GDPR Enforcement: Lessons from Recent Data Privacy Penalties

Recent decisions by the French data protection authority (CNIL) have highlighted the importance of GDPR compliance, particularly in the areas of data retention, consent for processing sensitive personal data, and marketing practices. On October 10, 2024, CNIL fined two companies offering remote clairvoyance services a total of €400,000 (€250,000 for Cosmospace and €150,000 for Telemaque) for breaches including excessive data retention, failure to obtain explicit consent for sensitive data processing, and non-compliance with marketing consent rules. These decisions serve as a reminder for businesses to evaluate their data protection policies to avoid costly penalties and maintain consumer trust.

Key Takeaways from the Decisions

  • Excessive data retention: Both companies stored customer data for six years after the end of the commercial relationship, mainly for marketing purposes. CNIL found this retention period to be excessive, recommending a maximum retention period of three years. Telemaque, in particular, failed to implement any restrictions on access to the data, keeping it in active databases without sorting or limiting access over this six-year period.
  • Processing sensitive data without explicit consent: Both companies processed sensitive personal data—such as sexual orientation and health information—during clairvoyance consultations without obtaining explicit consent. CNIL emphasized that merely using the service does not meet the GDPR’s requirement for explicit consent when processing special categories of data.
  • Unlawful marketing communications: The companies sent marketing communications via email and SMS without obtaining valid consent. The forms used to collect customer data did not clearly inform users that their data could be shared for marketing purposes by both Cosmospace and Telemaque, resulting in a breach of consent requirements.
  • Recording of calls: Cosmospace recorded all customer calls for several purposes: (i) to monitor service quality and for employee training, (ii) to demonstrate that contracts had been concluded and properly executed, (iii) to respond to legal requests, and (iv) for safeguarding purposes. However, the CNIL found that these justifications did not warrant the systematic recording of all calls. Instead, CNIL recommended that a sample of calls could be recorded for quality monitoring and training, and only the portions of calls directly relevant to contract conclusions should be retained. Additionally, recordings could be manually triggered by employees in situations involving distress or safeguarding concerns. CNIL found that recording all calls in this manner breached the GDPR’s data minimization principle.

Next steps for consumer-facing businesses

These decisions are particularly relevant for any consumer-facing businesses operating in the EU or UK, especially those with operations in France. It’s a timely reminder to review current practices regarding:

  • Marketing consents: Ensure that proper consent is obtained before sending marketing communications, and that consumers are fully informed about how their data will be used.
  • Processing of sensitive data: Review consent mechanisms for any data collection activities involving special categories of personal data, such as health or sexual orientation, to ensure compliance with GDPR.
  • Data retention: Assess your data retention policies, particularly for marketing purposes, to ensure personal data is not held longer than necessary and that appropriate restrictions on access and use are in place.

This is an opportunity to reassess compliance frameworks, particularly in light of guidance from EU supervisory authorities.