Monsanto Company – €400,000 Fine (France, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Monsanto Company faced a fine for not informing over 200 public figures that their personal data was being processed. This matters because it highlights the importance of transparency in data handling, even when consent isn't required. Companies must keep individuals informed about how their data is used.
What happened
Monsanto processed personal data of more than 200 public figures without informing them as required by law.
Who was affected
Public figures like politicians, journalists, and scientists whose personal information was included in Monsanto's filing system.
What the authority found
The French data protection authority ruled that Monsanto violated GDPR by failing to provide mandatory information to the individuals whose data was processed.
Why this matters
This ruling emphasizes that companies must be transparent about data processing activities. It serves as a reminder for businesses to ensure they inform individuals about their data usage to comply with privacy laws.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
In May 2019, several media outlets revealed that the Monsanto company was processing personal data of more than 200 public figures like politicians, journalists and scientists involved in the glyphosate debate. At the same time, the French DPA CNIL received seven complaints from data subjects whose personal information was included in Monsanto's filing system. The investigation revealed that (i) the filing system had been created on behalf of Monsanto by several companies specialized in public relations and lobbying; (ii) the filing system contained different information about the data subjects including job description, professional email address, mobile phone number, and sometimes Twitter account. Furthermore, (iv) a rating was given to every data subject, to estimate their influence and their support for Monsanto's activities.
The DPA found that the creation of contact files for the purpose of lobbying is not illegal in itself. However, the DPA found that the company had violated Article 14 GDPR by not providing the data subjects with the mandatory information as soon as possible. Even though consent from those public figures was not necessary, they still had to be informed so that they could exercise their rights, especially their right to object. The DPA found that the data subjects were informed of the existence of the filing system only in 2019, after the revelations in the media, even though the Monsanto company had all of their contact information. The DPA also recalled that failing to inform data subjects of the existence of a processing operation harms the exercise of their other rights guaranteed under the GDPR.
The DPA found that the company had violated Article 28 GDPR. As a controller, Monsanto had to govern the processing carried out by its processor through a legal document, especially to guarantee security measures. The DPA found that no contract between the companies contained the terms provided by Article 28(3) GDPR.
Related Enforcement Actions (0)
No other enforcement actions found for Monsanto Company in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
26 August 2021
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€400,000
Enforcement Tracker ID
ETid-776
GDPRhub ID
gdprhub-3690
About this data
Cite as: Cookie Fines. Monsanto Company - France (2021). Retrieved from cookiefines.eu