Call center operators entered data into a CRM system. Some of those operators were located outside the EU, so data were unlawfully stored in countries that did not provide an adequate level of protection of personal data. Some of the data related to the health status of the people contacted, and some comments contained offensive language. Further, the data subjects were not informed of the recording of the calls, or of any other processing of their personal data.
On 21 November 2019, the CNIL imposed a EUR 500,000 fine on FUTURA INTERNATIONALE, a company of less than 100 employees, operating in the energy sector (providing insulation and heat pump equipment) and partner of EDF. As part of its business, this company implements phone marketing campaigns.
The CNIL initiated an inspection due to the lack of compliance of the direct marketing activities
FUTURA INTERNATIONALE was the subject of a complaint from a data subject on 6 February 2018.
The complainant stated that despite her oral and written opposition to the company’s headquarters, the unsolicited phone calls had not ceased for several months.
The CNIL therefore carried out an inspection at the company’s premises to verify the compliance of the processing operations in connection with such direct marketing activities.
In the course of the investigations, the authority noted that FUTURA INTERNATIONALE processed customer and prospect data obtained directly from the data subjects or from third parties as part of sponsorship programs.
These data processing activities for the purpose of direct marketing, and especially through cold calls, were carried out by several call centers engaged as processors. However, no centralized mechanism was put in place to take into account and handle the requests for objection expressed by the data subjects.
The CNIL ultimately identified five breaches of the GDPR
The inspection delegation observed that customer data were processed using a CRM tool in which the teleoperators were able to enter comments relating to customers that were sent to FUTURA INTERNATIONALE. The control of this software highlighted comments relating to the health status of the people contacted as well as offensive language.
In addition, the call centers were mostly located in North Africa, which involved transferring personal data outside the European Economic Area to countries that did not provide an adequate level of protection of personal data. FUTURA INTERNATIONALE did not implement the appropriate safeguards provided for in the GDPR.
Finally, the recordings of telephone conversations showed that the data subjects were not informed of the recording of the calls, or of any other processing of their personal data.
On 27 September 2018, the President of the CNIL gave notice to FUTURA INTERNATIONALE to comply with the GDPR.
In the absence of a satisfactory response to this formal notice, the French authority initiated an administrative penalty procedure against the company in its capacity as controller, to address the five breaches of the GDPR observed following the inspection, namely:
- Failure to process data which are adequate, relevant and limited to what is necessary for the purposes for which they are processed (Article 5(1)(c) of the GDPR);
- Failure to inform the data subjects (Articles 12 and 14 of the GDPR);
- Failure to respect the right to object (Article 21 of the GDPR);
- Failure to cooperate with the supervisory authority (Article 31 of the GDPR);
- Failure to provide the appropriate safeguards regarding the transfer of personal data outside the European Union (Article 44 of the GDPR).
The Commission definitively closed the “transition” phase
In order to justify the amount of the fine imposed, the CNIL took into consideration the large number of breaches of the GDPR and their persistence despite the formal notice. The authority stated that these breaches seriously infringe the rights of the data subjects, and that the company's lack of full cooperation in putting an end to them should increase the sanction.
Finally, the French authority refuted the argument that the company had difficulty in complying with a new legal framework, on the grounds that the breaches found relate to obligations that the French Data Protection Act already imposed on data controllers before the GDPR.
This penalty is fully in line with the CNIL’s 2019-2021 strategic plan, which announced the end of the transition phase during which the authority would remain understanding. The approach is now to effectively implement “all the promises and potentialities of the GDPR”, particularly in terms of protecting the data subject’s rights and privacy.