CNIL fines Carrefour France 2,25 million € and Carrefour Banque 800,000 €

26 November 2020

After receiving several complaints, the CNIL imposes a financial penalty against two companies of the CARREFOUR group for GDPR infringements concerning the information given to individuals and in particular the respect of their rights.

After receiving several complaints against the CARREFOUR group, the CNIL carried out inspections between May and July 2019 at CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). The CNIL noted infringements concerning the data processing of customers and potential users.  The Chair of the CNIL therefore decided to initiate sanction proceedings against these companies.

At the end of this procedure, the CNIL sanctions committee considered that the companies had failed to comply with several GDPR requirements.

It imposed a financial penalty of 2,250,000 euros against CARREFOUR FRANCE and 800,000 euros against CARREFOUR BANQUE. However, it did not issue an injunction to comply since it noted that significant efforts had already been made to address the infringements.

Infringements on the obligation to inform individuals (Article 13 of the GDPR)

The information provided to users of the and websites, as well as to people wishing to join the loyalty program or the « Pass » card, was not easily accessible (access to information was too complicated, in very long documents containing other information), nor easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated wording). In addition, information was incomplete regarding the data retention periods.

Concerning the website, the information was also insufficient regarding data transfers outside the European Union and the legal basis of the processing operations (files).

On this point, the companies have amended their privacy notices and websites during the procedure.

Infringements regarding cookies (Article 82 of the French Data Protection Act)

The CNIL noted that when a user connected to the or websites, several cookies were automatically placed on his terminal, before any action of the user. Considering that some of these cookies were used for advertising purposes, consent should have been sought before storing the cookies on the device.

During the procedure, the companies changed the functioning of their websites. Advertising cookies are no longer placed before the user has given his consent.

Failure to comply with the obligation to limit the data retention period (article 5.1.e of the GDPR)

The company CARREFOUR FRANCE did not respect the data retention periods it had set. The data of more than twenty-eight million customers who had been inactive for five to ten years were being kept as part of the loyalty program. The same was true for 750,000 users of the website who had been inactive for five to ten years.

Moreover, in this case, the sanctions committee considers that it is excessive to retain customer data for 4 years after the last purchase. Indeed, this duration, which was initially chosen by the company, exceeds what appears necessary in the field of mass distribution, given the consumption habits of customers who mainly make regular purchases.

During the procedure, CARREFOUR FRANCE committed significant resources to make the necessary changes to become with the GDPR. In particular, older data were deleted.

Failure to comply with the obligation to facilitate the exercise of rights (article 12 of the GDPR)

The company CARREFOUR FRANCE required, except for opposition to commercial prospection, proof of identity for any request to exercise a right. This systematic request was not justified since there was no doubt about the identity of individuals exercising their rights. In addition, the company was unable to process several requests to exercise rights within the deadlines required by the GDPR.

On these two points, the company changed its practices during the procedure. In particular, it deployed significant human and organizational resources to respond to all requests received within less than one month.

A failure to respect rights (articles 15, 17 and 21 of the GDPR and L34-5 of the French Postal and Electronic Communications Code)

First of all, the company CARREFOUR FRANCE has not responded to several requests from individuals wishing to access their personal data. The company approached all the individuals concerned during the procedure.

Then, in several cases, the company did not proceed with the deletion of data requested by several people when it should have done so. On this point, too, the company has complied with all requests during the procedure.

Finally, the company did not take into account several requests from people who objected SMS or email advertising, in particular due to specific technical errors. The company complied during the procedure on this point as well.

Failure to comply with the obligation to process data fairly (Article 5 of the RGPD)

When a person subscribing to the « Pass » card (a credit card that can be attached to the loyalty account) also wished to join the loyalty program, she had to tick a box indicating that she accepted that CARREFOUR BANQUE would communicate to "Carrefour fidélité" her last name, first name and email address. CARREFOUR BANQUE explicitly indicated that no other data would be transmitted. However, the CNIL noted that other data were transmitted, such as the postal address, the telephone number and the number of children, although the company undertook not to transmit any other data.

On this point, the company changed its practices during the procedure. It has completely overhauled its online subscription process for the « Pass » card and individuals are now informed of all data transmitted to CARREFOUR FRANCE.