News
🚨 Company Fined for Abusive Marketing and Collection of Sensitive Data 🚨
In 2019, the French Data Protection Authority (CNIL) imposed a fine of €500,000 on a company specializing in home thermal insulation for improper marketing practices and sensitive data collection.
🔍 Case Details
A complaint was filed by a consumer reporting repeated unsolicited marketing calls from the company, despite having expressed their opposition both verbally to call center agents and in writing to the company’s headquarters. Months after these efforts, the calls persisted.
The CNIL investigation revealed several GDPR violations, including failure to respect the right to object and insufficient information provided to the individuals being solicited, in violation of Articles 13-14 of the GDPR.
Further investigation found that:
- The company processed customer and prospect data obtained either directly from the individuals (via inbound contact or outbound marketing campaigns using directories managed by subcontractors) or through third parties via a referral program.
- Telemarketing activities were handled by call centers, most of them located in North Africa, acting as subcontractors.
- Call center operators recorded comments in the company's software, Progibos. Some comments included sensitive information about individuals’ health status or derogatory remarks about them.
This practice violated Article 9-2-e of the GDPR regarding sensitive data and Article 5 on data minimization. The GDPR prohibits the collection of sensitive data, such as health status, and requires that the data collected be adequate, relevant, and limited to what is necessary for the intended purposes.
👉 Best Practice: Instead of collecting sensitive data, the company could have made general notes without processing unnecessary and sensitive information that was unrelated to their marketing objectives.
📌 Consequences
- Administrative Fine: €500,000
- Reputational Damage: The exposure of improper practices impacted the company’s credibility.