Online clairvoyance reading: French SA fined KG COM EUR 150,000

8 June 2023

Background information

  • Date of decision: 8 June 2023
  • Cross-border case or national case: Cross-border case
  • LSA: France
  • CSAs: Belgium, Luxembourg, Italy, Spain, Portugal, Bulgaria, Berlin and Ireland
  • Legal references: Article 5(1)(e) (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 32 (Security of processing), Article 33 (Notification of a personal data breach to the supervisory authority)
  • Decision: Administrative fine
  • Key words: Health records, Sensitive data, Data security, Data retention, Consent, Data Breach


Summary of the Decision


Origin of the case

KG COM operates several websites in order to offer its customers clairvoyance readings via an online chat or by phone. Following the publication of a press article in 2020 revealing the existence of a personal data breach involving the company, the CNIL carried out three investigation missions.

During its investigations, the CNIL identified several infringements, in particular concerning the systematic recording of telephone calls, the collection of health data and information relating to sexual orientation, the retention of banking data without the consent of the person concerned, the obligation to notify a data breach, and the rules relating to cookies.


Key Findings

The French SA has identified several infringements of the GDPR and a breach of the French Data Protection Act by KG COM:

  • Failure to minimise the personal data collected and used (Article 5.1.c GDPR)

  • Failure to have a legal basis for the use of banking data (Article 6 GDPR)

  • Failure to obtain prior consent to the collection of special categories of data (Article 9 GDPR)

  • Failure to ensure data security (Article 32 GDPR)

  • Failure to notify the CNIL of data breaches (Article 33 GDPR)

  • A breach of the obligations related to the use of cookies (Article 82 of the Data Protection Act)


Decision

The French SA imposed two fines on KG COM:

  • A fine of EUR 120,000 for failing to comply with the General Data Protection Regulation (GDPR). This fine was imposed in cooperation with the CNIL's European counterparts in the context of the one-stop-shop mechanism, as KG COM has customers and prospects in several EU Member States.
  • A fine of EUR 30,000 for non-compliance relating to the use of cookies (Article 82 of the Data Protection Act). In this case, the CNIL has the jurisdiction to act alone.


For further information:

The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.