Lobbying file: penalty of 400,000 euros against MONSANTO
The CNIL has imposed a fine of 400,000 euros on MONSANTO for not having informed the individuals whose data were recorded in a file for lobbying purposes.
In May 2019, several media outlets revealed that MONSANTO had a file containing the personal data of more than 200 political figures or individuals from civil society (for example journalists, environmental activists, scientists or farmers) who could influence the debate or public opinion on the renewal of the authorisation of glyphosate in Europe. At the same time, the CNIL received seven complaints, notably from data subjects in this file.
The checks carried out by the CNIL services revealed that this list had been compiled on behalf of MONSANTO by several companies specialising in public relations and lobbying, as part of a major lobbying campaign.
The file in question contained information such as the organisation the individual is attached to, the position held, the work address, the work landline number, the mobile phone number, the work e-mail address and, in some cases, the Twitter account, for each of these individuals. Furthermore, each individual was given a score from 1 to 5 to assess their influence, credibility and support for MONSANTO on various subjects such as pesticides or genetically modified organisms.
At the end of the investigation and after having heard from MONSANTO, the restricted committee (the CNIL body in charge of sanctions) imposed a fine of 400,000 euros and decided to make its decision public. It considered that the company had disregarded the regulations by not informing the data subjects that their data were recorded in this file. The CNIL also condemned the fact that the company had not put in place the contractual guarantees that should normally govern relations with a data processor. It pointed out that the obligation to provide information to individuals is a central measure in the GDPR insofar as it allows them to exercise their rights, in particular the right to object. Finally, it noted that this breach was not ended until several years after the processing was carried out, after several media outlets revealed its existence.
Breach of the obligation to inform individuals (Article 14 of the GDPR)
The creation of contact files by lobbyists for lobbying purposes is not, in itself, illegal. However, only individuals who can reasonably expect, because of their fame or their activity, to be the subject of sector contacts can appear in this file. Although it is not necessary to obtain consent from these individuals, the data entered in the file must have been legally collected and the individuals informed of the existence of the file, so that they can exercise their rights and in particular their right to object.
The CNIL noted that the individuals whose personal data had been collected contact information (address, phone number or e-mail address) for almost all of the individuals that it could easily have used.
The restricted committee also pointed out that failure to inform data subjects of the existence of processing necessarily undermines the exercise of the rights conferred on them by the GDPR. The right to be informed is an essential right which determines the ability to exercise other rights (rights of access, objection, erasure, etc.) enjoyed by the individuals: in this case, they were prevented from doing so for several years.
Breach of the obligation to govern the processing carried out on behalf of the data controller by a formal legal act (Article 28 of the GDPR)
As data controller, MONSANTO was required to govern the processing carried out on its behalf by its data processor by a legal act, in particular to provide guarantees regarding data security. However, the CNIL noted that none of the acts concluded between the two companies included the particulars provided for in Article 28 of the GDPR.