Not only the ICO is currently imposing penalties to organisations that do not observe the GDPR. The French Data Protection Authority (CNIL) is also stepping in more actively, as you will see in the following examples.
1. The French Data Protection Authority has published 5 formal notices against three companies of the Gie Humanis Fonctions Group and against two companies of the Malakoff-Médéric on October 18th, 2018. It turned out that these companies have violated Article 6 (2) of the GDPR. Article 6 describes the lawfulness of processing.
The CNIL also discovered at the investigation that the above-mentioned companies have had access to personal data provided by two pension federations for the purpose of implementing supplementary retirement plans. But these companies also used this personal data for marketing purposes. That happened without an authorisation of the two federations.
These companies have beyond doubt violated the GDPR as they did not have a legitimate interest in processing the data for marketing purposes. Therefore, the French Data Protection Authority demanded from these five companies to cease this kind of processing immediately and they are also required to comply with the GDPR within one month.
2. The second case affects the French company Singlespot that collected the following data from its customers via their own mobile app: the mobile ad ID (similar to cookies but with mobile apps), the names and version of the mobile app of the users and also what operating system was used (Android or IOS). This data was then transferred to Singlespot without specifically informing the affected persons and without asking for their consent for this specific processing.
At the end of the investigation of the CNIL over 14 million advertising identifiers were found in the database of Singlespot. Over 5 million of these identifiers were also associated with the geolocation of the users. That means that the exact location of over 5 million persons have been saved while they were using the app.
The following breaches of the legal provisions have been noted by the CNIL:
- A failure to provide a legal basis for the implementation of this processing (consent in this case).
- A failure to define and respect a retention period that is appropriate for the purpose of the processing (data minimisation).
- A failure to ensure data security and data confidentiality in accordance with the privacy policy of the company.
The CNIL has therefore decided that all 14 million records of customers/possible customers, that have been collected without observing the GDPR, have to be erased. Future data collecting also has to be in conformity with the GDPR otherwise the Data Protection Authority has already announced to inflict fines.
Source: Yes the GDPR has teeth