The French Data Protection Authority (“CNIL”) Imposes a Fine of EUR 525,000 on a Technology Company

Kişisel Verilerin Korunması Hukuku, Data Protection Law

The European Data Protection Board (“EDPB”) has released a decision on 15 April, 2024 regarding notification of data breach to the CNIL about HUBSIDE.STORE which operates phone and SMS calling campaigns to promote the products (laptops, cell phones) that purchases data from data brokers and publishers of competition and product testing websites.

According to the decision, CNIL identified multiple violations of the General Data Protection Regulation (“GDPR”):

  • Failure to establish a legal basis for data processing (Article 6 GDPR): HUBSIDE.STORE utilized data collection forms that were misleading, preventing valid consent from individuals. Consequently, they lacked a legitimate legal basis for data collection for commercial prospecting via phone calls, violating Article 6 GDPR. This also breaches the French Postal and Electronic Communications Code (Article L.34-5) regarding SMS prospecting.
  •  Non-compliance with the obligation to inform individuals (Article 14 GDPR):   Investigations revealed that individuals contacted via phone were not adequately informed about the collection and usage of their personal data.

 

As a result, based on the severity of the data breach and the responsibility of the organization in handling the collected data, a fine of 525,000 euros, equivalent to 2% of the Company's turnover, was determined.

You can reach further information here.

You can reach the announcement of the CNIL here.

 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr