News & media > News >

Carrefour fined €3M: a textbook case of bad personal data practices

Vanessa Bouchara

Updated on January 24, 2021

Carrefour fined €3M: a textbook case of bad personal data practices

Seized of several complaints between June 2018 and April 2019, the French supervisory authority (CNIL) implemented its supervisory powers over CARREFOUR FRANCE and CARREFOUR BANQUE in two noteworthy decisions on November 18, 2020.

The controls revealed multiple breaches of the EU Regulation 2016/679 (GDPR) 2,250,000 against CARREFOUR FRANCE and 800,000 against CARREFOUR BANQUE.

The breaches of which CARREFOUR is accused constitute significant non-compliance with the GDPR and have thus allowed the CNIL to remind the following fundamental principles of personal data protection:

  • Retention of data in a form which permits identification of the data subjects for no longer than is necessary for the purposes for which they are processed;
  • Processing of data in a lawful, fair and transparent manner with regard to the data subject;
  • Processing of data in such a way as to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.


CARREFOUR is accused of disproportionately keeping data on its customers, who have in particular joined loyalty programs but are no longer active, and also of keeping copies of their identity documents when exercising their rights. 

Personal data relating to inactive loyalty program participants

First, the CNIL criticizes CARREFOUR for not respecting the retention periods of the data relating to its loyalty program members, processed for commercial prospecting purposes, which the company had set at four years from their last activity (last transaction or last connection).

It appeared that CARREFOUR was keeping the data of several million inactive members, for periods ranging from five to ten years.

The CNIL reminds us that, , in order to determine an adequate data retention period, it is necessary to examine the purpose of the processing and the specificities of the controller’s business sector.

This principle is all the more applicable to the retail sector as customers are used to returning to the same stores on a regular basis to make their purchases.

The CNIL invites you to refer to the former simplified standard n°48 and considers in this case that the data retention period cannot exceed three years from the last contact with the company, given the specificities of the said processing and the sector of activity of the data controller.

As a reminder, in the SPARTOO decision of July 28, 2020 (CNIL v. SPARTOO SAS, July 28, 2020, SAN-2020-003), the CNIL considered that a retention period of two years for data processed for commercial prospecting purposes was proportionate in view of the purpose of the processing.

Personal data relating to inactive loyalty program participants

CARREFOUR is then reproached for keeping copies of the identity cards requested from people wishing to exercise their rights to data concerning them (right of access, erasure, opposition…) for a period of one to six years, which is an excessive length of time to keep data in view of the purpose of their treatment.

For the CNIL, the copies of the identity cards had not to be kept beyond the processing of the request for exercise of right, the conservation of the favorable answer letter being then sufficient to justify the follow-up given to the request.


CARREFOUR is accused of not respecting a certain number of people’s rights.

Right to accessible information

The CNIL criticizes CARREFOUR for not providing users of its websites with and easily accessible information in clear and simple terms, pursuant to Article 12 of the GDPR, which requires the controller to provide information that is “concise, transparent, intelligible and easily accessible form, using clear and plain language

Indeed, the authority notes that the information relating to the processing of data is carried out at several levels on several separate pages, and in particular in the general conditions of use of the loyalty program.

This multi-level information is possible, provided that:

  • The first level presents the essential characteristics of the treatment;
  • The second level details all the information related to the treatment;
  • The complete information relating to all the treatments carried out on the site remains easily accessible for the Net surfers in a single document distinct from the  General Terms & Conditions of Sale.

The CNIL thus applies the guidelines of the G29 on transparency, and takes up rules that are already well established, but regularly ignored by website publishers

It is interesting to note that, even if the CNIL has not expressly stated so, it is common ground that this privacy policy must itself be easily accessible on the website, and be translated, if necessary, into all the languages offered on the site (see in particular ODA vs. Knops Publishing, December 17, 2019, DOS-2019-01356).

Right to clear and complete information

The authority also criticizes CARREFOUR for the lack of clarity and precision of the information communicated to Internet users. It is therefore recommended to use a simple vocabulary and to avoid legal or technical terms.

Indeed, this information must be able to put the data subjects in a position to determine in advance the scope and consequences of the processing of their data in order to avoid them being taken by surprise by the data controller (see in particular Council of State v. Google LLC, June 19, 2020, No. 430810), which is not the case here.

In this case, in addition to the fact that the information was insufficiently comprehensible, it was incomplete in several respects, and in any event did not include all the information required by Article 13 of the GDPR.

It is thus observed that the information presented on the site should have specified in an intelligible and transparent way:

  • The identity of the controller;
  • The sufficiently precise legal basis for the processing;
  • Third country recipients of the data and the safeguards surrounding the transfer;
  • The retention period for all categories of data processed.

Finally, the CNIL notes that Internet users browsing the website were not informed of the installation of non-functional cookies on their browser (including Google Analytics), and could not give their consent to these cookies.

It is then recalled that the data controller is under the obligation to inform correctly the Internet users and to collect their consent to the use of cookies as soon as they do not have for exclusive purpose to allow or to facilitate the communication by electronic way and are not strictly necessary to the supply of the service.

