👠🇫🇷 An E-Commerce Website Fined for Excessive Data Collection 🇫🇷👠

Retention & Minimisation, Confidentiality & Security | 25/03/2025

💸 The CNIL has imposed a €250,000 fine 💸

Facts:
As part of evaluating and training its employees, the e-commerce website recorded customer service calls in their entirety and retained the recordings permanently.

Source: SAN 2020-003 of July 28, 2020


Violations Identified:

  1. Violation of Article 5-1(c) of the GDPR: Lack of Data Minimization (Principle of Proportionality)
    • The CNIL deemed the recordings excessive and intrusive in relation to the stated purpose (employee training).
  2. Violation of Article 32 of the GDPR: Data Security
    • No technical measures were implemented to prevent customer payment data from being recorded during calls.
    • The company stored customer banking data in plain text for 15 days without enhanced security measures.
    • Credit card numbers should not be recorded or stored once payment has been completed.
  3. Violation of Article 5-1(e) of the GDPR: Excessive Data Retention
    • The website retained customer and prospect data for 5 years.
    • The CNIL required that the retention period for prospect data be limited to 2 years.
    • Upon customer inactivity, the site did not delete all data but instead transferred email addresses and passwords to a separate table, hashed with the SHA-256 algorithm. While this algorithm ensures data integrity, it does not anonymize the data; it only pseudonymizes it.
    • Reminder: Upon expiration of the retention period, customer data must be deleted from active databases, or anonymized once the legal retention obligation has expired.
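To make the pseudonymization point concrete, here is an added illustration (constructed sample data and hypothetical function names, not code from the sanctioned website or the CNIL decision): moving sha256(email) into a side table still lets a record be singled out by anyone who knows the email, because the hash is deterministic, whereas actual deletion leaves only a non-personal aggregate.

```python
import hashlib

# Constructed sample "active customers" table (hypothetical data; passwords omitted).
ACTIVE_CUSTOMERS = [
    {"email": "alice@example.com", "last_login": "2019-01-10"},
    {"email": "bob@example.com", "last_login": "2025-03-01"},
]


def sha256_hex(value: str) -> str:
    """SHA-256 is deterministic: the same email always yields the same digest."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def archive_inactive_by_hashing(customers, cutoff):
    """The sanctioned pattern: instead of deleting inactive customers, keep
    sha256(email) in a separate table. Returns (remaining, archive)."""
    remaining = [c for c in customers if c["last_login"] >= cutoff]
    archive = [{"email_h": sha256_hex(c["email"])}
               for c in customers if c["last_login"] < cutoff]
    return remaining, archive


def locate_by_email(archive, email):
    """Retention audit check: if a known email still matches a row, the data
    subject is still identifiable, so the table is pseudonymous, not anonymous."""
    digest = sha256_hex(email)
    return [row for row in archive if row["email_h"] == digest]


def purge_inactive(customers, cutoff):
    """Retention-compliant alternative: delete the records outright and keep
    only an aggregate count, which relates to no identifiable person."""
    remaining = [c for c in customers if c["last_login"] >= cutoff]
    return remaining, {"deleted_count": len(customers) - len(remaining)}
```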

Consequences:

  • 💸 Administrative Fine: €250,000
  • 📢 Reputational Impact: Public Sanction