A record-breaking year for fines issued to businesses. Free Mobile, AG2E La Mondiale and Carrefour were all targeted for GDPR infringements, all of which could have been avoided with a bit more care.


2021 was a banner year in Europe on the business front for violating General Data Protection Regulation (GDPR). Nearly 1.1 billion EUR in fines were issued by European authorities for the protection of personal data against only 158.5 million EUR in 2020 (i.e., a multiplication of seven) according to a report by DLA Piper.

The highest fine concerns Amazon, who holds record in this area. In August, 746 million EUR was received by the CNPD (National Commission for the Protection of Data), Luxembourg’s data protection authority, against Amazon Europe Core. It was a collective complaint led by the association La Quadrature du Net. The origin of this condemnation was complaints by 10,000 people against Amazon in May 2018. Amazon’s advertising targeting system operated without the free consent of Amazon users, which was an indirect violation of GDPR.


Fines up by 55% in 2021 in France

In France the number of fines increased from 2020 to 2021 by 55%. Last year, the CNIL imposed 18 sanctions, including 15 fines, for an amount of 214 million EUR. Of the 18 sanctions, half involved a violation related to the security of personal data, while four related to poor management of cookies and other tracers.

A record number of formal notices was also reached in 2021, with 135 decisions pronounced against only 49 the previous year. A significant proportion of these formal notices concerned cookies. The CNIL confirmed that 89 decisions were breaches involving the use of trackers.


Companies of High Standing Caught in the CNIL’s Nets

Among the companies pinned down last year by the CNIL was telephone operator Free Mobile, which was fined 300,000 EUR. The CNIL received several complaints concerning ignored marketing requests. An on-site check and a document inspection revealed breaches of the rights of the data subjects concerned. In the case of Free Mobile, the exemplary side of the sanction was beyond doubt. To explain this, the French supervisory authority puts forward the following arguments:  

The sanction takes into account the size and the financial situation of the company. Its advertising is justified by the need to recall the importance of dealing with personal rights requests and the security of user data. In such a case, one can legitimately wonder how such malfunctions, which so flagrantly violate the rights of individuals, could have persisted for so long within a company such as Free. Unless it is a clear desire to make numbers at all costs… A very poorly rewarded strategy given the amount of the fine…


AG2R La Mondiale: A GDPR Violation Costing 1.75 million EUR.

Another large group sanctioned by the CNIL last year was AG2R La Mondiale. They learned the hard way that the personal data of its prospects and customers could not be kept indefinitely and that the obligation to inform people during telephone canvassing operations was a reality. The French specialist in social and asset protection was ordered to pay no less than 1.75 million EUR for the violation of these two GDPR obligations—limitation of data retention periods and obligation to inform.

AG2R La Mondiale breached the maximum retention period of three years set in its reference system and in the group’s processing register for the retention of prospect data. The data of nearly 2,000 prospects who’d had no contact with the group for up to five years had been retained.

The company retained customer data of more than two million people, some of which was of a sensitive (health) or a particular nature (bank details), beyond the legal retention periods authorised after the end of the contract.

The information provided to the people contacted by the company’s subcontractors during cold-calling operations did not include all the elements required by GDPR. Telephone calls were recorded without the person being informed, therefore denying them their right to oppose.

It is surprising to note that such shortcomings have been able to persist in a group governed by the Insurance Code, as they should be the subject of frequent audits, control procedures and other reports relating to regulatory compliance. Prudential rules have apparently not been applied in all departments of the group, which would have made it possible to avoid such a breach.


Two Carrefour Group Societies Sanctioned

Seized by several complaints, the CNIL sanctioned two Carrefour group companies in 2021 for multiple GDPR breaches; in particular, information provided to individuals and respect for their rights. Carrefour France and Carrefour Banque were fined 2.25 million EUR and 800,000 EUR respectively.

The information provided to users of the carrefour.fr and carrefour-banque.fr sites, as well as to people wishing to join the loyalty program, was not easily accessible (access to information too complicated and in lengthy documents containing other information), or easily understandable (information written in general and imprecise terms, sometimes using unnecessarily complicated formulations). The CNIL noted that when a user connected to carrefour.fr or the carrefour-banque.fr, several cookies were automatically placed on their terminal before any action on their part.

Furthermore, Carrefour France did not comply with the data retention periods it had set. The CNIL details that the data of more than 28 million customers who had been inactive for five to ten years was kept as part of the loyalty program. The same was true for 750,000 users of the carrefour.fr site.


Damage to Reputation

It is regrettable that such well reputed companies have tarnished their image due to manifest negligence in the management of basic rules relating to the protection of data. The main objective of these fines is to serve as examples to other French companies and groups. Hopefully, this will encourage managers to take the necessary measures to ensure the number of fines imposed by the CNIL stops increasing in 2022.