The right to exercise one’s rights without hindrance

The CNIL challenges CARREFOUR’s practice of systematically requesting a copy of an identity document from people wishing to exercise their rights to data concerning them.

Such a practice hinders the exercise of the right of the persons concerned, in particular by indirectly dissuading them from making such a request.

The authority reiterates that the requirement to provide a copy of a proof of identity should be strictly limited to situations where the company has “reasonable doubts as to the identity of the natural person making the request”.

Thus, unless there is a special reason, the controller may not require the data subject to provide proof of identity (see, for example, VG Berlin 1, 31 August 2020, 1 K 90.19).

Finally, the CNIL criticizes CARREFOUR for chronic delays in processing requests to exercise rights.

Whereas the GDPR sets a maximum time limit for responding to a request for exercising a right to data is one month, except in exceptional cases, it is noted that CARREFOUR extends this time limit to nine months, which has consequences for data subjects who have to make repeated requests to the data controller.

In any case, if the controller decides not to act on the request or if an additional period extending the processing of the request to three months is necessary, the data subject should have been informed without delay (see in particular ANSPDCP v. Viva Credit, July 30, 2020).

Right of access and deletion of data

A complaint specifically related to a potential failure by CARREFOUR to process a request for right of access to the data on the grounds that the data subject is not informed of the origin of the data processed by the responsible for the processing, the CNIL states thatin the event of a merger or acquisition of a company, the data initially processed by the absorbed company must be considered as indirectly collected by the absorbing company.

Under these conditions, the authority criticizes CARREFOUR for not having informed the complainant of the origin of the data processed concerning him.

This implies a particular attention on the organization of the databases of the absorbed companies by the absorbing companies, which must be able to distinguish the origin of the data.

Finally, the CNIL notes multiple breaches of the right to erasure of data of data subjects whose data were not completely erased from the data controller’s databases.

Right to object to the processing of data for marketing purposes

While there are no exceptions to the right to object to the processing of data for commercial prospecting purposes, the CNIL notes that CARREFOUR has not been able to comply with several requests.

The Authority reminds that the data controller must provide a means for data subjects to exercise their right to object to the processing of data for the purpose of canvassing, and that this right must be systematically taken into account.

More specifically concerning electronic canvassing, the CNIL noted that the canvassing emails did not allow recipients to object directly to the processing of their data for such a purpose, but referred them to the login page for their customer account.

Pursuant to Article L34-5 of the French Post and Electronic Communications Code, the authority states that CARREFOUR was obliged to systematically offer recipients of its prospecting emails a simple and effective way to unsubscribe from the mailing list, in particular by setting up a unique unsubscribe link.


During its remote controls, the CNIL noted the public accessibility of personal data on the website, and in particular to customer invoices, without authentication or connection to the customer account.

The lack of appropriate technical and organizational measures to ensure a level of data security appropriate to the risk, and in particular in this case to unauthorized access to said data, constitutes a clear violation of Article 32 of the GDPR, which requires a general data security obligation of the data controller (see in particular ICO v. Mariott International, September 30, 2020, COM0804337).

The authority also complains that CARREFOUR did not implement the corrective measures necessary to protect the data processed on its website, after being notified of this security breach.

In this case, the authority considers that the implementation of mandatory prior authentication is the only measure that can completely prevent the risk of unauthorized access to data.

It is specified that pursuant to Article 33 of the GDPR, any violation of personal data, as long as it creates a risk for the rights and freedoms of the persons concerned, must be notified in principle to the supervisory authority (see in particular, UODO v. U. Sp. z o. o.November 12, 2020, DKN.5101.25.2020).

However, the CNIL notes CARREFOUR’s decision not to notify a data breach affecting 275 of its customers, where the risk analysis clearly shows that the breach does not warrant application of the exception to the notification requirement in view of the malicious origin of the breach.

A textbook case applying rules already firmly established within the Member States, the CNIL ‘s decision reminds data players that compliance with the most fundamental principles of personal data law, and in particular the GDPR, is not an option.

Otherwise, full cooperation with the supervisory authority will not allow the data controller to escape the penalty, but only to hypothetically reduce its amount and limit its reputational impact.

As a reminder, the company’s turnover retained by the CNIL being 14.9 billion euros, the penalty pronounced in view of the breaches found could have been otherwise substantial and reach 3 billion euros.

Recent news

The availability of the sign

Updated on 07/01/2021

To be registered as a trademark, the chosen sign must, in addition to being lawful and distinctive, be available (…)

How can a banal brand become notorious or not, VENTEPRIVEE.COM a future case study?

Updated on 16/12/2021

The trademark VENTE PRIVEE.COM was adopted without the owner apparently questioning its distinctive character.

Under what circumstances can a competitor lawfully use a third party’s trademark on the Internet?

Updated on 16/12/2021

The brand has the power to unite a customer base. Impulsively, instinctively, thoughtlessly. Sometimes, blind (…)

The use of a third party’s product in an advertisement: the Courts’ assessment of the incidental character.

Updated on 23/12/2021

Advertisers frequently use third-party products in their ads that are copyrighted creations.