Carrefour Banque – €800,000 Fine (France, 2020)

€800,000Commission Nationale de l'Informatique et des Libertés18 November 2020France
final
ePrivacy
Fine

Carrefour Banque faced a hefty fine for unfairly processing customer data when they signed up for a loyalty program. The company shared more personal information than it promised, violating data protection rules. This case serves as a warning for businesses to be honest about how they handle customer data.

What happened

Carrefour Banque transmitted additional personal data of customers without their consent while processing loyalty program sign-ups.

Who was affected

Customers who signed up for the Pass card loyalty program and had their data shared without proper consent.

What the authority found

The French data protection authority found Carrefour Banque violated GDPR by not processing data fairly and transparently.

Why this matters

This case highlights the need for companies to be clear and truthful about data sharing practices. Businesses should review their data processing agreements to avoid similar issues.

GDPR Articles Cited

AI-verified

Art. 12 GDPR
Art. 13 GDPR
Art. 5(1)(a) GDPR
View original scraped data
Art. 5(1)(a) GDPR
Art. 12 GDPR
Art. 13 GDPR
Art. 82 Loi Informatique et Libertés

Original data from scraper before AI verification against source document.

National Law Articles

AI-identified

Art. 82 Loi Informatique et Libertes
Source verified 6 March 2026
articles corrected
national law identified
France enforcementCommission Nationale de l'Informatique et des Libertés actionsAll Carrefour Banque actions
Full Legal Summary
Detailed

The French DPA (CNIL) imposed a fine on Carrefour Banque for violation of its obligation to process data fairly (Article 5 (1) GDPR). If a person who subscribed to the Pass card (a credit card that can be attached to a loyalty account) also wanted to participate in the loyalty program, he or she had to tick a box in which he or she agreed to Carrefour Banque sending his or her surname, first name and e-mail address to 'Carrefour fidélité'. Carrefour Banque expressly indicated that no further data would be transmitted. However, the CNIL noted that other data such as postal address, telephone number and the number of children had been transmitted, although the company undertook not to transmit any further data.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for Carrefour Banque in FR

This is the only recorded action for this entity in this jurisdiction.

Similar Cases

Enforcement actions with similar violations

Data Subject versus Telecommunications Company

2025 · DPA OLGKoblenz

Legal Person

2023 · Úřad pro ochranu osobních údajů

€4K

Ramona Films, S.L.

2022 · Agencia Española de Protección de Datos

€8K

CNIL

2019 · Court of Justice of the European Union

Minister for Legal Protection

2022 · DPA RbOverijssel

Details

Fine Date

18 November 2020

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€800,000

Enforcement Tracker ID

ETid-454

GDPRhub ID

gdprhub-2930

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified
Cookie relevance: 50%

Cite as: Cookie Fines. Carrefour Banque - France (2020). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: