CNIL: Sanction, inter alia, for refusal to provide information about the source of data; no trade secret objection; information in processing chains.

The CNIL imposed a fine of EUR 300,000 on the telecommunications service provider FREE on November 30, 2022 (n° SAN-2022-022; English translation at GDPRhub) after 41 complaints were received against FREE for difficulties with the right to information. Among other things, FREE had not provided information about the source of data used for marketing purposes. FREE had claimed that this information constituted a trade secret within the meaning of Article 15(4) of the GDPR (“The right to receive a copy pursuant to paragraph 3 shall not prejudice the rights and freedoms of other persons”).

The CNIL rejects this. The reservation for the rights and freedoms of other persons relates solely to Art. 15(4) GDPR, i.e. the right to a copy of the data, and not to Art. 15(1) GDPR, i.e. the information to be provided about the data processing, including the available information about the data source. In addition, Art. 5(1) GDPR requires, among other things, transparency about the processing. The controller may therefore refuse to provide information about the data source only if it is not possible to specify it:

must in principle communicate “the specific source” of the data and […] the limitation of the right of access to indications of the “nature of the sources, types of organisations, companies and sectors” may occur only where it does not hold that information, the identification of the specific source of the data subject's personal data being impossible

In processing chains, it is then not sufficient to name only the link that originally collected the data from the data subject. Rather, the direct source must be named, in this case the data broker from whom FREE had obtained the data.

In addition, FREE had violated the right to data deletion. Data subjects had requested that their FREE email account be deleted. FREE had not carried out the corresponding deletion and claimed that a request to delete an email account is not a deletion request within the meaning of the GDPR. The CNIL rejects this as well, because such a request necessarily contains a request for deletion of the personal data associated with the account.

Finally, FREE violated the data security requirements because no specific password complexity was required for the user accounts and because user passwords were stored in clear text and transmitted to users in clear text. The obligation to document breaches of data security was also violated in this case, after reused hardware boxes were distributed to new subscribers that continued to contain personal data of the former subscribers.



