KASPR – €240,000 Fine (France, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
KASPR runs a Chrome browser extension which allows users to get the business details of people whose LinkedIn profile they had visited. On 28 July 2022, the French DPA (Commission nationale de l’informatique et des libertés – CNIL) carried out a compliance check with KASPR, the controller. The investigation showed that approximately 160 million contacts were included in the controller’s database. These entries included the surname, first name, e-mail address, telephone number, LinkedIn profile URL or other social networks, employer, company, job title, skills, professional interest, career, date of hiring and end of post, training, place of work, source of data and date of collection.

Harvesting the data from LinkedIn and storage
On LinkedIn, users can choose between four different visibility options: 1 – Only visible to me, 2 – Anyone on LinkedIn, 3 – 1st degree connections and 4 – 1st and 2nd degree connections. The controller collected the contact details of LinkedIn users who had made their details visible to all (Option 2) as well as those who had limited the visibility to 1st and 2nd degree connections (Options 3 and 4).

Providing information
Four years after the implementation of the KASPR tool, the controller notified data subjects by sending an email which informed them of the practice and gave the option to object to the processing by clicking on a link in the email. When data subjects filed access requests under Article 15 GDPR, the controller merely responded that their personal information was retrieved from publicly available sources.

The controller’s argument
The controller argued that the processing is based on its legitimate interest to facilitate connection between working professionals, aligning with the intentions of data subjects active on LinkedIn. Further, it argued that identity verification should reasonably be expected by users of a professional networking service and that data was collected according to the selected options on Li
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for KASPR in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
5 December 2024
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€240,000
GDPRhub ID
gdprhub-8681
About this data
Cite as: Cookie Fines. KASPR - France (2024). Retrieved from cookiefines.eu