October 12, 2023, the French Data Protection Authority (the “CNIL”) announced a €600,000 fine for mass media company Groupe Canal+ for failing to comply with its commercial prospecting obligations applicable under the French Post and Electronic Communications Code and several obligations of the EU General Data Protection Regulation (“GDPR”).
The CNIL received several complaints from individuals claiming that they had difficulties in having their rights taken into account by Groupe Canal+. As a result of the complaints, the CNIL started an investigation into the privacy and data protection practices of Groupe Canal+.
The CNIL’s Decision and Sanction
Key takeaways from the CNIL’s investigations include:
- Groupe Canal+ was unable to provide any evidence of valid consent from individuals for the sending of direct marketing communications. In addition, the forms used by the company’s commercial partners to collect personal data were silent about the fact that personal data would be shared with Groupe Canal+ for marketing purposes. The CNIL reiterated that the list of partners receiving data must be made available to individuals at the time of obtaining their consent, for consent to be valid. Finally, the CNIL found that the measures implemented by Groupe Canal+ with its data suppliers to ensure that valid consent had been collected were insufficient;
- Groupe Canal+ was not providing appropriate information to individuals creating a MyCanal account about the processing of their data. Further, Groupe Canal+ was not providing appropriate information to individuals during telephone prospecting;
- Groupe Canal+ was not responding to data subject rights requests within one month, as prescribed under the GDPR, and was ignoring certain requests for access;
- Groupe Canal+ did not put in place appropriate measures to ensure the security of personal data and did not have appropriate contractual agreements with all its data processors; and
- Groupe Canal+ failed to notify the CNIL of a personal data breach which had exposed subscriber data to other subscribers for a period of five hours.
In light of these infringements, the CNIL imposed a €600,000 fine on Groupe Canal+. According to the CNIL, this amount is justified by the nature of the infringements identified, and the lack of cooperation and reactivity by Groupe Canal+ to bring itself into compliance as regards the infringements of which it was accused.