Following investigations at the French retailer and wholesaler, the French data protection authority has identified several breaches.
Data is stored too long!
Last year, the French data protection authority CNIL received several reports or complaints about the Carrefour Group. The CNIL took action in response. On-site inspections were carried out in May and July 2019. It was found that data was being stored for too long and that the information obligations under the GDPR were also being violated. A retention period of four years after the last purchase was practiced. According to the data protection authority, this is too long. The inspections revealed that the group of companies continues to store data from over 28 million former customers. This data comes from a bonus program, and the customers have not been active for at least five years. In some cases, data from more than five years was still stored. This was also the case for the carrefour.fr site, which has more than 750,000 users. Storing inactive customers for such a long period is not appropriate.
Duty of information was violated
These were not all the violations of the basic data protection regulation that had been identified. According to the French data protection authority, the Group is also in breach of the necessary information obligations. On Carrefour’s website, the information is not clear and understandable enough when visiting the site, nor is the necessary consent for the use of cookies. In addition, the requests from data subjects are not processed promptly. Some of them do not seem to be answered at all. Furthermore, data of the customers of the bonus program were then also passed on to the own financial service providers. Last but not least, Carrefour required proof of identity from the customers if they wanted to exercise their right to information. This is unjustified according to the CNIL supervisory authority.
Fine
Following the investigations by the data protection authority, a claim of 2.25 million euros has now been issued to the Carrefour holding company and a claim of 800,000 euros to the bank subsidiary Carrefour Banque. Since the group is now working on the violations that have been identified, the authority has refrained from imposing additional sanctions for the time being.
