On November 26, 2019, the French Data Protection Authority (the “CNIL”) announced that it had levied a fine of €500,000 on Futura Internationale, a French SME specializing in thermal insulation of private buildings, for various infringements of the EU General Data Protection Regulation (“GDPR”). The infringements, which relate to the company’s direct marketing voice-to-voice calls, include failure to (1) comply with the individuals’ objection to the processing of their personal data for direct marketing; (2) process only relevant personal data (by recording excessive comments in the CRM software); (3) provide sufficient notice regarding the recording of phone calls and data processing; (4) cooperate with the CNIL; and (5) implement appropriate data transfer mechanisms for the data transfers to non-EU call center providers.

Background

On February 6, 2018, the CNIL received a complaint from an individual who kept receiving direct marketing voice-to-voice calls on behalf of Futura Internationale, despite the fact that the individual had exercised their right to object to the processing of their telephone number for such purpose (both orally by informing the call operator of their objection and in writing by sending a letter to Futura Internationale). The CNIL’s investigation revealed that the company used more than 30 call center providers, which were mainly located in non-EU countries that have not been recognized as providing an adequate level of data protection, and did not have appropriate data transfer agreements in place. The investigation further revealed that the company did not implement a centralized mechanism to comply with individuals’ objections, and, in many cases, individuals were not informed of the recording of their conversation with the call operator. Where individuals were informed of the call recording, they were not provided with a privacy notice. The CNIL also found that call operators recorded comments that were offensive or related to the individuals’ health in the CRM software. On September 27, 2018, the CNIL served a formal notice to Futura Internationale, ordering the company to comply with the GDPR and demonstrate such compliance within a prescribed time limit. As the company failed to provide all the requested documents within that time limit, the Chairwoman of the CNIL initiated a sanctions procedure.

The CNIL’s Decision

In its decision, the CNIL held that Futura Internationale did not comply with (1) individuals’ objections to the processing of their personal data for direct marketing purposes under Article 21(2) of the GDPR; (2) the GDPR transparency requirement; (3) the GDPR data minimization requirement; (4) the duty to cooperate with the CNIL in the performance of its tasks as required by Article 31 of the GDPR; and (5) the GDPR cross-border data transfer restrictions. Given the number of infringements, their persistence and seriousness, the CNIL decided to impose a fine of €500,000 on Futura Internationale and issued an injunction against the company to ensure its data processing activities comply with the above GDPR requirements. The CNIL also ordered a periodic penalty payment of €500 for each day of delay in complying with the injunction, from a period of one month following notification of the CNIL’s decision. In publicizing its decision, the CNIL draws attention to the following: (1) the CNIL pays particular attention to the respect for individuals’ data protection rights, especially in the context of placing direct marketing calls; and (2) cooperating with the CNIL is a duty incumbent on all data controllers and data processors, and failure to fulfill that duty is punishable.