From Data Bytes 46 summarising updates from April 2024 1
On 4 April 2024, the French data protection authority ("CNIL") imposed a €525,000 fine on HUBSIDE.STORE after investigations revealed that the company had utilised data from data brokers in commercial prospecting campaigns to promote its products, including mobile phones and laptops, without obtaining valid consent from the individuals concerned. The CNIL determined that these practices by HUBSIDE.STORE violated the following provisions set forth by the General Data Protection Regulation ("GDPR") and the French Post and Electronic Communications Code ("CPCE"):
- Failure to comply with the obligation to obtain consent to receive commercial prospecting by electronic means (Article L.34-5 of the CPCE): The CNIL found that the data collection forms employed by the brokers were misleading, rendering it impossible to obtain free and unambiguous consent from the individuals concerned. The CNIL underscores that it is the company's responsibility, as the user of the collected data, to ensure that data subjects provide valid consent.
- Failure to comply with the obligation to have a legal basis for processing data (Article 6 of the GDPR): The CNIL's restricted committee confirmed that while commercial canvassing by telephone may be justified by the company's legitimate interests, individuals must be informed at the time of data collection that they may receive marketing communications from the company. However, the forms employed to collect prospective customers' data did not consistently include HUBSIDE.STORE in the list of potential contacts for the individuals concerned. Furthermore, the deceptive nature of the data collection forms prevented valid consent from being obtained from the data subjects.
- Failure to comply with the obligation to inform individuals (Article 14 of the GDPR): The CNIL's investigations uncovered that HUBSIDE.STORE inadequately informed individuals canvassed by telephone of essential information pertaining to the collection and use of their personal data. Indeed, the company failed to notify individuals of their rights, such as the ability to lodge a complaint with CNIL, and omitted vital information including its identity, contact details, purposes for data usage, retention periods. The absence of this information deprived the individuals concerned of their ability to exercise control over their personal data.
As a result of the aforementioned violations, the CNIL imposed a €525,000 fine upon HUBSIDE.STORE, amounting to roughly 2% of the company's annual turnover.
1 https://www.cnil.fr/en/commercial-prospecting-hubsidestore-fined-eu525000
Authors: Nicolas Quoy, Partner; Antoine Boullet, Senior Associate.