Deliberation SAN-2023-015 of October 12, 2023
Following the receipt of 31 complaints between November 2019 and January 2021, relating in particular to telephone canvassing, the transmission of banking data and the exercise of rights, the CNIL opened an investigation procedure against a major audiovisual media services provider. The checks carried out by CNIL agents and the rapporteur identified a number of breaches on various subjects, which led the restricted panel of the CNIL to impose an administrative fine.
- Absence of valid consent for direct email marketing.
Article L. 34-5 of the French Post and Electronic Communications Code requires that consent be obtained from individuals before marketing messages are sent to them by electronic means (email, SMS, etc.). The validity of this consent is assessed against the criteria laid down by the RGPD: consent must be free, unambiguous, specific and informed.
In this case, the audiovisual media services provider was sending marketing emails to millions of prospects whose contact information, and consent, had been collected indirectly via partners.
However, the company was unable to provide proof of the consent given. In addition, the consent forms used by the partners did not include any information as to the identity of the companies (including the provider) to which the prospects’ data could be transmitted if the latter gave their consent. As a result, the CNIL’s restricted panel considered that, event if consent had been given, it was not “informed” (in the meaning of the GDPR), since prospects were unaware that their data would be used by the audiovisual media services provider. The criteria for valid consent defined by the RGPD were therefore not met.
The company tried to argue that the responsibility for obtaining valid consent lay with the partners. However, the panel rejected this argument, pointing out that article L. 34-5 of the CPCE places the obligation to obtain consent – and therefore to provide proof of it – on the entity carrying out the commercial prospecting operations, regardless of whether the data was collected indirectly. It was therefore incumbent on the provider to put in place measures to ensure that the consent of its partners was validly obtained, which it failed to do.
- Failure to inform data subjects about the processing of their data.
Two types of shortcomings were noted in this area:
– The privacy policy accessible on the company’s website did not provide sufficiently precise information on retention periods, and did not include mention of the right to lodge a complaint with the CNIL.
With regard to retention periods, the policy only generically indicated the fact that data was retained for periods linked to the pursuit of certain purposes, but without indicating the precise periods applicable (or the criteria for determining these periods). The breach of Article 13 of the RGPD was therefore constituted. However, the restricted panel took into account the fact that the company had, in the course of the proceedings, amended its privacy policy, which is now compliant on this point.
As for the breach concerning the right to lodge a complaint with the CNIL, this was ultimately not upheld by the restricted panel, which noted that this right was mentioned in other documents (general conditions of use, general subscription conditions, etc.) and that the company had finally modified its privacy policy to include this information.
– Some of the data subjects had received no information on data protection during telephone canvassing calls. In fact, out of seventy-six recordings produced by the company, the information provided to thirteen persons called was either incomplete or absent.
In its defense, the provider argued that some of the calls were very short, so that the operator would not have had time to provide the information. However, the panel noted that the calls lasted at least thirty seconds, which could at leasthave given the operator time to refer callers to the company’s privacy policy.
- Failure related to the exercise of their rights by data subjects.
The CNIL noted that several requests from data subjects to exercise their rights (right to deletion, opposition, access, etc.) had not been properly processed by the provider.
Some requests had not been correctly qualified by the company, despite being formulated clearly enough in the opinion of the restricted panel. One request had clearly been mislaid, and another processed outside the deadlines set by the RGPD. In addition, some requests had indeed been processed by the provider, but without the data subjects being informed, even though this is an obligation for the controller under Article 12 of the Regulation.
- Failure to include mandatory clauses in a contract with a data processor.
The CNIL’s restricted panel also noted that a contract, concluded with a hosting service provider, did not include all the clauses imposed by Article 28 of the RGPD for contracts with data processors. However, the decision does not contain a description of the missing clauses.
- Failure to secure employees’ passwords.
According to the rapporteur and the restricted panel, this breach consisted in the use of a password hashing algorithm, the vulnerability of which had been known for several years. The publisher tried to demonstrate that the overall level of security within the company was also ensured by other measures, in addition to passwords. However, these arguments were not accepted by the restricted panel.
- Failure to notify a data breach.
Finally, the CNIL’s restricted panel criticized the provider for failing to notify an incident that enabled subscribers to access the data of other subscribers. Only seven people expressly notified having actually had such access, but in total several hundreds of persons could have pottentially had such access according to the company. These persons could have, in theory, accessed to the data of other subscribers, i.e., several thousands in total. Consequently, it was necessary for the publisher to notify the CNIL of the breach.
For all these violations, the company has therefore been imposed a 600,000 euros fine and the fact that the decision is made public by the CNIL. It should be noted, however, that the rapporteur’s initial proposed fine was 750,000 euros. In the decision, the restricted panel states that it took into account the remedial efforts made by the company, but also the fact that certain breaches (notably those relating to prior information during telephone canvassing and the exercise of rights) were isolated and/or the result of human error, and therefore did not reveal any structural compliance problems.