Having received several complaints against the CARREFOUR group, the CNIL carried out inspections between May and July 2019 at CARREFOUR FRANCE (retail sector) and CARREFOUR BANQUE (banking sector). On this occasion, the CNIL noted shortcomings in the processing of data on customers and potential users. The President of the CNIL therefore decided to initiate sanction proceedings against these companies.
At the end of this procedure, the Restricted Panel – the CNIL body responsible for imposing sanctions – effectively considered that the companies had failed to comply with several obligations under the RGPD.
It therefore fined CARREFOUR FRANCE 2,250,000 euros and CARREFOUR BANQUE 800,000 euros. However, it did not issue an injunction as it found that significant efforts had been made to bring all the breaches noted into compliance.
The full document is available at this link.