Spartoo – €250,000 Fine (France, 2020)

€250,000Commission Nationale de l'Informatique et des Libertés5 August 2020France
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

French online retailer Spartoo was fined for recording all customer service calls and storing some bank details without proper security. They also failed to provide accurate privacy information. This case emphasizes the need for careful handling of personal data and transparency.

What happened

Spartoo recorded all customer service calls and stored some bank details unencrypted, violating data protection rules.

Who was affected

Customers who called Spartoo's hotline and had their conversations and bank details recorded were affected.

What the authority found

The French authority fined Spartoo for not minimizing data collection and for failing to provide correct privacy information, violating GDPR's principles.

Why this matters

This ruling stresses the importance of data minimization and the secure handling of sensitive information. Companies should ensure transparency and accuracy in their privacy policies to comply with GDPR.

GDPR Articles Cited

AI-verified

Art. 13 GDPR
Art. 5(1)(c) GDPR
View original scraped data
Art. 5(1) GDPR
Art. 13 GDPR
Art. 14 GDPR

Original data from scraper before AI verification against source document.

Source verified 6 March 2026
articles corrected
France enforcementCommission Nationale de l'Informatique et des Libertés actionsAll Spartoo actions
Full Legal Summary
Detailed

A fine of EUR 250000 was imposed on the online retailer Spartoo. The reason for this was that the company, which has its headquarters in France but supplies a large number of European countries, fully recorded all telephone hotline conversations (including personal data such as address and bank details of orders) and in addition stored bank details partially unencrypted. Among other things, this represents a violation of the principle of data minimization. Furthermore, the supervisory authority also found a violation of the information obligations according to Art. 13 GDPR, as the company's data protection information was partially incorrect.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Spartoo in FR

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

Data Subject versus Telecommunications Company

2025 · DPA OLGKoblenz

Legal Person

2023 · Úřad pro ochranu osobních údajů

€4K

Ramona Films, S.L.

2022 · Agencia Española de Protección de Datos

€8K

CNIL

2019 · Court of Justice of the European Union

Minister for Legal Protection

2022 · DPA RbOverijssel

Details

Fine Date

5 August 2020

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€250,000

Enforcement Tracker ID

ETid-362

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Spartoo - France (2020). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: