Who: Spartoo and the French Data Protection Authority (CNIL)’s restricted committee
Where: France
When: 28 July 2020
What happened:
Spartoo is a company specialising in shoe e-commerce. Its website is accessible in thirteen countries of the European Union. After auditing Spartoo in May 2018, the French Data Protection Authority (CNIL) found several cases of non-compliance with the General Data Protection Regulation n°2016/679 (GDPR) in the data processing relating to the company’s employees, customers and leads. Because the individuals concerned are located in different EU countries, the proceedings initiated by the CNIL were conducted in cooperation with other European Data Protection Authorities.
On 28 July 2020, the CNIL ruled that Spartoo had breached several of its obligations under the GDPR, namely:
- Non-compliance with the principle of data minimisation (Article 5-1(c) GDPR)
The full and permanent recording of telephone calls received by customer service employees is excessive. Recording all calls is not justified because the person responsible for employee training only listens to one recording per week and per employee.
The recording and retention of customers’ bank details, communicated when orders are placed by telephone, is not necessary for the purposes of employee training either.
- Non-compliance with the obligation to limit data retention (Article 5-1(e) GDPR)
At the time of the CNIL audit, the company had not set any retention period for customer and lead data, and it did not regularly erase or archive personal data. Although the company has, since the CNIL audit, planned to keep this data for five years:
– the past retention for several years of a very large amount of data from former customers (more than three million customers had not logged in to their account for more than five years) was a violation of the GDPR;
– the retention of lead data, even if limited to five years from the customer’s last activity (for example the opening of a newsletter), is not necessary beyond the two-year period, given that the company no longer sends email marketing to people who have not expressed interest in its products or services; and
– the CNIL also pointed out that (i) the mere opening of a prospecting e-mail by a person does not demonstrate the interest in the company’s products or services that would justify the retention of his or her data, since this message may be opened unintentionally, and that (ii) after the five-year retention period for customer data, the retention of customers’ e-mail addresses and passwords in a pseudonymised and non-anonymised form, so that they can log back into their account, is not in compliance with the GDPR.
- Non-compliance with the obligation to inform individuals (Article 13 GDPR)
The website privacy policy cannot indicate that consent is the legal basis for all the processing carried out when many of the processing operations are based on other legal bases, such as contract or legitimate interests pursued by the company.
As regards employees, the information relating to the recording of telephone calls made with customers is insufficient. Employees are not informed of the purpose of the processing, the legal basis of the system, the recipients of the data, how long the data will be kept, and their rights.
- Non-compliance with the obligation of security (Article 32 GDPR)
With respect to passwords for accessing customer accounts via the website, the company should have required users to use stronger passwords.
In the context of the fight against fraud, retaining scans of the bank card used for an order for six months and in clear text does not guarantee the security of customers’ banking data.
Why this matters:
This is the first decision handed down by the CNIL as lead supervisory authority, and it demonstrates successful cooperation between the European Data Protection Authorities in monitoring and enforcing the GDPR throughout the territory of the European Union.
It is also worth noting that the lead supervisory authority can take into account non-compliance in other countries. Here, the CNIL ruled that, as part of the fight against fraud, the collection, in Italy, of copies of customers’ “health cards” was excessive.