After several complaints against the CARREFOUR group, the CNIL carried out checks between May and July 2019 at the companies CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). The CNIL noted shortcomings in the processing of customer and prospective-customer data. The President of the CNIL therefore decided to initiate a sanctioning procedure against the group. At the end of this procedure, the restricted committee (the CNIL body responsible for imposing sanctions) considered that the companies had failed to meet several obligations under the GDPR. It thus sanctioned the company CARREFOUR FRANCE with a fine of 2,250,000 euros and the company CARREFOUR BANQUE with a fine of 800,000 euros. However, it did not issue an injunction, since it found that significant efforts had since brought all the breaches identified into compliance.
Specifically, the group failed on:
• Breaches relating to cookies (Article 82 of the loi Informatique et Libertés, i.e. the French Data Protection Act)
• Breaches of the obligation to properly inform people (Article 13 of the GDPR)
• Failure to comply with the obligation to limit the retention period of personal data (Article 5.1.e of the GDPR)
• A breach of the obligation to facilitate the exercise of rights (Article 12 of the GDPR)
• Failure to respect rights (Articles 15, 17 and 21 of the GDPR and Article L34-5 of the Postal and Electronic Communications Code)
• A breach of the obligation to process data fairly (Article 5 of the GDPR)
Needless to say, these are among the very first elements a DPO will check to assess a company's maturity. Problems with the above processes, and the corresponding corrections, could have been dealt with in the first month of activity (and I'm over-estimating...).