Carrefour France – €2,250,000 Fine (France, 2020)

The French DPA (CNIL) fined Carrefour France EUR 2,250,000 for several violations of data protection regulations, including the GPDR. During its investigation, the CNIL found that the information on personal data provided to users of the carrefour.fr websites and those wishing to join the loyalty program was neither easily accessible nor easily comprehensible. The CNIL also found that the information regarding the transfer of data to countries outside the EU and regarding the duration of data storage was incomplete. The CNIL also notes that the company did not comply with the storage time limits. Furthermore, the data of more than twenty-eight million customers who were inactive for five to ten years were stored for the purposes of the loyalty program. This was also the case for 750,000 users of the carrefour.fr site, who were inactive for five to ten years. The CNIL states that the company required proof of identity for almost every user request to exercise a right. However, this automatic requirement was not justified, as in most cases there was no doubt regarding the identity of the data subjects. Furthermore, the company did not respond to several requests from individuals who wanted to access their personal data. Also, in numerous cases, the company did not carry out the erasure of data requested by individuals. Finally, the company has not responded to several requests from persons who did not agree to receive advertising by SMS or e-mail.