Nestor SAS – €20,000 Fine (France, 2020)

Nestor SAS, founded in 2015, provides a service of prepared and delivered meals to office employees which order these on their website. It was subject to various complaints over time. In November 2018 and January 2019, CNIL received four complaints from people that were not clients, indicating that they had received commercial emails despite having never provided their consent. Additionally, another complainant outlined that it is particularly difficult to object to the processing of personal data for commercial emailing purposes. Some complainants received emails despite having unsubscribed to the mailing list. Another two complainants attempted to get a copy of their personal data from Nestor, without success. Nestor did not either respond to requests asking information about the purpose of processing, the duration of processing or their source. The CNIL also conducted a investigation of the Nestor website and app in May 2019. This was performed to check its compliance with the GDPR and the French national data protection law 1978 as amended (loi n°78-17 du 6 janvier 1978 modifiée relative à l’informatique, aux fichiers et aux libertés). CNIL did this again in February 2020. The CNIL also inspected the company's headquarters in May 2019. CNIL continued its investigation in June and September 2019 by requiring further information on the legal basis for processing data, the right to object and the duration of processing of personal data. There were four key material law questions: *Did Nestor violate Article L. 34-5 of the Postal and Electronic Communication law (Code des postes et des communications électroniques) by sending commercial emails without consent? *Did Nestor fail to provide sufficient information to the data subject at the moment of collecting their personal data in violation of Articles 12 and 13 GDPR? *Did Nestor fail to respect the exercises of the right of access in violation of Article 15 GDPR? *Did Nestor fail to satisfy the obligation of s