1.75 million penalty against AG2R LA MONDIALE
The CNIL’s restricted committee has sanctioned SGAM AG2R LA MONDIALE for having failed to comply with GDPR obligations relating to retention periods and information to individuals.
CNIL carried out an inspection in 2019 at the AG2R LA MONDIALE group. The purpose of this was to verify the compliance of the processing operations implemented as part of its task to manage the supplementary pensions of private sector employees and its insurance activity.
On this occasion, CNIL found that the AG2R LA MONDIALE Mutual Insurance Group (SGAM AG2R LA MONDIALE), responsible for coordinating the group’s provident, dependency, health, savings and supplementary pension insurance activities, was keeping data on millions of people for an excessive period of time and was not complying with its information obligations in the context of telephone canvassing campaigns.
Based on these elements, the Restricted Committee – the CNIL body responsible for imposing sanctions – considered that the company had failed to comply with two fundamental obligations under the GDPR. It therefore imposed a fine of 1,750,000 euros and decided to make its decision public.
The Restricted Committee also took note of the compliance measures adopted by the company concerning the limitation of the retention period and the informing of individuals.
Breach of the obligation to limit the data retention period (Article 5-1-e of the GDPR)
The company had not implemented the retention periods it had defined in its standards in its systems. As a result, it kept the personal data of its prospects and customers for excessive periods of time.
With regard to the data of prospective customers, the company did not comply with the maximum retention period of three years set out in its standards and in the group’s processing register. The data of almost 2,000 customers who had not had any contact with the company for more than three years, and in some cases five years, were thus kept.
As regards customer data, the company did not comply with the maximum legal retention periods provided for in the Code des assurances (French Insurance Code) and the Code de commerce (French Commercial Code). In this case, the company was storing the data of more than 2 million customers, including some of a sensitive (health) or special nature (bank details), beyond the legal retention periods allowed after the end of the contract.
Measures were taken by the company following the audit and then during the procedure to achieve compliance. Compliance has been achieved with respect to prospect data. With regard to customer data, the company has made firm and documented commitments to the compliance process it has undertaken and has been shown to be partially compliant. It has also made a commitment as to when it will be fully compliant in this respect.
Breach of the obligation to inform individuals (Articles 13 and 14 of the GDPR)
The information provided to individuals canvassed over the telephone by the company’s data processors did not include all the elements required by the GDPR. Indeed, telephone calls made by data processors could be recorded without the person contacted being informed of the principle of recording or of his or her right to object to it. Furthermore, no further information was provided to the canvassers about the processing of their personal data or their other rights. Finally, people were not offered the possibility of accessing more comprehensive information, for example by activating a button on their phone or by sending an e-mail.
However, the company has put in place measures to make the necessary changes to comply with the GDPR, after the inspection and during the procedure.