BRICO PRIVÉ – €500,000 Fine (France, 2021)

€500,000
Commission Nationale de l'Informatique et des Libertés
14 June 2021
France
final
ePrivacy
Fine

BRICO PRIVÉ was fined EUR 500,000 for mishandling customer data, including keeping information longer than allowed. This is significant because it shows that companies must follow data retention rules and protect customer information, or they could face hefty fines.

What happened

BRICO PRIVÉ retained customer data longer than permitted and failed to properly secure it.

Who was affected

Over 16,000 customers who had not ordered in five years and over 130,000 inactive account holders were affected.

What the authority found

The French data protection authority ruled that BRICO PRIVÉ violated multiple GDPR articles by not adhering to data retention and security obligations.

Why this matters

This ruling serves as a warning to businesses about the importance of data retention policies and security measures to protect customer information.

GDPR Articles Cited

AI-verified

Art. 13 GDPR
Art. 17 GDPR
Art. 32 GDPR
Art. 5(1)(e) GDPR

National Law Articles

AI-identified

Art. 82 Loi informatique et libertés
Art. L. 34-5 CPCE

Source verified 2 April 2026
scope corrected

Full Legal Summary

Detailed

The French DPA (CNIL) has imposed a fine of EUR 500,000 on BRICO PRIVÉ. CNIL conducted three inspections at BRICO PRIVÉ between 2018 and 2021 and identified several deficiencies in the processing of personal data of prospects and customers. The controller, for example, had not complied with the data retention periods it had established. In this regard, the data of more than 16,000 customers who had not placed an order in the last five years had been retained. The same applied to more than 130,000 people who had not logged into their customer accounts for five years. In addition, the controller violated its information obligations under Art. 13 GDPR. Furthermore, the controller failed to fulfill its obligation to fully comply with the deletion requests received. The CNIL also found that the controller did not implement sufficient technical and organizational measures to ensure information security. For example, the controller did not require the use of a secure password during the process of opening an account on the company's website or when employees accessed the customer relationship management software. The fine is composed proportionately of EUR 300,000 for violations of Art. 5(1)(e) GDPR, Art. 13 GDPR, Art. 17 GDPR and Art. 32 GDPR and EUR 200,000 for violations of Art. 82 Loi informatique et libertés and Art. L. 34-5 CPCE.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for BRICO PRIVÉ in FR

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

14 June 2021

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€500,000

Enforcement Tracker ID

ETid-734

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. BRICO PRIVÉ - France (2021). Retrieved from cookiefines.eu
