Background information
- Date of final decision: 26 September 2024
- Cross-border case
- LSA: France
- CSAs:
  - For TELEMAQUE: Germany, Austria, Belgium, Cyprus, Spain, Greece, Hungary, Italy, Latvia, Luxembourg, Netherlands, Portugal, Czech Republic, Sweden.
  - For COSMOSPACE: Germany, Austria, Belgium, Croatia, Denmark, Spain, Greece, Italy, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovenia, Sweden.
- Legal Reference(s): Article 5 (Principles relating to processing of personal data), Article 9 (Processing of special categories of personal data)
- Decision: Administrative fine
- Key words: Sensitive data, Data retention, Commercial prospecting, Telephone call recording
Summary of the Decision
Origin of the case
COSMOSPACE and TELEMAQUE provide remote clairvoyance services, one by telephone and the other by online chat and text messages.
Inspections carried out by the CNIL in 2021 revealed several breaches, including the collection of sensitive data without prior explicit consent (in particular health data and data relating to sexual orientation), the retention of data for an excessive period, the sending of commercial prospecting communications to people who had not given their consent and, in the case of COSMOSPACE, the systematic recording of telephone calls.
Key Findings
- Failure to comply with the obligation to minimise personal data collection and processing by COSMOSPACE (Article 5.1.c of the GDPR)
- Failure to comply with the obligation to retain data for a period limited to the intended purpose (Article 5.1.e of the GDPR)
- Failure to comply with the obligation to obtain prior consent from individuals to process special categories of personal data (Article 9 of the GDPR)
- Failure to comply with the obligation to obtain consent to receive commercial prospecting by electronic means (Article L.34-5 of the French Postal and Electronic Communications Code (CPCE))
Decision
The CNIL imposed a fine of EUR 250,000 on COSMOSPACE and a fine of EUR 150,000 on TELEMAQUE. These fines were adopted in cooperation with about fifteen European counterparts of the CNIL in both cases.
The amounts of these fines were decided on the basis of the seriousness of the breaches, the number of people concerned - the database shared by the two companies containing the data of more than 1.5 million people - and the sensitivity of the data processed. The financial situations of the companies and their structures were also taken into account, in order to set dissuasive but proportionate fines.