The french individual and coarse trade giant carrefour must pay a total of 3.05 million euros due to several clarifications against the data protection basic regulation (dsgvo). A corresponding sanction has directed the privacy worker cnil after receiving multiple complaints against the group and had carried out on-site inspections between may and july 2019. A claim of 2.25 million euros is now on the parent company, the bank subsidiary carrefour banque should 800.000 euro.
Data stored too long
In their investigation, among other things, the prufter noted that the french marketplace still stored the data of more than twenty-eight million earlier customers as part of a bonus program, even though they have been inactive since five to ten years. The same was for 750.000 users of the website carrefour.For. The practiced retention period of four years for customer data after the last purchase had been too long.
According to cnil, cnil also violated information obligations from the dsgvo. The information that the company offers the visitors of the stammwebsite and carrefour-banque.Fr as well as the owners of the bonus card provided, were difficult to access, barely lacking and linguistic. Furthermore, cookies have been set without the necessary consent.
Sharp sanctions sentenced
Carrefour also demands an identity credits unjustified if customers wanted to dust their securitized control rights, criticizes the supervisory instance. Multiple requests for information is the group to spat or not complied with. For the loyalty program, he has collected personal contact details and, contrary to the commitment – passed on to the in-house financial service provider. From other and sharp sanctions, the cnil looked at carrefour "significant efforts" have to fix all detected clearances.