French Authorities Fine Phone Operator For Poor DSAR Management

2022-06-22 03:32:11 By : Ms. Christina SINO ALLY

Individuals having difficulties in obtaining responses to their personal data subject access requests (DSAR) from French telephone operator Free Mobile filed several complaints before the French data protection authority (CNIL). These requests related to accessing their personal data and objecting to receiving direct marketing messages by electronic means. After its investigations, the CNIL imposed a fine of €300,000 against Free Mobile on 28 December 2021. 

The CNIL charged Free Mobile with four grounds of breach of the General Data Protection Regulation (EU) 2016/679 (GDPR):

Failure to comply with the right of access of data subjects regarding their personal data (Articles 12 and 15 GDPR), since Free Mobile did not respond to the requests made by the claimants within the 30-day time limit.

Failure to comply with the right to object of the data subjects (Articles 12 and 21 GDPR), since Free Mobile did not take into account the requests of the claimants to cease sending them direct marketing communications.

Breach of the obligation to protect data by design (Article 25 GDPR), as Free Mobile kept invoicing claimants for telephone services despite their subscription being cancelled.

Breach of the obligation to ensure the security of personal data (Article 32 GDPR), since Free Mobile communicated by unsecured emails the users’ passwords in clear text when they subscribed to Free Mobile’s services (these passwords being nontemporary and Free Mobile not requiring them to be changed).

The CNIL also decided to make the sanction public. Free Mobile argued that such publicity would be disproportionate considering the severity of the breaches and the low number of complaints (seven), and that it would irreversibly damage its reputation. Nevertheless, the CNIL chose to publish the sanction, justifying its decision by the need to reiterate the importance of responding to data subjects’ access requests within the relevant timeline (usually 30 days) with all the relevant and required information (Articles 13 and 14 GDPR) and of ensuring the security of users’ personal data.

In January 2020, the Dutch Supervisory Authority set the precedent on the importance of the GDPR principle of data minimization, especially when data subjects exercise their rights through a DSAR. Under this principle, controllers must not collect data that is unnecessary for the purpose of the processing.

Under this obligation, the Dutch Supervisory Authority fined media company Sanoma Media Netherlands B.V. on the ground that it made DSARs conditional on the data subject first uploading a full copy of an identity document. The supervisory authority considered that this practice made it overly complicated for customers to access their data or have their data deleted, and that the media company collected unnecessary personal data in view of the request submitted by the data subject.

As GDPR approaches its fourth anniversary, it is becoming clear that, on the one hand, data subjects have acquired the awareness necessary to exercise their rights, and, on the other hand, data controllers must implement effective channels and internal processes to handle DSARs properly, effectively, in a timely manner, and in a way that would not, in turn, generate its own set of breaches of GDPR.

Claude-Etienne Armingaud’s practice focuses on the representation of public and private companies in the area of information technologies and intellectual property law. Mr. Armingaud provides counsel to his clients at all stages of their corporate life cycle and in wide-ranging transactions, including in connection with litigation compliance matters, intellectual property protection and development, data protection strategic operations, and other commercial contracts.
