Greetings from Brussels!
Back in 2019, French multinational Carrefour came under the scrutiny of France's data protection authority. Following multiple complaints against the Carrefour group, the CNIL carried out checks between May and July 2019 into the Carrefour France and Carrefour Bank group entities, operating in the mass retail and financial services sectors respectively.
The complaints, which were centered around the processing of customer personal data, prompted the CNIL to initiate sanctioning procedures against both Carrefour affiliates. During the inspections, several infringements of the GDPR, as well as the French postal and electronic communications code, were identified. These violations primarily involved processing transparency and customers' privacy rights. In its conclusions, the CNIL imposed a 2,250,000 euro fine on Carrefour and an 800,000 euro fine on Carrefour Bank. Further injunctions were not issued as it was noted that the group had made significant efforts to rectify and bring all infringements into compliance. Last week, a full statement was released by the CNIL on their findings and sanctions.
In summary, transparency of information and policies available to users on both Carrefour entity websites were not easily accessible or fully comprehensible, particularly in what concerns the commercially advantageous Carrefour loyalty program or store credit card scheme. Notably, clarity on data collection and transfer, as well as the legal basis for processing between entities was flawed. Furthermore, Carrefour France did not respect its own data retention policy of a four-year "shelf life" holding almost 29 million "inactive" customer records from anywhere between five and 10 years. The CNIL found both the retention timeframe policy and the contravening infringement excessive for what should be deemed as "regular purchasing activity." All defunct or obsolete data has now been deleted.
Additionally, there were question marks surrounding noncompliance with cookie regulations. The CNIL noted that when a user connected to Carrefour websites several cookies were automatically placed on the connecting terminal before any action was taken on the part of the user. The CNIL ruled that several of those cookies were used for advertising and, therefore, consent should have been established in the first instance.
Finally, it is worth mentioning the infringement of the obligation to facilitate the exercise of rights. There were breaches of the rights of access, appeal and deletion. It was required of complainants to provide proof of identity for any request to exercise their rights, even though the applicants were already identified. The CNIL found that Carrefour France did not comply with the subject rights requests within the one-month time limit required by the GDPR.
The explanatory documents for the Carrefour France and Carrefour Banque decisions are very thorough, insightful and worth the read to understand the depth and breadth of such inspections, its evaluations and justifications for the sanctions imposed. In what concerns the Carrefour France fine, it was interesting to note that the CNIL applied the concept of “undertaking” as defined within EU competition and case law to take account of Carrefour France’s two retail subsidiaries (with higher revenues), which also benefitted from the data processing activities under review.
Carrefour France and Carrefour Bank have a two-month window to appeal the CNIL’s rulings before the Conseil d’Etat, France’s highest administrative court. Although, from what I can gather from Carrefour France’s Twitter statements on the matter, this seems very unlikely.