Monsanto Company – €400,000 Fine (France, 2021)

The French DPA (CNIL) has fined MONSANTO EUR 400,000. In May 2019, several media revealed that MONSANTO was in possession of a file containing the personal data of more than 200 political figures or members of civil society (e.g. journalists, environmental activists, scientists or farmers) likely to influence the debate or public opinion on the renewal of the authorization of glyphosate in Europe. At the same time, the CNIL received seven complaints from data subjects affected by this file. For each of these individuals, the file contained information such as the organization they belonged to, the position they held, their business address, their business phone number, their cell phone number, their business email address, and in some cases their Twitter account. In addition, CNIL noted that each person was assigned a score from 1 to 5 to evaluate their influence, credibility, and support for Monsanto on various issues. The DPA believes that the company violated the provisions of the GDPR by not informing the data subjects that their data was stored in this file. In addition, the CNIL complained that the company had not given the contractual guarantees that should normally regulate the relationship with a subcontractor. The creation of contact files by stakeholders for lobbying purposes is not illegal in itself. However, CNIL stressed that data subjects nevertheless have the right to be informed of the existence of the file in order to exercise additional rights, in particular the right to object. In addition, the CNIL found that the data collection was carried out by a provider contracted by Monsanto and that Monsanto violated Article 28 of the General Data Protection Regulation by not including in its contracts with the data processor the provisions foreseen in the GDPR, in particular regarding data security.