France: Dawn Raid; fine of EUR 250,000 against Spartoo

The French regu­la­tor CNIL has orde­red the online com­pa­ny Spar­too SAS fined with a fine of EUR 250’000. The fol­lo­wing cri­te­ria were pri­ma­ri­ly relevant:

• The fine frame­work of EUR 20 million/4% of annu­al turnover;
• that the brea­ches lar­ge­ly con­cer­ned pro­vi­si­ons that had alre­a­dy exi­sted pri­or to the ent­ry into force of the GDPR:
• the serious­ness of the violations;
• the num­ber of peo­p­le affec­ted (more than 25 million);
• that Spar­too is an estab­lished supplier;
• that Spar­too had taken com­pli­ance steps only after the search (see sogl.) and that not all vio­la­ti­ons had been reme­di­ed even at the time of the fine decision.

Among other things, it is inte­re­st­ing to note (apart from the fact that this was the first case in which CNIL coope­ra­ted with aut­ho­ri­ties in various Mem­ber Sta­tes) that CNIL had con­duc­ted a hou­se search (“dawn raid”) at Spartoo’s pre­mi­ses in France in the pro­cess. The objec­ti­ve of the search was to obtain infor­ma­ti­on rela­ting to the pro­ce­s­sing of cus­to­mer data, but also of recor­dings of employee interviews.