Between May and July 2019, the CNIL received several complaints about the companies Carrefour France and Carrefour Banque, which triggered an audit of the personal data processing carried out by these companies.
The CNIL found a number of shortcomings, in particular:
- The use of cookies that were placed on users' terminals before their consent was obtained;
- The obligation to inform data subjects: the CNIL found that the information provided by the Carrefour group was difficult to access, unclear and sometimes incomplete (retention periods, data transfers outside the EU and legal bases);
- Respect for the rights of data subjects: the systematic request for proof of identity was not justified, and the one-month deadline for replying to requests was regularly exceeded or requests were not processed, in particular objections to commercial prospecting by SMS or email;
- The obligation to process data fairly: certain data were transmitted by Carrefour Banque to Carrefour Fidélité in total contradiction with the information given to the data subjects at the time of their consent to the transfer;
- Data retention periods: some periods were too long (4 years after the last customer purchase) and were not respected, resulting in the retention of data on more than twenty-eight million customers who had been inactive for between five and ten years.
As the companies have since complied, the CNIL issued no injunction, but it nevertheless fined Carrefour France 2,250,000 euros and Carrefour Banque 800,000 euros.