Overview: On August 5, 2020, the French Data Protection Authority (the CNIL, or Commission nationale de l'informatique et des libertés) announced that it had imposed a fine of €250,000 on the French online shoe retailer Spartoo for various infringements of the EU General Data Protection Regulation (GDPR). This is the first penalty under the GDPR enforced by the CNIL.
Why Defensible Data Retention Policies Are Important: The CNIL found Spartoo’s full and permanent recording of telephone calls received by its customer service department for employee training purposes to be excessive. The CNIL found that such recording was not justified, especially as the person in charge of employee training listened to only one recorded call per week per employee. The CNIL further found that, when orders were placed by phone, recording and storing customers’ payment card details was not necessary for the purpose of the call recordings (i.e., employee training). Finally, the CNIL found that the collection of customers’ health cards in Italy to combat fraud was also excessive.
Potential Fines: The CNIL decided to impose a fine of €250,000 on Spartoo and issued an injunction against the company to ensure its data processing activities came into compliance with the GDPR. The CNIL also ordered a periodic penalty payment of €250 for each day of delay in complying with the injunction, beginning three months following notification of the CNIL’s decision.
How Exterro’s Software Helps Tackle These New Regulations: Learn more about Exterro’s defensible data retention and disposal software solution for meeting GDPR obligations.