Who: Performeclic and the French Data Protection Authority (CNIL)’s restricted committee
Where: France
When: 7 December 2020
What happened:
Performeclic is a very small company with two employees, whose business is sending commercial prospecting e-mails on behalf of advertisers.
In June 2019, the Signal Spam association, which collects reports from internet users about unsolicited e-mails, informed the French Data Protection Authority (CNIL) that Performeclic regularly appeared at the top of the ranking of companies sending the most messages reported as “spam” by French internet users.
On 7 December 2020, the CNIL ruled that Performeclic had breached the French Post and Electronic Communications Code (Code des Postes et des Communications Electroniques, CPCE) and five of its obligations under the General Data Protection Regulation n°2016/679 (GDPR), namely:
- Non-compliance with the obligation to obtain the consent of individuals before sending prospecting e-mails (Article L. 34-5 CPCE): the company was unable to prove the existence of valid consent from the persons prospected, even though sending commercial prospecting by electronic means is at the heart of the company’s activity.
- Non-compliance with the principle of data minimisation (Article 5-1(c) GDPR): the company keeps data that is not necessary for sending electronic commercial prospecting, such as the telephone numbers of prospects.
- Non-compliance with the obligation to limit data retention (Article 5-1(e) GDPR): the company keeps prospect data for an excessive period, i.e. more than three years from the mere opening of a prospecting e-mail, without any further action by the persons concerned (e.g. without clicking on one of the links in the prospecting e-mails).
- Non-compliance with the obligation to inform individuals (Article 14 GDPR): the information at the bottom of prospecting e-mails sent to persons whose personal data were collected indirectly is incomplete, as it does not specify the identity of the controller, the legal basis, the categories of personal data concerned, the retention period, the rights of individuals, etc. Moreover, the company implements no additional means of providing complete information to the persons concerned.
- Non-compliance with the obligation to give individuals the right to object (Article 21(2) GDPR): the company does not allow the persons approached to effectively object to the use of their data.
- Non-compliance with the contractual framework for relations with a processor (Article 28 GDPR): the CNIL noted the absence of mandatory clauses in the contract between the company and its hosting provider, such as a clause ensuring that persons authorised to process personal data are committed to confidentiality.
Why this matters:
Firstly, in making its decision public, the CNIL underlines the importance of obtaining the consent of individuals before sending prospecting e-mails and of being able to provide proof of that consent. Secondly, the CNIL points out that even small companies are subject to personal data protection rules. However, the fine is small, as the CNIL explained that it took into account the size and financial situation of the company. Because the fine alone might not have been enough to make the company stop violating the rules, the CNIL also ordered the company to pay a penalty of 1,000 euros per day of delay in the event of continued non-compliance.