The French Supervisory Authority (CNIL) wrapped up 2020 with a EUR 20,000 fine against NESTOR, a French food preparation and delivery company catering to office employees (see full Decision SAN-2020-018 in French).
The CNIL highlighted various breaches of the General Data Protection Regulation (GDPR) and the ePrivacy Directive regarding the company's processing of prospects’ and clients’ personal data, most notably:
- The lack of prior consent of the prospects to receiving direct marketing communication by electronic means, thereby violating Article L.34-5 of the French Post and Electronic Communications Code (CPCE);
- The failure to properly inform individuals (Articles 12 and 13 GDPR), whether:
  - Upon the creation of their account on the company’s platform, or
  - Upon indirect collection through external sources;
- The failure to properly address Data Subjects’ Access Requests (DSAR – Article 15 GDPR).
While the fine is rather limited in view of the maximum potential amount of EUR 20 million or four percent of the turnover (whichever is greater), this decision presents an opportunity to examine web scraping and direct marketing practices, which are rapidly developing.