French data protection authority (CNIL) actively intervenes
The Austrian data protection authority is not the only one to punish companies that do not comply with the GDPR. The French data protection authority (CNIL) is also intervening more and more actively, as you can see in the following examples.
Personal data used unlawfully for marketing purposes
1. On October 18, the French data protection authority published five notices against three companies of the Gie Humanis Fonctions Group and against two companies of the Malakoff-Médéric Group. These companies have been found to have violated Article 6 (2) of the GDPR. Article 6 describes the lawfulness of the processing.
During its investigation, CNIL found that personal data was provided to the above-mentioned companies by two associations for the implementation of supplementary pension plans. However, these companies also used the personal data for marketing purposes. This was done without the authorization of these two associations.
These companies have thereby undoubtedly violated the GDPR, as there was no legitimate interest for this processing. The French data protection authority therefore demanded that these five companies immediately cease this processing and that the requirements of the GDPR be met within one month.
Illegal collection of personal data
2. The second case concerns the French company Singlespot, which collected the following data from its customers via its own mobile app: the mobile advertising IDs (comparable to cookies, but for mobile apps), the name and version of the users’ mobile app, and the operating system (Android or iOS) in use. This data was then transferred to the company without specifically informing the customers and without obtaining their consent for the transfer.
At the end of the CNIL inspection, over 14 million advertising IDs, which are used to create personalized ads, were found in Singlespot’s database. Over 5 million of these were additionally linked to geolocation, meaning the exact location of people was stored when they used the app.
This results in some violations of the legislation:
- No legal ground for the implementation of this processing has been provided (consent, in this case).
- No appropriate retention period for this purpose of processing has been established or observed (principle of data minimization).
- Data security and confidentiality were not ensured as stated in the company’s privacy policy.
The CNIL has therefore decided that all 14 million records of clients/possible clients collected without complying with the GDPR must be deleted. Furthermore, future data collection must be brought in line with the GDPR; the data protection authority has already announced fines otherwise.
Source: Yes the GDPR has teeth