Carrefour Fined €3 Million by French DPA for Multiple GDPR Violations
Carrefour has received a €3.25 million GDPR violation penalty from the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), after it was discovered that the French retail giant had violated multiple provisions of the General Data Protection Regulation.
The violations included providing data protection information to customers that was not clear and concise, a failure to provide important information related to data retention periods, providing information only in extensive documents containing large amounts of other information, inadequate processes for managing data subject access requests, failing to comply with data subject request time limits, conducting data transfers that lacked transparency, and the illegal use of Internet cookies.
Given the number of violations of the GDPR, the financial penalty could have been far higher; however, when considering an appropriate financial penalty, CNIL considered the level of cooperation from Carrefour in its investigation and the prompt action taken by the retailer to address the violations.
CNIL explained that its committee considered a data retention period of 4 years after a customer's last purchase from Carrefour to be excessive, especially given that most of its customers make regular purchases. There was also inadequate information on the carrefour.fr website concerning the transfer of data outside the EU and the legal basis for processing customer data.
While information had been provided on the carrefour.fr and carrefour-banque.fr websites concerning data practices for customers and individuals wishing to join the loyalty program, that information was difficult to find. It was included in lengthy documents and was not clearly understandable, having been written in general and imprecise terms, often using unnecessarily complex language. The information was also incomplete, as it did not explain the data retention period.
The GDPR fine has been split between Carrefour and its banking division, Carrefour Banque, with the former fined €2.25 million and the latter fined €800,000.