Carrefour Banque – €800,000 Fine (France, 2020)

€800,000Commission Nationale de l'Informatique et des Libertés18 November 2020France
final
ePrivacy
Fine

Carrefour Banque was fined EUR 800,000 for unfairly processing customer data when they signed up for a loyalty program. The company promised not to share extra information but did so anyway, which can harm customer trust. This case serves as a reminder for businesses to keep their promises about data sharing.

What happened

Carrefour Banque shared more personal information than it promised when customers signed up for its loyalty program.

Who was affected

Customers who subscribed to the Pass card and joined the loyalty program were affected.

What the authority found

The French data protection authority ruled that Carrefour Banque violated GDPR by not processing data fairly.

Why this matters

This case shows that companies must honor their commitments regarding data sharing. Businesses should review their data practices to ensure they are transparent and fair.

GDPR Articles Cited

AI-verified

Art. 12(GDPR)
Art. 13(GDPR)
Art. 5(1)(a) GDPR
Art. 82 Loi Informatique et Libertés GDPR
View original scraped data
Art. 5(1)(a) GDPR
Art. 12(GDPR)
Art. 13(GDPR)
Art. 82 Loi Informatique et Libertés

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Source verified 10 March 2026
articles corrected
national law identified
France enforcementCommission Nationale de l'Informatique et des Libertés actionsAll Carrefour Banque actions
Full Legal Summary
Detailed

The French DPA (CNIL) imposed a fine on Carrefour Banque for violation of its obligation to process data fairly (Article 5 (1) GDPR). If a person who subscribed to the Pass card (a credit card that can be attached to a loyalty account) also wanted to participate in the loyalty program, he or she had to tick a box in which he or she agreed to Carrefour Banque sending his or her surname, first name and e-mail address to 'Carrefour fidélité'. Carrefour Banque expressly indicated that no further data would be transmitted. However, the CNIL noted that other data such as postal address, telephone number and the number of children had been transmitted, although the company undertook not to transmit any further data.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Carrefour Banque in FR

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

Minister for Legal Protection

2022 · DPA RbOverijssel

Data Subject versus Telecommunications Company

2025 · DPA OLGKoblenz

Legal Person

2023 · Úřad pro ochranu osobních údajů

€4K

CNIL

2019 · Court of Justice of the European Union

Details

Fine Date

18 November 2020

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€800,000

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Carrefour Banque - France (2020). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: