CNIL issues over 3 million euro fine against French Carrefour

After receiving 15 complaints from data subjects, the French data protection authority, Commission nationale de l'informatique et des libertés (“CNIL”), carried out inspections in the companies Carrefour France (retail sector) and Carrefour Bankque (banking sector). The inspections revealed multiple infringements of the EU’ General Data Protection Regulation (“GDPR”), the CNIL decided to impose a fine of 2,250,000 euros against Carrefour France and 800,000 euros against the Carrefour Banque.


Failure to comply with the Article 13 information provision requirements


Data subjects have the right to be informed about the collection and use of their personal data. The right to be informed is a key transparency requirement under the GDPR. Transparency itself enables data subjects to understand, and if necessary, challenge the data processing activities of companies. It empowers the individuals to hold data controllers accountable and to exercise control over their personal data.


The CNIL found that the information provided to the users of the and was too complicated and too long and therefore, the information was not easily accessible as required by Article 12 of the GDPR. In addition, the information provided when joining Carrefour’s loyalty program was found incomplete and containing imprecise terms and unnecessarily complicated formulations.


Unlawful use of cookies


The ePrivacy Directive (2002/58/EC) and its national transpositions such the the national French Data Protection Act requires that storing of information, such as cookies, is only allowed on a condition that the end user has given his or her consent, after having been provided with clear and comprehensive information about the purposes, in accordance with the GDPR. The consent requirement does not apply to cookies whose sole purpose is to carry out a transmission of a communication over an electronic communications network or that are strictly necessary for the service explicitly requested by the end user (so called ‘strictly necessary’ cookies).


In its decisions, the CNIL noted that when a user visited the or websites, several cookies were automatically stored in the visitor’s terminal equipment before any indication of consent was given. Several of those cookies were used for advertising.


The website stored 39 cookies before any action by the end user. Some of these cookies belonged to Google Analytics. CNIL notes that Google Analytics cookies are not strictly necessary for the provision of the service and therefore requires consent under the French national law. On the website, Microsoft’s tracking cookies were used, in addition to Google’s cookies.


Failures with retention times


The CNIL points out that controllers must provide the data subjects with information relating to the retention periods of the personal data and such retention periods should be formulated in a way that the data subjects can actually assess how long their personal data will be retained. Further, CNIL notes that controllers cannot use generic statements such as that the personal data will be kept for as long as the processing requires.


CNIL found the statements used by Carrefour Banque ‘confusing’ as data subjects could not understand how long their personal data were retained. Further, the information regarding the retention times were found incomplete as Carrefour Banque did not specify the retention periods applicable to all the personal data it processed. In addition, the retention time for data collected by cookies were not specified.


Carrefour France indicated that the data of its loyalty customers were kept for four years from their last activity with the company. CNIL found this retention period ‘excessive’. In addition, the inspections revealed that Carrefour France did not comply with its own retention times as data from 28 million customers, who had been inactive for five to ten years, was still kept by the company. With regard to customers of the website, CNIL noted that data of more than 750,000 customers, whose latest purchase dated back five to ten years, was still kept by the company. In a view of these findings, Carrefour France was found to be in breach of Article 5(1)(e) of the GDPR.


Failure to respect the rights of the data subjects


Article 12 of the GDPR requires that controllers must facilitate the exercise of data subject rights under the Articles 15 to 22 of the GDPR. Further, the controller shall not refuse to act on the request of the data subject for exercising his or her rights unless the controller can demonstrate that is is not capable of verifying the identity of the data subject.


Carrefour France had systematically requested proof of identity when data subjects wanted to exercise their rights. The CNIL found that this systematic request was not justified since, in certain cases, there were no doubt about the identity of the data subjects. In addition, the response times to respond to data subjects’ requests varied up to 9 months, without any information being communicated to the data subjects whose requests were pending. Carrefour France was therefore found in breach of Article 12 of the GDPR.


Failure to process personal data ‘fairly’


When data subjects subscribed to a ‘Pass card’ with Carrefour Banque (a payment card that can be attached to the loyalty account), they had to tick a box indicating that they accept that their first name and email address were disclosed to Carrefour France. Carrefour Banque explicitly indicated that no other personal data would be disclosed. During the inspections, the CNIL found that other personal data, such as postal address, telephone number and information about the children were being disclosed.


In view of these findings, Carrefour Banque was in breach of Article 5(1)(a) of the GDPR.

Link to CNIL’s press release here.
Link to the penalty notice of Carrefour France here.
Link to the penalty notice of Carrefour Banque here.