France: First sanction of an online shoe retailer by the CNIL acting as lead authority for several infringements of GDPR requirements

On 28 July 2020, the French Supervisory Authority (the “CNIL”) sanctioned the online shoe retailer SPARTOO SAS with a €250,000 fine and an injunction to bring its processing into compliance with the GDPR within 3 months, under penalty, for various non-compliances with the GDPR in its processing of personal data relating to clients, prospects and employees[1].

I. Factual background and nature of the infringements sanctioned

This is the first sanction decision taken by the CNIL as “lead authority”, in cooperation with 13 other European data protection authorities in accordance with Article 60 of the GDPR. The geographical scope covered all the jurisdictions in which SPARTOO’s website was available: Spain, Germany, Italy, the Netherlands, Slovakia, Denmark, Poland, Sweden, Finland, Belgium, Czech Republic, Hungary and the UK.

This decision follows a dawn raid on 31 May 2018 at SPARTOO’s premises in France. The purpose of the dawn raid was to check the compliance of SPARTOO’s processing of clients’ and prospects’ personal data, as well as the recording of phone conversations between SPARTOO’s employees and its clients.

Based on its investigations and the submission of its draft decision to the EU cooperation process, the CNIL held that SPARTOO had infringed the following GDPR requirements:

  • Data minimization (Article 5(1)(c) of the GDPR):
    • The exhaustive and permanent recording of all phone conversations between SPARTOO’s employees and its clients is disproportionate to the objective sought, namely employee training, given that the person in charge of training listened to only one recording per week per employee.
    • The recording and storage (even for a day) of customers’ banking information when an order is placed by phone was not necessary for the purpose of employee training. The CNIL confirmed that banking information should be subject to reinforced protection given its nature and the risks associated with its disclosure to unauthorized third parties.
    • For the purpose of fighting fraud, the collection in Italy of the health card (tessera sanitaria) is excessive, as it contains much more information than an ID card, which is not relevant for the purpose, and the ID card was also collected.
  • Storage limitation (Article 5(1)(e) of the GDPR):
    • SPARTOO did not set out any data retention policy and did not carry out any regular erasure or archiving of clients’ and prospects’ personal data. Although SPARTOO informed the CNIL that it had set a 5-year retention period, the CNIL noted that SPARTOO had been retaining for many years the personal data of more than 3 million clients who had not logged into their account for more than 5 years.
    • Regarding prospects’ personal data, the 5-year retention period from the last contact (e.g., opening of a newsletter) implemented by SPARTOO was considered too long, given that SPARTOO stopped sending direct marketing communications to any prospect who had shown no interest in its products for 2 years. The CNIL stated that 2 years of data retention should thus be sufficient.
    • Further, the starting point of the retention period for prospects’ personal data, namely the last time a prospect opened a marketing email, was not considered sufficient evidence that the prospect is interested in SPARTOO’s products, since such an email can be opened accidentally.
    • The CNIL also found that the practice of not deleting all the data after the 5-year retention period, but retaining the client’s email address and password in pseudonymized (rather than anonymized) form in case the client wishes to reuse these identifiers to access his/her account again, does not comply with the GDPR.
  • Transparency (Article 13 of the GDPR):
    • The website privacy policy does not comply with the GDPR, as it states that the legal basis for all personal data processing is consent, although several of the processing operations could rely on another legal basis (e.g., SPARTOO’s legitimate interests or the performance of the contract).
    • Regarding the recording of phone conversations, employees are not properly informed, in particular of the purpose, legal basis, data recipients, data retention period and their rights.
  • Integrity and confidentiality (Article 32 of the GDPR):
    • The CNIL also challenged the strength of the passwords used to access SPARTOO’s website, rejecting SPARTOO’s argument that a simple password was more secure than an overly complex one because it is supposedly less predictable by a hacker and less likely to be reused across several websites or apps.
    • In the context of the fight against fraud, SPARTOO is considered to be in breach of the security requirements as (i) it collects, in clear text, scans of credit cards including the full credit card number, and (ii) such scans are retained in clear text in the database for 6 months.

II. Criteria taken into account for the sanction

Based on the above infringements, the CNIL issued a €250,000 fine and an injunction to comply with the GDPR within 3 months, under a penalty of €250 per day.

The CNIL also decided to publish this decision, given the importance and severity of the infringements concerning employees, the nature of the data concerned, and the fact that SPARTOO is engaged in a B2C e-commerce activity.

In calculating the fine, the CNIL took the following into consideration:

  • The maximum fine of €20 million or 4% of turnover, in light of the multiple above-mentioned infringements;
  • Most of the infringements relate to requirements that existed before the GDPR entered into force (e.g., transparency, data minimization, security requirements for banking data);
  • The seriousness of the infringements, in particular regarding banking data, for which the CNIL has issued several guidelines, and the recording of phone conversations, which concerns employees;
  • The volume of data subjects concerned (e.g., more than 3 million clients and 25 million data subjects affected by the infringement of the storage limitation obligation);
  • The fact that SPARTOO was an established e-commerce actor; and
  • The fact that SPARTOO took steps to bring its processing into compliance with the GDPR only after the dawn raid of 31 May 2018 and a hearing held on 19 June 2019, and that, despite those steps, the company is still not compliant.

Therefore, as SPARTOO was still not in full compliance at the date the case was closed, the CNIL decided to issue an injunction to comply with the GDPR within 3 months, under penalty.

This decision gives an idea of how far the CNIL may go in carrying out an in-depth and practical compliance audit during a dawn raid, and how it assesses the different infringements to determine the amount of the applicable sanction. It is interesting to note that, in this case, the level of the sanction was based on the sensitivity of the data involved (employees’ data and clients’ banking information), the company’s sector of activity (e-commerce), the volume of data subjects affected and the time taken by the company to regularize the situation without being compliant at the time of the decision. At the same time, and despite the high level of the fine, the CNIL indicates that the sanction took into consideration the company’s cooperative attitude and the efforts already made toward compliance, which means that the fine could have been higher.

[1] Decision No. SAN-2020-003 of 28 July 2020: https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000042203965&fastReqId=655302508&fastPos=1

Denise Lebeau-Marianna and Yaël Hirsch

If you have any questions on what this may mean for you or your organisation, please contact the authors listed above or your regular DLA Piper contact.