
🇫🇷 Insurance and excessive retention periods

Data Subject Rights, Retention & Minimisation | 29/03/2025

📢 €1.75 Million Fine for a French Insurance Company

Source: SAN 2021-010

👉 The CNIL has sanctioned an insurance company for two serious breaches of the GDPR, relating to the retention period for personal data and the provision of information to individuals.

💾 Data stored… for over 30 years!

🔍 During an investigation, the CNIL discovered that:
• Data from prospects was retained for over 5 years, instead of the 3 years recommended.
• Data from over 2 million clients was kept more than 5 years after contract termination.
• For 1.3 million clients, it was stored for over 10 years.
• And for several thousand individuals, it was stored for over 30 years!

This violates Article 5-1(e) of the GDPR, which states that data must be kept no longer than necessary.

⚠️ Reminder: legal obligations (accounting or life insurance):
Certain accounting documents must be kept for 10 years, in accordance with article L123-22 of the French Commercial Code.

Life insurance contract data must be kept for 30 years for evidentiary purposes in the event of litigation, in accordance with article L114-1 of the French Insurance Code.

😬 Even when citing legal obligations, the retention periods exceeded regulatory requirements.

📞 Violation of information obligations during telemarketing
Article 12 of the GDPR requires that individuals be clearly, concisely, transparently and intelligibly informed at the time of data collection—on the purpose, context, and their rights, among others.

➡️ Of 50 sample calls, 30% were recorded without informing the individuals.
➡️ Two subcontractors acted without providing any GDPR-related information: no info on rights, purposes, or retention.

📉 Why such a “moderate” fine?
💡 The company actively cooperated with the CNIL.
➡️ Result: A €1.75 million fine, which represents only 0.02% of its annual turnover.

📌 Key takeaways for all data processors:
✔️ Respect legally mandated retention periods and CNIL recommendations.
✔️ Always inform individuals, including over the phone.
✔️ Document all data processing, even when subcontracted.
✔️ Cooperate with the CNIL to reduce the risk and amount of sanctions.


 
