French DPA: 1.75 million penalty against AG2R LA MONDIALE

8 September 2021 France

Background information

Date of final decision: 2021/7/20
Cross-border case or national case: national case
Controller: AG2R LA MONDIALE
Legal Reference: Data retention period (Article 5.1.e GDPR), Information (Articles 13 & 14 GDPR)        
Decision: Fine                                     
Key words: Insurances, data retention, information

Summary of the Decision

Origin of the case

CNIL carried out an inspection in 2019 at the AG2R LA MONDIALE group. The purpose of this was to verify the compliance of the processing operations implemented as part of its task to manage the supplementary pensions of private sector employees and its insurance activity.

Key Findings

During its inspection and the ensuing exchanges between CNIL and the AG2R LA MONDIALE group, CNIL found that the AG2R LA MONDIALE Mutual Insurance Group (SGAM AG2R LA MONDIALE), responsible for coordinating the group’s provident, dependency, health, savings and supplementary pension insurance activities, was keeping data on millions of people for an excessive period of time and was not complying with its information obligations in the context of telephone canvassing campaigns.

Based on these elements, the CNIL considered that the company had failed to comply with articles 5-1-e, 13 and 14 of the GDPR.

Decision

Breach of Article 5-1-e of the GDPR
The company had not implemented the retention periods it had defined. As a result, the data of almost 2,000 of prospects who had not had any contact with the company were kept for more than three or five years. Furthermore, the company was storing the data of more than 2 million customers, including some of a health or bank details, beyond the legal retention periods allowed after the end of the contract.

Following the procedure, the company has been shown to be partially compliant and has made commitments as to when it will be fully compliant.

Breach of Articles 13 and 14 of the GDPR
Telephone calls made by the company’s data processors could be recorded without the person contacted being informed of the principle of recording or of her right to object to it. No further information was provided to the prospects about their other rights and they had no possibility of accessing more comprehensive information.

Following the inspection and the procedure, the company has made the necessary changes to comply with the GDPR.

 

CNIL imposed a fine of 1,750,000 euros and made its decision public.

For further information: https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000043829617

 

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As it is represented here as it appeared on the SA's website or other channels of communication, the news item is only available in English or in the Member State's official language with a short introduction in English. Any questions regarding this news item should be directed to the supervisory authority concerned.