EU Data Protection Authority Levies Its First Fine for Violations of the GDPR
In its August 5, 2020, enforcement decision, CNIL focused on violations of the following principles of the GDPR:
Failure to Employ Data Minimization Measures: CNIL’s decision focused on Spartoo’s practice of recording telephone calls for employee training purposes, including the recording of customers’ credit card payment information during those calls, and found that collecting this data was not necessary for the stated purpose.
Failure to Implement Adequate Measures Regarding Storage Limitation: Spartoo was found to be holding large volumes of customers’ personal information without any policy for purging accounts that had been inactive for upwards of 10 years. The records of over 25 million customers who had not been active for more than three years were still being kept. CNIL found that the absence of meaningful data retention policies, and of corresponding time frames for deleting customer information, violated the storage limitation principle.
Failure to Provide Adequate Notice: Spartoo’s privacy policies were found to be deficient in accordance with the GDPR notice requirement. The policy failed to appropriately provide notice regarding the legal bases for the processing of personal information.
Failure to Employ More Robust Data Security Standards: CNIL found that Spartoo’s password practices and requirements for its customers were deficient, and that customers should have been required to create more secure passwords for their accounts.
CNIL’s enforcement action may open the floodgates for GDPR enforcement. As more EU data protection authorities issue guidance on specific provisions of the GDPR, whether on cookies or on the legality of data transfer mechanisms, businesses should expect investigations and enforcement actions from the various DPAs.