SPARTOO SAS – €250,000 Fine (France, 2020)
SPARTOO SAS was fined €250,000 for not properly handling customer data, specifically regarding data retention and minimization. This case serves as a reminder for online businesses to ensure they manage customer data responsibly and in line with legal requirements.
What happened
SPARTOO SAS failed to comply with data retention and minimization rules, leading to a significant fine.
Who was affected
Customers of SPARTOO SAS whose data was not managed according to legal standards were affected by this violation.
What the authority found
The French data protection authority ruled that SPARTOO SAS violated multiple GDPR articles related to data handling, resulting in a €250,000 fine.
Why this matters
This case highlights the need for businesses to implement strict data management practices. Companies should regularly review their data retention policies to avoid costly penalties.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
On 31 May 2018, CNIL initiated an investigation on the premises of SPARTOO SAS to determine whether the processing of the personal data of its clients, prospective clients and employees was compliant with the GDPR. CNIL focused on several processing activities of SPARTOO SAS: 1) recording customer service calls on a permanent basis, 2) storage of customers' bank details, 3) no determination of a retention period initially, 4) determination of a retention period of five years since the customer's last activity, 5) establishing the mere opening of an email as the last activity of a prospective customer, 6) storage of personal data of more than three million non-connected customers for more than five years in a non-anonymised way, 7) no erasure of personal data on a regular basis, 8) requesting the customer's health card in Italy in the context of the fight against fraud, 9) lack of a strong password policy, 10) inadequate information provided to customers, prospective customers and employees regarding the processing of their personal data.

CNIL found that the collection of bank details and the recording of customer service conversations was excessive and not necessary for the purported aim, that is the training of employees, given that only one call per employee was examined per week. The collection of health cards in Italy was also found excessive, and together with the above-mentioned activities, CNIL held that the data minimisation principle had been violated (5§1(c) GDPR).

CNIL also found a violation of the storage limitation principle (5§1(e) GDPR), given the lack of a retention period in the first place, the storage of data of many inactive customers for more than five years and the excessive storage of prospective customers' personal data, which should be limited to 2 years.

Furthermore, the information provided to the data subjects was found inadequate and contrary to the obligation of transparency (13 GDPR). More specifically, CNIL held that there are more leg
Violations (1)
The cookie banner or cookie policy provides vague, incomplete, or unclear information about what cookies are used and why.
Art. 12, 13 GDPR
Related Enforcement Actions (0)
No other enforcement actions found for SPARTOO SAS in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
28 July 2020
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€250,000
GDPRhub ID
gdprhub-2618
Cite as: Cookie Fines. SPARTOO SAS - France (2020). Retrieved from cookiefines.eu