Carrefour receives a large fine for non-compliance with data

A Carrefour supermarket in Nice (illustrative image).

-

Carrefour was sanctioned with a fine of three million euros by the French gendarme for personal data.

The CNIL considered that two companies in the group had violated European rules on their customer data.

Seized of several complaints and after having carried out checks between May and July 2019, "the CNIL noted shortcomings concerning the processing of the data of the customers and the potential users", writes the Commission in a press release published on Thursday on its site.

Carrefour France will have to pay a fine of 2.25 million euros, and Carrefour Banque of 800,000 euros.

Shortcomings "now corrected"

No injunction has been issued, the regulator having since "noted that significant efforts had enabled compliance on all the shortcomings identified".

“The CNIL's decision concerns past and isolated failures.

They are now fully corrected, ”responded Carrefour on Twitter.

The distribution giant also claims to have derived from these practices "no financial benefit".

In detail, the CNIL criticizes Carrefour for not having sufficiently informed the users of its sites and the customers registered for its loyalty program on the retention period and the processing, many of which was moreover irregular, applied to their data. personal.

Data kept for years

The regulator noted that "cookies" (tracers) used for advertising were placed during a connection to the site before the user's consent was obtained as required by the General Data Protection Regulation ( GDPR) entered into force in May 2018.

Carrefour Banque also communicated to the distribution brand's loyalty program the postal address, telephone number or number of children of people subscribing to a credit offer, although it "explicitly indicated that none" of this data was not transmitted.

Finally, "the company Carrefour France did not respect the retention periods for data that it had set", notes the regulator.

The profiles of some 28 million customers of the loyalty program and 750,000 users of the carrefour.fr site, inactive for 5 to 10 years, were thus kept.

The CNIL considers that a period exceeding 4 years after the last purchase is excessive.

By the Web

In four months, the CNIL has identified 33 million cases of personal data breaches

By the Web

Personal data: the Council of State confirms the fine of 50 million euros against Google

• Society

• Personal data

• crossroads

• CNIL