French retail giant Carrefour France and its banking arm Carrefour Banque have been issued GDPR fines of €2,250,000 and €800,000 respectively by the French data protection regulator for a number of blatant GDPR violations.
Carrefour Group, the multinational corporation that dominates the food retail sector in France and operates in several other countries, was recently fined over €3 million by France's Commission nationale de l’informatique et des libertés (CNIL), the country's data protection authority, for failing to comply with several requirements of the GDPR.
Headquartered in Paris, Carrefour Group operates around 230 hypermarkets, 1020 Carrefour Market supermarkets, over 2000 smaller supermarkets and convenience stores, and 130 Promocash cash & carry stores, and supplies 1500 independent small food stores under the Proxi banner. The company reported annual revenue of €80.73 billion in 2019 and employs over 320,000 people across multiple retail brands.
On 26 November, CNIL announced that it had decided to fine two Carrefour Group brands, Carrefour France and Carrefour Banque, €2,250,000 and €800,000 respectively for violating various provisions of the GDPR, such as storing customer data for a prolonged period without any justification, placing advertising cookies on customers' devices without obtaining prior consent, and not honouring customer requests to access their personal data or to have it deleted.
1. Failure to inform customers: CNIL noted that the carrefour.fr and carrefour-banque.fr sites did not provide clear and easy-to-understand instructions to customers wishing to join the loyalty programme or the Pass card, making it extremely difficult for customers to obtain accurate information about these programmes. The websites also did not provide sufficient information with regard to data transfers outside the European Union and the legal basis for processing customer data.
2. Policy on cookies: According to CNIL, the carrefour.fr and carrefour-banque.fr sites automatically placed advertising cookies on customers' devices whenever they visited these sites without asking if they wanted to accept cookies in the first place. As per GDPR, websites are required to obtain clear and precise consent from visitors before placing cookies on their terminals.
3. Policy on Data Retention: CNIL noted that Carrefour France retained the data of more than 28 million customers who had been inactive for five to ten years and the carrefour.fr site also retained the data of 750,000 users who had been inactive for five to ten years.
CNIL said retaining the data of inactive customers for so long is excessive and exceeds what appears necessary in the field of mass distribution, given the consumption habits of customers who mainly make regular purchases.
4. Asking verified customers to furnish identity proof: Carrefour France asked customers to furnish identity proof whenever they wanted to exercise their rights, even where there was no doubt as to the identity of the persons exercising those rights. The company also failed to process several requests for the exercise of rights within the time limits required by the GDPR.
5. Not responding to data requests: CNIL also found during its investigation of the Carrefour Group that Carrefour France did not respond to several requests from people wishing to access their personal data and in several cases, did not delete customers' personal data when asked to do so. At the same time, the company failed to honour several requests from customers who did not wish to receive advertising by SMS or email.
"Having received several complaints against the CARREFOUR group, the CNIL carried out checks between May and July 2019 with the companies CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of customer and potential user data. The President of the CNIL, therefore, decided to initiate a sanctioning procedure against these companies," CNIL said.
"At the end of this procedure, the restricted committee - the CNIL body responsible for pronouncing sanctions - effectively considered that the companies had failed to meet several obligations under the GDPR.
"It thus sanctioned the CARREFOUR FRANCE company with a fine of 2,250,000 euros and the CARREFOUR BANQUE company with a fine of 800,000 euros. On the other hand, it did not issue an injunction when it noted that significant efforts had made it possible to bring all the shortcomings identified into compliance," it added.