Carrefour France – €2,250,000 Fine (France, 2020)
Carrefour France was fined for multiple data protection violations, including keeping inactive customer data for too long and not providing clear information about data handling. The company failed to respond to customer requests regarding their personal data. This case shows that businesses must prioritize data privacy and respond to user inquiries.
What happened
Carrefour France stored personal data of inactive customers for years and did not adequately inform users about their data rights.
Who was affected
Over twenty-eight million inactive customers and individuals who requested access to their personal data.
What the authority found
The French data protection authority ruled that Carrefour France violated several GDPR provisions regarding data storage and user rights.
Why this matters
This ruling stresses the importance of data minimization and responsiveness to customer requests. Companies should regularly audit their data practices to ensure compliance with privacy laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The French DPA (CNIL) fined Carrefour France EUR 2,250,000 for several violations of data protection regulations, including the GPDR. During its investigation, the CNIL found that the information on personal data provided to users of the carrefour.fr websites and those wishing to join the loyalty program was neither easily accessible nor easily comprehensible. The CNIL also found that the information regarding the transfer of data to countries outside the EU and regarding the duration of data storage was incomplete. The CNIL also notes that the company did not comply with the storage time limits. Furthermore, the data of more than twenty-eight million customers who were inactive for five to ten years were stored for the purposes of the loyalty program. This was also the case for 750,000 users of the carrefour.fr site, who were inactive for five to ten years. The CNIL states that the company required proof of identity for almost every user request to exercise a right. However, this automatic requirement was not justified, as in most cases there was no doubt regarding the identity of the data subjects. Furthermore, the company did not respond to several requests from individuals who wanted to access their personal data. Also, in numerous cases, the company did not carry out the erasure of data requested by individuals. Finally, the company has not responded to several requests from persons who did not agree to receive advertising by SMS or e-mail.
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for Carrefour France in FR
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
18 November 2020
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€2,250,000
Enforcement Tracker ID
ETid-457
GDPRhub ID
gdprhub-2923About this data
Cite as: Cookie Fines. Carrefour France - France (2020). Retrieved from cookiefines.eu
Last updated: