By decision of 28 July 2020, the CNIL imposed a fine of €250,000 and an obligation to comply with the GDPR within 3 months of the decision, on SPARTOO, an online shoe retailer operating in 13 European countries.
This is the first decision from the CNIL as the lead authority and it sanctions the company’s following failures to comply with the GDPR concerning the processing of customer, prospect and employees’ data :
- excessive data collection: permanent telephone recording, retention of bank data recorded during the call and the collection of health cards in Italy ;
- excessive storage period: undetermined or unjustified storage period;
- breaches of the obligation to inform data subjects: incorrect legal bases indicated in the customer privacy policy and very incomplete information from employees concerning telephone recordings;
- failure to comply with the data security obligation: credit card data were kept unencrypted for 6 months and customer passwords were not robust enough.
This decision is of some importance in that the CNIL cooperated with the other European authorities concerned with a view to adopting a common position.
1. Background
SPARTOO is an online shoe retailers which operates in 13 European countries.
During an inspection conducted in May 2018, the CNIL found several breaches of the GDPR and decided to initiate sanction proceedings against the Company in 2019.
2. Excessive data collection
The Company recorded all telephone calls received by customer service employees for employees’ training purposes.
The CNIL considered that permanent and full recording of calls was not necessary for this purpose (i.e.training). Indeed, it noted that the person in charge of employee training listens to only one recording per week and per employee.
It also notes that the recording and storage of customer bank details communicated by the customer are not necessary for employee training either.
The CNIL tends to consider the permanent recording of employees’ telephone calls as excessive for any purpose unless a regulation authorises it (e.g. banking regulations for stock exchange orders).
Furthermore, the request for a copy of the health and identity card in Italy for anti-fraud purposes was considered excessive and irrelevant, the copy of the identity card being sufficient.
3. Excessive retention period
The company did not have a retention period in place and no regular deletion and/or archiving was implemented.
3.1 Concerning customers
Although the Company has undertaken to keep customer data for 5 years following this audit, the CNIL has sanctioned the Company for keeping a very large amount of data from former customers for several years (more than 3 million people had not logged on to their account for more than 5 years).
3.2 Concerning prospects
The Company has set up a 5-year retention period for prospect data starting from their last activity (e.g. the opening of a newsletter). However, it no longer sends direct marketing email to people who do not show interest in its products or services for a period of two years. The CNIL, therefore, concluded that the retention period should be limited to two years and not 5 years.
As regards the starting point of the 2-year retention period, the CNIL points out that the mere opening of the direct marketing e-mail is not sufficient to justify the renewal of the retention period as the message may have been opened involuntarily.
Indeed, the CNIL added that the action justifying the renewal of the retention period must be an act of the prospects proving that they have shown an interest, such as clicking on a web link provided in the newsletter.
However, this position of the CNIL has always seemed a bit excessive insofar as all newsletters (e.g. from online newspapers), do not necessarily call to go to the website of the company concerned and the recipient can simply click on the unsubscribe link provided in each marketing e-mail if they are no longer interested. It seems, nonetheless, that the other 12 concerned authorities have aligned with the CNIL position on this point although the decision seems to open the door to other possibilities to prove the individuals have shown an interest.
Furthermore, the retention of e-mail addresses and passwords beyond 5 years, in a pseudonymised and non-anonymised form, so that individuals can reconnect to their account, was not either considered GDPR compliant.
4. Failure to provide a GDPR compliant information notice
The CNIL has noted that the information provided on the company’s website is erroneous, as the legal basis for the processing indicated is not correct.
The information provided to employees concerning the recording of telephone calls made with customers is also insufficient insofar as they are not informed of the purpose of the processing, the legal basis of the system, the recipients of the data, the duration of data retention and their rights.
5.Failure to comply with the obligation to ensure data security
The CNIL noted that :
- the passwords to access customer accounts via the website were not strong enough;
- the retention for six months and in clear text of the scans of the bank card used when placing an order, for the purpose of combating fraud, does not guarantee the security of customers’ banking data.
In conclusion:
- Indicating the correct legal bases in the privacy policies and ensuring that the information is complete;
- Verifying that the data collected is necessary as a priority when it is sensitive or when its volume makes the collection intrusive;
- Setting retention periods that are consistent and in line with the purposes of the data processing;
- Reviewing the security policy and the robustness of the passwords (security issues are subject to sanctions in most CNIL controls).
