Spartoo, a multi-national e-commerce company, fined €250,000 for GDPR violations
On 5 August 2020 CNIL, the French Data Protection Authority, announced a fine of 250,000 euros against Spartoo SAS, a multi-national e-commerce company with operations in thirteen EU countries. This is also the first fine issued by CNIL acting as lead supervisory authority for a company engaged in cross-border processing. Some insights from the decision published by CNIL:
Data Minimization (Article 5–1 c) Violation
Article 5–1 c) of GDPR states that personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed (data minimization).
- The controller recorded telephone conversations between customers and the support team. The stated purpose of this processing was “Employee Training & Evaluation”.
- Customers could opt out of these recordings. CNIL pointed out that no such option was available to the employees.
- The company also stated that the trainer listens to only one employee recording per week. CNIL pointed out that recording every call is not necessary for the “Training” purpose pursued.
- A few of the call recordings contained customers’ bank details. CNIL pointed out that bank details were not necessary for the “Training” purpose pursued by the controller.
- In Italy, the controller collected both an identity card and a health card for the purpose of “Fight Against Fraud”. CNIL pointed out that the identity card alone was enough to establish identity for that purpose. Collecting the health card violates data minimization (GDPR Article 5–1 c) and is excessive and irrelevant to the purpose pursued.
Storage Limitation (Article 5–1 e) Violation
Article 5–1 e) of the GDPR states that personal data must be kept in a form that allows identification of the persons concerned for no longer than is necessary for the purposes for which they are processed (storage limitation).
- The controller’s retention policy kept inactive accounts for 5 years. However, it only sent prospecting emails for two years after an account became inactive. CNIL pointed out that two years is the appropriate retention period for this purpose, so keeping the data for 5 years violates storage limitation (GDPR Article 5–1 e).
- CNIL also criticized the company for treating the mere opening of an email as activity: an email can be opened by mistake or automatically by the mail service. Opening a hyperlink inside the email, or a similarly deliberate action, should be used to determine the user’s interest and the last active time.
- At the end of the retention period, the controller deleted all personal data except the email address and password, which were hashed with SHA-256 and kept in a separate database. The controller argued that this data was anonymous and was kept so that users could log in with the same credentials even after the retention period. CNIL pointed out that even hashed with SHA-256 the data is only pseudonymized, and the controller cannot keep it beyond the retention period.
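The point CNIL made about the hashed store can be shown directly. This is an added example, not code from the article or from Spartoo: it models a post-retention table that holds only SHA-256 digests of email and password, with constructed sample accounts. Because the digest is deterministic and unkeyed, the same property that lets a returning user log in (the controller's argument) also lets anyone holding an email address tell whether that person is in the table, which is why the data is pseudonymous rather than anonymous.

```python
import hashlib


def sha256_hex(value: str) -> str:
    """Deterministic digest: the same input always yields the same output."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def build_retained_table(accounts):
    """Model of the controller's post-retention store: only the hashed email
    and hashed password survive; every other field has been deleted."""
    return {sha256_hex(email): sha256_hex(password) for email, password in accounts}


def login(retained, email: str, password: str) -> bool:
    """The controller's justification: a returning user can still log in."""
    return retained.get(sha256_hex(email)) == sha256_hex(password)


def is_linkable(retained, email: str) -> bool:
    """Anyone who holds an email address can test whether that person is in
    the table, because hashing is repeatable. Data that can still be attributed
    to a person this way is pseudonymous under the GDPR, not anonymous."""
    return sha256_hex(email) in retained


# Constructed sample accounts for the demonstration (not real data).
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "correct horse battery"),
    ("bob@example.com", "hunter2"),
]


def demo():
    """Login still works, and so does re-identification from a known address."""
    retained = build_retained_table(SAMPLE_ACCOUNTS)
    return {
        "login_ok": login(retained, "alice@example.com", "correct horse battery"),
        "alice_linkable": is_linkable(retained, "alice@example.com"),
        "carol_linkable": is_linkable(retained, "carol@example.com"),
    }


if __name__ == "__main__":
    print(demo())
```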
Violation of the obligation to inform individuals (Article 13)
Article 13 of the GDPR requires the data controller to provide, at the time the data is collected, information on its identity and contact details, those of the data protection officer, the purposes of the processing and its legal basis, the recipients of the personal data, any transfers of personal data, the retention period of the personal data, the rights enjoyed by individuals, and the right to lodge a complaint with a supervisory authority.
- The controller’s privacy notice failed to mention that data is transferred to Madagascar, and hence violated Article 13 of the GDPR.
- The controller’s employee privacy policy with respect to the recording of telephone calls failed to mention the purposes of the processing, its legal basis, the recipients, the retention schedule, the rights of individuals, and the possibility of lodging a complaint with CNIL. Hence this too is a violation of Article 13 of the GDPR.
Violation of the obligation to implement Technical & Organizational Measures (Article 32–1)
Article 32–1 of the GDPR states: Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including in particular the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The controller allowed users to create a six-character password consisting of the same character repeated; this was later changed to a minimum of 8 characters. CNIL pointed out that an 8-character password drawn from a single category of characters is still weak and does not meet the requirement of robustness.
- The controller collected scans of bank cards over unencrypted email and kept them with the other supporting documents with no additional security measures. Hence the company did not put appropriate security measures in place to protect customers’ banking data, and violated Article 32–1 of the GDPR.
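A password policy that addresses CNIL's two objections above (a short password of one repeated character, and an 8-character password from a single character category) can be expressed as a small validator. This is an added example, not code from the article or from Spartoo; the minimum of 8 characters is the figure the decision mentions, while requiring at least three character categories is an assumption chosen for the example.

```python
import string

MIN_LENGTH = 8    # the minimum length the controller eventually adopted
MIN_CLASSES = 3   # assumption for this example: CNIL rejected a single category


def character_classes(password: str) -> set:
    """Which categories of characters the password draws from."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def password_problems(password: str) -> list:
    """Return every reason the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) == 1:
        # "aaaaaa": the six-character, single-repeated-character case
        problems.append("a single character repeated")
    if len(character_classes(password)) < MIN_CLASSES:
        # "abcdefgh": 8 characters but only one category, still weak
        problems.append(f"fewer than {MIN_CLASSES} character categories")
    return problems


def is_acceptable(password: str) -> bool:
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ("aaaaaa", "abcdefgh", "Sp4rtoo!"):
        print(candidate, password_problems(candidate) or "ok")
```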
The complete deliberation published by CNIL has more details, including the exchanges between the company and CNIL. It is a wealth of information for a privacy team setting up a privacy program for GDPR compliance. You can start GDPR compliance with this data mapping tool.