The French regulator CNIL has ordered the online company Spartoo SAS fined with a fine of EUR 250’000. The following criteria were primarily relevant:
- The fine framework of EUR 20 million/4% of annual turnover;
- that the breaches largely concerned provisions that had already existed prior to the entry into force of the GDPR:
- the seriousness of the violations;
- the number of people affected (more than 25 million);
- that Spartoo is an established supplier;
- that Spartoo had taken compliance steps only after the search (see sogl.) and that not all violations had been remedied even at the time of the fine decision.
Among other things, it is interesting to note (apart from the fact that this was the first case in which CNIL cooperated with authorities in various Member States) that CNIL had conducted a house search (“dawn raid”) at Spartoo’s premises in France in the process. The objective of the search was to obtain information relating to the processing of customer data, but also of recordings of employee interviews.