Commercial prospecting and rights of individuals: fine of 600,000 euros against GROUPE CANAL+
On 12 October 2023, the French Data Protection Authority (CNIL) fined GROUPE CANAL+ 600,000 euros, notably for failing to comply with its obligations in terms of commercial prospecting and rights of individuals.
The CNIL received many complaints concerning difficulties encountered by individuals in having their rights taken into account by GROUPE CANAL+, which produces channels and distributes pay television offers.
On the basis of the findings from the investigations, the restricted committee – the CNIL body responsible for issuing sanctions – considered that the company had failed to comply with several obligations set out in the General Data Protection Regulation (GDPR) and the French Post and Electronic Communications Code (CPCE). It imposed a fine of 600,000 euros on GROUPE CANAL+, which has been made public.
The amount of this fine was decided in the light of the breaches identified, as well as taking into account the company's cooperation and all the measures it took during the procedure to bring itself into compliance as regards the breaches of which it was accused.
Failure to comply with the obligation to obtain consent from individuals to receive commercial prospecting by electronic means (Articles L. 34-5 of the French CPCE and 7 of the GDPR)
GROUPE CANAL+ regularly carries out commercial prospecting campaigns by electronic means. However, it was unable to provide any evidence that it had obtained valid prior consent from individuals.
During the investigations, the company provided the CNIL with two examples of standard prospect data collection forms given by its commercial partners, from whom it collects data. However, no information on the identity of the recipients to whom the data was transmitted was provided, either on the collection forms or via clickable hypertext links. For consent to be informed and valid, the list of partners receiving data must be made available to individuals at the time of obtaining their consent.
Finally, the measures implemented by GROUPE CANAL + with its data suppliers to ensure that consent had been validly given by individuals prior to being canvassed were insufficient.
Failure to provide information (Articles 13 and 14 of the GDPR) and to respect the exercise of rights (Articles 12 and 15 of the GDPR)
The verifications carried out by the CNIL also revealed other breaches that were included in the sanction decision:
- A breach of the obligation to inform individuals during telephone prospecting: the company's service provider in charge of telephone canvassing did not systematically provide all the information required by the GDPR;
- A failure to comply with obligations relating to the modalities for the exercise of the rights of the data subjects (Article 12 of the GDPR): in particular, the company failed to respond to certain complainants within the one-month period stipulated by the legislation;
- A failure to respect the right of access to data (Article 15 of the GDPR). The company didn't responded to some access requests.
Failure to provide a contractual framework for processing carried out by a processor (Article 28.3 of the GDPR).
During its investigations, the CNIL found that a processor’s contract did not include all the information required by the GDPR.
Failure to ensure the security of personal data (Article 32 of the GDPR).
The restricted committee also found a breach of the obligation to ensure the security of personal data, since the storage of the company's employee passwords was not sufficiently secure.
Failure to comply with the obligation to notify the CNIL of a data breach (Article 33 of the GDPR).
CNIL investigations revealed the existence of a data breach, which made some subscriber data accessible to other subscribers for a period of 5 hours, and which was not notified to CNIL.
- Article L. 34-5 of the French Post and Electronic Communications Code (commercial canvassing) [in French] - Légifrance
- Article 12 of the RGPD (exercise of the rights of the data subject) - EUR-LEX
- Article 13 of the RGPD (information to be provided where personal data have been obtained from the data subject) - EUR-LEX
- Article 14 of the GDPR (information to be provided where personal data have not been obtained from the data subject) - EUR-LEX
- Article 15 of the GDPR (data subject's right of access) - EUR-LEX
- Article 21 of the GDPR (data subject's right to object) - EUR-LEX
- Article 28 of the GDPR (rules on processors) - EUR-LEX
- Article 32 of the GDPR (obligation to ensure data security) - EUR-LEX
- Article 33 of the GDPR (obligation to notify a data breach to the relevant authority) - EUR-LEX