The CNIL imposed a fine of EUR 300,000 on the telecommunications service provider FREE on November 30, 2022 (n° SAN-2022-022; English translation at GDPRhub) after 41 complaints were received against FREE for difficulties with the right to information. Among other things, FREE had not provided information about the source of the data used for marketing purposes. FREE had claimed that this information constituted a trade secret within the meaning of Article 15(4) of the GDPR (“The right to receive a copy pursuant to paragraph 3 shall not prejudice the rights and freedoms of other persons”).
The CNIL rejects this. The reservation of the rights and freedoms of other persons applies solely to Art. 15(4) GDPR, i.e. the right to a copy of the data, but not to Art. 15(1) GDPR, i.e. the information to be provided about the data processing, including the available information about the data source. In addition, Art. 5(1) GDPR requires, among other things, transparency about the processing. The controller can therefore refuse to provide information about the data source only if specifying it is not possible:
must in principle communicate “the specific source” of the data and […] limiting the right of access to indications of the “nature of the sources, the types of organisations, companies and sectors” may occur only where it does not hold this information, the identification of the specific source of the data subject's personal data being impossible
In processing chains, it is therefore not sufficient to name only the link that originally collected the data from the data subject. Rather, the direct source must be named, in this case the data broker from whom FREE had obtained the data.
In addition, FREE had violated the right to data deletion. Data subjects had requested that their FREE email account be deleted. FREE had refrained from the corresponding deletion and claimed that a request to delete an email account is not a deletion request within the meaning of the GDPR. The CNIL rejects this as well, because such a request necessarily contains a request for deletion of the personal data associated with the account.
Finally, FREE violated the data security requirements because no specific password complexity was required for the user accounts, and because user passwords were stored in clear text and transmitted to users in clear text. The obligation to document breaches of data security was also violated in this case, after reused hardware boxes that still contained personal data of the former subscribers were distributed to new subscribers.