The latest penalty imposed by the CNIL’s restricted panel for GDPR and personal data protection violations was published on November 26th against Futura Internationale, amounting to a hefty €500,000.
This company presents itself as specializing in energy-efficient renovations and energy production solutions for individuals, offering services related to thermal insulation.
The growth of its business led it to use telephone prospecting campaigns outsourced to call centers, primarily located outside the European Union.
Having been informed of regular marketing efforts by this company, and of a consumer who had repeatedly exercised their right to object, notably by mail, the CNIL (French Data Protection Authority) conducted an inspection of the company’s premises on March 20, 2018, which revealed numerous breaches of data protection regulations.
These included the presence of numerous letters of objection from other consumers, which had gone unanswered.
GDPR and obligations: Breaches, bad faith & sanctions
In addition to respecting individuals’ rights regarding their personal data, the CNIL (French Data Protection Authority) also noted:
- “The company’s files contained several excessive comments concerning clients or relating to their health.”
- “Individuals were also not properly informed about the processing of their personal data, nor often even about the recording of the conversation.”
In October 2018, the President of the CNIL issued a formal notice requiring Futura Internationale to comply with the GDPR and adopt the necessary corrective measures. Given the company’s lack of response, the CNIL imposed an exemplary sanction.
CNIL: Reminder of data protection obligations
The substantial amount of the fine is also linked to the company’s reluctance to cooperate with the CNIL (French Data Protection Authority) regarding the regulation of its collection and processing of personal data.
The CNIL justified its decision by citing, among other things, the company’s “very partial” responses, or even its failure to provide documents requested during its audit, “a clearly expressed intention not to respond to the CNIL’s requests, or at the very least, a blatant disinterest in these matters.”
Telephone canvassing in the field of energy renovation
Unlike previous sanctions issued by the CNIL (French Data Protection Authority), this new regulation reiterates that, beyond online and email campaigns, telephone solicitation is also subject to the provisions of the GDPR.
These commercial and advertising practices are frequently denounced by most consumer associations, and the French Directorate General for Competition Policy, Consumer Affairs and Fraud Control (DGCCRF) and the government have taken action on this issue.
Informing and warning consumers, strengthening controls, and even banning telephone solicitations concerning personal data are indeed under consideration following a 20% increase in consumer complaints on this subject in recent months.
Find the latest news related to the GDPR, commented on by the law firm PCS Avocat:
- CNIL & Data Protection: Common GDPR Mistakes
- GDPR Cheat Sheet: Data Processing Documentation
- Latest CNIL GDPR Sanctions: “The Game’s Over”
- GDPR: An Exemplary €50 Million Fine Against Google
News related to personal data – 2020 Summary
The CNIL’s pre-Covid objectives for 2020 included: prioritizing the digital challenges of daily life, ensuring balanced data protection regulation, promoting data diplomacy, offering cutting-edge public expertise on digital technology and security, and embodying an innovative public service united around its values.
The Council of State clarified the conditions under which the right to be forgotten on the internet, as provided for by the GDPR, must be respected.
The ACPR criticizes the lack of serious cyber-risk insurance contracts in France, as organizations are not yet sufficiently assessing their exposure to this type of risk.
A debate on facial recognition and its potential ban has been requested by CREIS-Terminal and the CNIL (French Data Protection Authority).
Personal emails were freely accessible on ameli.fr by modifying a few characters in the URL.
The CNIL has launched and outlined its position on the government’s tool for processing court decisions, “DataJust.”
An agreement with the GSM Association would allow the European Commission to access geolocation data collected from the phones of numerous mobile operators.
The CNIL has launched the authorization process for the monetization of personal data, notably through the TaData & Streamr services.
