Futura International – €500,000 Fine (France, 2019)

The CNIL received a complaint on the ground that he was very regularly cold called by a company whose activity consists of direct marketing solicitations via phone (the controller). Although the complainant had previously informed the controller they did not want to be called and had already exercised their right to object via e-mail, the controller continously sent them marketing emails. Thus, a complaint was lodged with the CNIL. In addition to the violation of the right to object, could unsolicited direct marketing phone calls lead to additional GDPR infringments? The investigation carried out by the CNIL revealed that the controller had received several letters from people complaining that they were still being solicited despite their opposition. It also appeared that the company's files contained several excessive comments related to customers or their health conditions. In addition, people were not properly informed about the processing of their personal data, or about the recording of the conversations they had with the company. In total, following its investigations the CNIL found five breaches of the GDPR: -         Violation of the right to object, Article 21(2) GDPR: no procedure was implemented to ensure effectively that persons who opposed telephone solicitation were no longer called); -         Violation of the principle of data minimization, Article 5(1)(c) GDPR: inadequate and offensive comments or irrelevant comments related to people's health were found in the company's customer file; -         Violation of Articles 12 and 13 GDPR: insufficient information on the processing of data subject’s personal data and their rights; -         Violation of Articles 46 and 49 GDPR:  the controller did not provide appropriate safeguards for data subjects; -         Failure to cooperate with the CNIL, Article 31 GDPR. As a consequence, the CNIL imposed a fine of EUR 500.000.