The National Commission for Informatics and Freedoms (Cnil) has sanctioned the supermarket giant Carrefour for violating European rules on personal data.

Thus, Carrefour France will have to pay a fine of 2.25 million euros while Carrefour Banque, also singled out, will have to pay 800,000 euros.

The French personal data watchdog, the Cnil, fined two companies in the Carrefour retail group 3 million euros for violating European rules on personal data, it announced on Thursday.

Having received several complaints and after carrying out checks between May and July 2019, "the CNIL noted shortcomings concerning the processing of the data of the customers and the potential users", writes the Commission in a press release published on its site.

Carrefour France will have to pay a fine of 2.25 million euros, and Carrefour Banque of 800,000 euros.

No injunction was issued, the regulator having since "noted that significant efforts had enabled compliance on all the breaches noted".

"The decision of the CNIL concerns past and isolated failures. They are now fully corrected," Carrefour responded on Twitter.

The retail giant also claims to have derived "no financial benefit" from these practices.

28 million loyalty program profiles kept

In detail, the CNIL criticizes Carrefour for not having sufficiently informed the users of its sites and the customers registered for its loyalty program about the retention period of their personal data and the processing operations applied to it, many of which were moreover irregular.

The regulator noted that "cookies", that is to say trackers, used for advertising were placed when a user connected to the site, before the user's consent was obtained as required by the General Data Protection Regulation (GDPR), which entered into force in May 2018. Carrefour Banque also communicated to the retail brand's loyalty program the postal address, telephone number or number of children of subscribers to a credit offer, while it "explicitly indicated that none" of this data was transmitted.

Finally, "the company Carrefour France did not respect the retention periods for data that it had set", notes the regulator.

The profiles of some 28 million customers of the loyalty program and 750,000 users of the carrefour.fr site, inactive for 5 to 10 years, were thus kept.

The CNIL considers that a period exceeding 4 years after the last purchase is excessive.