Alerted by the SIGNAL SPAM association about the behaviour of PERFORMECLIC, a very small company whose business is sending commercial canvassing by e-mail on behalf of advertisers, the CNIL carried out checks and found numerous breaches of the obligations in force with regard to commercial canvassing.
In particular, PERFORMECLIC was unable to prove that the persons it canvassed had given valid consent, which constitutes a breach of the obligation to obtain consent before sending canvassing emails.
The CNIL also noted a number of shortcomings with regard to:
- the principle of data minimisation, as some of the data retained, such as telephone numbers, is not necessary for email marketing purposes;
- data retention periods, as the company keeps prospect data for more than three years from the time prospecting emails are opened without any further action on the part of the data subjects (for example, without clicking on one of the links in the prospecting emails);
- the obligation to keep people properly informed;
- the right of individuals to object, as the company does not allow canvassed individuals to effectively object to the use of their data;
- the contractual framework for relations with a subcontractor, due to the absence of mandatory clauses in the contract between the company and its hosting provider.
On 7 December 2020, the CNIL sanctioned PERFORMECLIC for these breaches. Taking into account the size and financial situation of the company, the penalty imposed consists of:
- a fine of 7,300 euros
- an injunction to comply within 2 months, subject to a penalty of 1,000 euros per day of delay
- publicising the decision.