The CNIL (French Data Protection Authority) imposed a fine of €250,000 on SPARTOO. The online retailer violated multiple articles of the GDPR, including:

a) the principle of data minimization (by recording the full calls of customer service reps, and by collecting too much information in multiple redundant formats);

b) the obligation to limit data retention (by keeping call recordings permanently, by retaining prospect data for 5 years instead of 2, and by retaining pseudo-anonymized and non-anonymized email addresses and passwords beyond 5 years);

c) the obligation to inform individuals (by stating that ‘consent’ was the legal basis for data collection when contracts and business interests were in fact other [unstated] bases, and by not telling employees what information was being collected about them and why);

d) the obligation to secure data (by not requiring strong passwords, and by keeping unencrypted scans of bank cards).

https://www.cnil.fr/fr/spartoo-sanction-de-250-000-euros-et-injonction-sous-astreinte-de-se-conformer-au-rgpd