Very regularly called by a home insulation company, a person who had asked the operator to stop calling and exercised her right to object decided to lodge a complaint with the French data Protection Authority.
After onsite investigations and a formal notice, the French Data Protection Authority (Commission nationale de l'informatique et des libertés or "CNIL") imposed on the company a €500,000 fine after redefining best practices in relation to cold calling.
The company FUTURA INTERNATIONALE is specialized in the installation of insulation products in houses. For this activity, it uses the services of several call centers mostly based outside the European Union which, on its behalf, call potential clients.
The company has continued to call – via call centers – a person although that person said on the phone that she no longer wanted to be called and also wrote a letter to object.
This person eventually decided to file a complaint with the CNIL that then decided to investigate the company's premises.
The investigation showed not only that the company continued to call persons despite their objection, but also that the files contained comments on clients that were excessive or related to their health condition, that it informed the persons neither about the processing of their data nor about the recording of the phone conversation.
The CNIL sent a formal notice to comply with the General Data Protection Regulation ("GDPR"), requiring the company to implement the necessary corrective actions and then, realizing that the company was still non-compliant, initiated proceedings.
The CNIL's decision1 is a great example of the trends in the CNIL's practice we already described2 : almost one out of four investigations are triggered by a complaint, ¾ of the complaints are related to the exercise of a right, ¾ of the fines are pronounced as a result of a complaint. If we add to these figures the decision made by the CNIL to include respect for the rights of individuals in its 2019 investigation strategy, the CNIL's decision is everything but a surprise.
Let's take a look at the decision and identify the inputs.
Scope of application of the GDPR over time
The GDPR became effective on May 25, 2018, i.e. after the CNIL's investigations and before the formal notice to comply with the GDPR.
With a reference to the non-retroactivity of criminal law, the CNIL considered that the non-compliances were "continuous" (i.e. they lasted over time) which entitled it to assess such non-compliances under the GDPR.
Non-compliances in relation to marketing
Following on its investigations – based on an onsite visit and the review of the documentation – to determine compliance of all data processing activities related to marketing (and more particularly to investigate the complaint), the CNIL identified 5 non-compliances with the GDPR.
Irrelevant data (offensive comments, or health-related comments) in the customer file of the company
Article 5-1-c of the GDPR requires that "the personal data must be: (...) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ("data minimization") (...)".
However, during its onsite investigations, the CNIL noticed that offensive comments or health-related comments were registered in the PROGIBOS software used by the company for the management of its clients, and considered that they were either excessive or irrelevant.
After the formal notice, the CNIL noted that the company had simply added an information banner intended for the software users. However, "in consideration of the comments recorded by the software users", the CNIL considered that "the data controller has to use a mandatory procedure allowing it to make sure that these behaviors have ceased, either by preventing automatically the record of such comments when they are entered, or by checking automatically and on a daily basis the recorded comments".
Insufficient information to the persons called about the data processing and their rights
The GDPR requires that the persons whose data are processed, either directly or indirectly, be informed regarding this data processing "in a concise, transparent, intelligible and easily accessible form, using clear and plain language", the to-be-provided information being precisely identified (Articles 13 et 14 of the GDRP).
During its investigations, the CNIL had access to telephone recordings which enabled it to note that the persons were "either recipients of no information relating to the recording of the call or simply informed of the recording of the conversation without any other information being communicated to them (...)".
After the formal notice, the CNIL noted that the company had not set up anything. The CNIL explained to the company that had indicated that it was now communicating information to people without however providing proof thereof, that "information, even summary information, must be communicated to people via the voice service or teleoperator, by offering them the possibility of obtaining full information either by activating a key on their keyboard or by sending an e-mail for example".
No consideration for the persons' right to object
Article 21 of the GDPR that deals with the right to object requires that "Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing", it being specified that Article 12 of the GDPR requires the data controller to facilitate the exercise of data subject rights, such as the right to object.
During its investigations, the CNIL noted the absence of any procedure allowing to ensure that objection expressed to the company be communicated to its subcontractors, the call center teleoperators, and conversely, that the objection expressed to call center teleoperators be centralized at the company's headquarters (in other words, the objection, however expressed, remained ineffective).
In addition, the CNIL noted not only the lack of consideration of the objection expressed by the person having lodged the complaint, but also the presence of emails received from people reporting several calls despite their refusal.
After the formal notice, the CNIL noted that the company was still not compliant with above-mentioned provisions. The CNIL explained to the company that had indicated that it had set up an objection list in the software that, in view of "the economic interests represented by commercial prospecting, both for FUTURA INTERNATIONALE and for its subcontractors" and "the volume of calls made on behalf of the company and thirdly the number of persons concerned (more than 300 had already expressed their objection on the day of the meeting), (...) only an automated mechanism is sufficiently effective to ensure that the objection expressed by the persons concerned is respected".
Lack of cooperation with the CNIL
Article 31 of the GDPR provides that "The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks."
In practice, the CNIL criticized the company for having provided little or no response and supporting evidence, while at the same time benefiting from extensions of timelines. It considered "that the absence of a response to the requests made by the CNIL services and to the formal notice sent by the President [of the CNIL], as well as the absence of consideration of these requests before the notification of a sanction report, are sufficient to demonstrate, if not the clearly expressed will not to comply with the CNIL's requests, at least a flagrant disinterest in these issues."
Insufficient protection of the data transfers to service providers located outside of the European Union
Article 44 of the GDPR says that "Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if (...) the conditions laid down in this Chapter are complied with by the controller and processor (...). All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined."
During its investigations, the CNIL found that the company was transferring data to countries considered as not offering an adequate level of protection.
After the formal notice, the CNIL found that the company was still non-compliant. The CNIL explained to the company that had indicated that it had signed contracts incorporating the European Commission's standard contractual clauses (which is one of the methods provided for under the GDPR to carry out data transfers) that these contracts were either incomplete or unsigned.
The CNIL imposed a €500,000 fine.
It noted that the breaches had persisted despite the formal notice, that such breaches concerned obligations that existed in the French Data Protection Act well before the GDPR and that they affected the persons concerned (in particular with regard to the right of objection and the method to carry out international transfers of data).
It justified the amount of the fine in the light of the breaches (which concern the rights of individuals), recalling that the GDPR provides for a maximum amount of fine of €20 million for this type of breaches. It considered that the fine, which represents 2.5% of the company's annual turnover, was not excessive in view of the company's behavior and the seriousness of the breaches. Once again, it insisted on the fact that the breaches concerned the rights of individuals and that it is the complaint of a person that prompted the investigations.
In addition, since the company was still non-compliant, the CNIL issued an injunction to comply, subject to a penalty of €500 per day of non-compliance, effective at the end of a period of one month from the notification of its decision.
Finally, it decided to publish its decision in view of the importance to ensure that the rights of individuals are duly respected, especially in the context of cold calling activities.
 Cf. our article entitled Investigations and sanctions: What lessons can be drawn from the CNIL's activities? published on our Blog in May 2019
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.