AG2R La Mondiale – €1,750,000 Fine (France, 2021)

An on-site investigation carried out by the French DPA (Commission Nationale de l’Informatique et des Libertés – CNIL) in October 2019 revealed the following breaches: First, the internal firm policy on data retention duration was only implemented in several areas of activities. In this respect, the company later indicated that it had undertaken a broad compliance plan and, in particular, that an IT project had been initiated in 2017 in order to achieve effective compliance with GDPR. However, the timetable of this project could not be met due to the complexity of the firm's information systems. Second, it appeared that subcontractors performed all of canvassing operations without informing data subjects on the processing their personal data and their rights. In addition, subcontracting agreements did not contain any provision on the matter, and 30% of calls were recorded, without informing clients and prospects. Since the on-site investigation, the firm had been implementing corrective measures. According to the firm, compliance with data retention legal duration will be complete by 2022 and canvassing operations are now carried out in accordance with Articles 13 and 14 GDPR. * Has the firm violated Article 5(1)(e) GDPR and domestic legal provisions regarding personal data retention? * Has the firm violated Articles 13 and 14 GDPR because its subcontractors did not provide clients and prospects with information listed in those articles during canvassing operations? * In both cases, does the compliance policy implemented by the firm reduce its responsibility under Article 83 GDPR? On the duration of data retention The CNIL found that the company had violated Article 5(1)(e) GDPR and several domestic provisions of the Insurance Code. Regarding the 3 years limit of retention of prospects’ data, the CNIL reiterates that its [https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000027837528/ guidelines on data protection by insurance, capitalisation, reinsurance and assis