
The National Commission for Informatics and Freedoms (CNIL) on Wednesday fined the e-commerce site Spartoo 250,000 euros. The authority ruled that the company had not complied with several articles of the General Data Protection Regulation (GDPR).

On its site, the CNIL indicates that this is "its first sanction decision in cooperation with other European supervisory authorities". The Spartoo platform is available in 13 EU states and “the company's customers and prospects” are spread over several countries. The investigation has therefore been carried out jointly with foreign authorities since May 2018.

We take note of the @CNIL's decision. We are committed to making the requested changes as soon as possible. Rest assured #Spartoo has always been very committed to respecting regulations regarding the personal data of its customers #RGPD

- Spartoo (@Spartoo) August 5, 2020

Numerous breaches of the GDPR

The investigations revealed shortcomings concerning the minimization of personal data. Spartoo was recording more phone conversations and banking data than needed. The retention period of the information was not respected either. The CNIL also noted that “the information provided in the website's data privacy policy does not comply” with the GDPR.

In addition, employees were not sufficiently informed about the recording of their telephone conversations with customers. Spartoo also breached its obligation to secure data. The passwords required were not complex enough and the anti-fraud measures relating to bank cards were not strict enough, the commission found.
