Cybersecurity Compliance
CNIL Fines Clairvoyance Companies €400,000 for GDPR Violations in Data Retention and Consent
Why This Alert Is Important
The latest French Data Protection Authority (CNIL) enforcement shows that GDPR compliance failures come at a high price—steep penalties and diminished consumer trust are the inevitable outcomes.
Overview of the Incidents
On October 10, 2024, CNIL fined two remote clairvoyance companies—Cosmospace (€250,000) and Telemaque (€150,000)—a total of €400,000 for multiple GDPR breaches, including:
- Excessive Data Retention: Both companies retained customer data for six years after the end of their relationships, mainly for marketing purposes. CNIL deemed this retention excessive and recommended a maximum of three years. Telemaque further failed to restrict access to the data, violating GDPR requirements.
- Processing of Sensitive Data Without Explicit Consent: Sensitive data, such as sexual orientation and health information, was processed without obtaining explicit user consent, violating GDPR rules that mandate clear, informed consent for handling such data.
- Unlawful Marketing Communications: The companies sent marketing emails and SMS without obtaining valid consent. The data collection forms did not clearly inform users about potential data sharing for marketing purposes, resulting in a breach of GDPR's consent requirements.
- Improper Call Recording Practices: Cosmospace recorded all customer calls for a variety of reasons, failing to comply with GDPR’s data minimization principle. CNIL suggested that only a sample of calls be recorded for quality monitoring, while others should be recorded selectively, as necessary for contract validation or safeguarding purposes.
What the Settlement Requires
- For Companies: This enforcement serves as a critical reminder to evaluate data retention strategies. Companies must ensure they only retain personal data for as long as necessary, implement clear access controls, and enforce timely deletion.
- For Privacy Professionals: The case highlights the need for constant vigilance in consent management and data retention policies, particularly when handling sensitive information. Regular audits and policy updates are key to maintaining compliance.
- For Consumers: The decision reinforces GDPR’s role in protecting consumer rights, ensuring organizations are held accountable for mishandling data and failing to secure explicit consent, especially for sensitive data processing.
Challenges for Privacy Advocates
The fines highlight the complexity of managing data retention and consent practices under GDPR. Privacy advocates must emphasize precise retention schedules, effective consent management, and strict adherence to data minimization principles to ensure data protection.
The case also reveals the growing importance of restricting access to stored data and implementing automated deletion protocols once the retention period expires. This proactive approach aligns with GDPR’s expectations and minimizes regulatory risks.
The CNIL’s recent fines on Cosmospace and Telemaque for GDPR breaches highlight the serious risks of poor data retention and inadequate consent management. This enforcement shows that excessive data retention, lack of explicit consent for sensitive data, and weak access controls expose companies to significant penalties and erode customer trust. Organizations can mitigate these risks by implementing strong data retention and consent policies that adhere to GDPR standards. For example, Exterro’s Data Retention solution helps automate defensible retention schedules and prevent data over-retention, reducing regulatory risks associated with improper data management. Additionally, Exterro’s Consent & Preference Management platform streamlines the handling of consent across channels, ensuring user preferences are honored and that consent is explicit and synchronized, from initial data collection through all interactions. Leveraging automated solutions for data retention and consent management not only strengthens compliance but also builds trust with consumers by protecting their rights and reducing the likelihood of enforcement actions.
Data Privacy Tip
Proper data retention isn’t merely about cutting storage costs; it's a core aspect of GDPR compliance. Whether operating within the EU or handling EU citizens' data, businesses must proactively manage compliance risks. This involves setting clear retention schedules, restricting data access, and promptly deleting redundant data. Learn how to craft a robust data retention policy and maintain GDPR compliance by watching our On-Demand Webcast.