The 1st GDPR sanction of the CNIL concerning commercial prospecting
On 21 November 2019, the CNIL imposed a penalty of €500,000 on Futura Internationale for failure to respect the rights of canvassed persons in the context of commercial prospecting operations.
This is the first sanction imposed by the CNIL on the subject of commercial prospecting since the entry into force of the GDPR. The reasons given by the supervisory authority and the amount of the sanction imposed illustrate the interest of the subject.
Futura Internationale sells thermal insulation equipment and uses call centres located outside the European Union to carry out commercial prospecting operations.
On February 6, 2018, the CNIL received a complaint from an individual who was regularly approached by Futura Internationale even though he had expressed his opposition to this solicitation, orally to the telephone operators and by letter to the company’s headquarters. The CNIL carried out an on-site inspection on March 20, 2018.
Following this audit, the President of the CNIL gave Futura Internationale formal notice to comply with the General Data Protection Regulation (GDPR) (Decision No. MED-208-039 of 27 September 2018). As the company did not act on this formal notice, sanction proceedings were initiated against it for breaches of Articles 5-1-c), 12, 13, 14, 21 and 44 of the GDPR.
The breaches observed
The case was heard at the meeting of the restricted panel on 19 September 2019 and gave rise to a sanction against the company at the end of deliberation n°SAN-2019-010 of 21 November 2019.
First of all, the CNIL took care to justify the application of the provisions of the GDPR to the facts observed during the audit of 20 March 2018, recalling that the alleged breaches were continuous over time and had continued beyond the date of entry into force of the GDPR.
Data collected is not adequate, relevant and limited
Under the breach of the obligation to process only adequate, relevant and limited data (art. 5-1-c of the GDPR), the CNIL sanctioned the presence of abusive comments and/or comments relating to the state of health of the persons concerned, in this case the canvassed persons, in the company’s customer and prospect management software.
This breach was established at the expiry of the time limit set by the aforementioned formal notice, since the company addressed the disputed comments only during the sanction proceedings.
It should be noted that the CNIL gave its assessment of the corrective measures adopted by the company, considering that a simple mention of information intended for users of the customer and prospect management software was insufficient in this case – in view of the comments noted – to guarantee compliance with the provisions of Article 5-1-c).
The CNIL specified that the company had to set up a binding automated mechanism to ensure that misconduct would not be repeated.
Failure to provide information
The failure to inform people was due to the way in which prospecting campaigns were conducted. In practice, people were contacted by telephone – by and/or on behalf of Futura Internationale – and were not informed of the recording of the conversation, or were simply informed of the recording without any other information relating to the processing of their data and their rights.
Here again, the breach was established at the end of the time limit set by the formal notice.
During the proceedings, the company argued that it was now providing complete information, by e-mail, to the persons solicited.
However, the CNIL observed that the company did not produce any document justifying this corrective measure.
Moreover, for persons whose data were collected directly, the obligation to provide the information at the time of collection (Article 13 of the GDPR) could not be satisfied by sending an e-mail, which by definition comes after the telephone conversation.
The CNIL thus recalled that in the context of telephone prospecting, at least summary information must be communicated immediately by telephone, with the possibility of obtaining more complete information by other means. It referred to the Transparency Guidelines under Regulation (EU) 2016/679 of the former G29 (Article 29 Working Party), which mention the possibility of multi-level information.
Right of opposition of persons not respected
As regards commercial prospecting carried out by telephone call, Futura Internationale was also accused of failing to comply with the obligation to respect the right of opposition.
On this point, the CNIL pointed out that, under Articles 12 and 21 of the GDPR read together, the company was required to set up a mechanism to ensure that the right of opposition expressed by persons contacted by telephone is effectively taken into account, both by the company’s staff (controller) and by its subcontractors.
For the CNIL, it is not possible to effectively guarantee the opposition expressed by the persons concerned other than by an automated mechanism; and this requirement seems absolutely justified in this case in view of the economic interests generated by commercial prospecting, the volume of calls made and the number of persons concerned.
Failure to cooperate with the CNIL
The failure to cooperate with the supervisory authority (Article 31 of the GDPR) gave the CNIL the opportunity to clarify two things.
On the one hand, it was the company’s responsibility, in its capacity as controller, to respond to requests addressed to it and to report on compliance with the GDPR, without being able to attribute its breaches to the advisers responsible for defending its interests.
On the other hand, the fact that the failure to cooperate was not incompatible with the possibility of compliance following a formal notice.
In the present case, the alleged failure was indeed established at the expiry of the time limit set by the formal notice and, in addition, the decision pronounced by the Court of First Instance.
Insufficiently supervised data transfers outside the EU
Finally, Futura Internationale was accused of failing to comply with the obligation to supervise data transfers to countries outside the European Union that did not provide an adequate level of protection. More specifically, the contractual clauses concluded between the company and its subcontractors did not meet the requirements set out in Articles 44 et seq. of the GDPR.
The CNIL recalled that the alleged breaches related to obligations already present in the provisions of the Data Protection Act, that certain breaches concerned the rights of individuals, or that the data were the subject of cross-border flows outside any protective legal framework.
It also took into account other aggravating criteria, namely the plurality of breaches, persistence and seriousness, but also the fact that the procedure had its origin in a complaint lodged by a person.
With regard to the amount of the penalty, the CNIL has clarified its approach, namely that the fine imposed must be fair, proportionate and dissuasive. In the present case, however, in view of the alleged breaches and the company’s conduct, it considered that a penalty of 2.5% of annual turnover was not excessive.