HUBSIDE.STORE – €525,000 Fine (France, 2024)

HUBSIDE.STORE (“controller”) has stores in France, Belgium, Spain, Portugal and Italy. In France, the controller carried out canvassing campaigns by telephone and SMS from prospect files purchased from two main data brokers, in order to promote the products it sold. The French DPA (“CNIL”) carried out an inspection at the controller’s premises in order to verify compliance with the GDPR and French Data Protection Act. During this inspection, the CNIL discovered that, regarding commercial prospecting by SMS, the controller carried out these operations using prospect files purchased from data suppliers. These data suppliers collected the data of the persons concerned via entry forms for online competitions, in order to enable their partners to use them in their commercial prospecting. The CNIL indicated that the forms accessible on the websites of the data suppliers were similar: beneath the fields enabling the person to enter their contact details was a “VALIDATE”, “I VALIDATE” or “I ANSWER QUESTIONS TO APPLY” button. Above or below this button, a text specified that by clicking on the button, the data subject declares that they have read the controller’s privacy policy and accepts that the data collected will be used to send them offers from the company’s partners. Hyperlinks were provided to access the privacy policy and the list of partners concerned. At the end of the text, it specified that if the data subject wishes to continue without receiving offers from the controller’s partners, they can click on a link in the text (“click here”). The CNIL also pointed out that the form contains a hypertext link to a nominative lust of partners and not to categories of partners. However, the list did not mention HUBSIDE.STORE. The controller also provided the CNIL with recordings of canvassing calls that they sent to Belgium in order to promote its stores there. The CNIL found that during these calls, the data subjects were only informed that the call had been recorded a