National Commission for Informatics and Freedoms
- Nature of the deliberation: Sanction
- Legal status: In force
- Publication date on Légifrance: Thursday, July 22, 2021
The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Mr. Bertrand du MARAIS, Mrs. Christine MAUGÜE and Mr. Alain DRU, members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;
Considering the law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 and following;
Considering Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to information technology, files and freedoms;
Having regard to deliberation no 2013-175 of 4 July 2013 adopting the internal regulations of the National Commission for Information Technology and Freedoms;
Considering the decision n ° 2019-164C of September 26, 2019 of the President of the National Commission for Informatics and Freedoms to instruct the Secretary General to carry out or have carried out a mission to verify the processing operations implemented by the group AG2R LA MONDIALE or on its behalf;
Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated November 12, 2020;
Having regard to the report by Mrs Sophie LAMBREMON, rapporteur commissioner, notified to SGAM AG2R LA MONDIALE on April 26, 2021;
Having regard to the written observations made by SGAM AG2R LA MONDIALE on May 26, 2021;
Having regard to the oral observations made during the session of the restricted formation;
Having regard to the other documents in the file;
The following were present during the restricted training session on June 17, 2021:
Mrs Sophie LAMBREMON, commissioner, heard in her report;
As representatives of SGAM AG2R LA MONDIALE, speaking during the meeting:
[…]
SGAM AG2R LA MONDIALE having spoken last;
The restricted committee adopted the following decision:
I. Facts and procedure
1. The AG2R LA MONDIALE Mutual Insurance Group Company (hereinafter “SGAM AG2R LA MONDIALE” or “the company”) is a mutual insurance company created on January 16, 2008. Its head office is located [… ] in Paris [75008].
2. SGAM AG2R LA MONDIALE belongs to the AG2R LA MONDIALE group (hereinafter “the group”), a French organization for social and asset protection fulfilling, on the one hand, an administrative management mission for supplementary pensions for employees in the private sector. and, on the other hand, an insurance activity. The group insures around 15 million people in France, individually or collectively, and supports more than 500,000 companies. The group employs around ten thousand people.
3. Within the group, SGAM AG2R LA MONDIALE is responsible for coordinating the insurance activity of provident, long-term care, health, savings and supplementary retirement. It has several subsidiaries, including the companies […] and […].
4. In 2019, the turnover generated by the insurance activity carried out by SGAM AG2R LA MONDIALE amounted to 9.6 billion euros for a net income of 350 million euros. In 2020, its turnover amounted to 9.3 billion euros for a net profit of 222 million euros.
5. On October 29, 2019, in application of the decision n ° 2019-164C of September 26, 2019 of the President of the Commission, a delegation of the CNIL carried out an on-site control operation within the premises of the AG2R LA MONDIALE group. . The purpose of this mission was to verify that the AG2R LA MONDIALE group complied with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter “the Regulation” or “the RGPD “) and of the law n ° 78-17 of January 6, 1978 modified relating to data processing, files and freedoms (hereinafter” the law of January 6, 1978 modified “or” the Data Protection Act “) .
6. The control focused more particularly on the processing of personal data of the group’s customers and prospects. The verifications carried out focused in particular on the retention periods for personal data and on the information brought to the attention of the persons concerned with regard to the processing carried out by SGAM AG2R LA MONDIALE.
7. At the end of the control, report n ° 2019-164 / 1 was notified to SGAM AG2R LA MONDIALE, by letter dated October 30, 2019. On November 12, 2019, the company forwarded it to the CNIL the additional documents requested during the inspection. Following additional requests from the Commission services, the company provided new elements and documents on 9 December 2019, 17 January and 10 February 2020.
8. For the purposes of examining these elements, the President of the Commission appointed Ms Sophie LAMBREMON on 12 November 2020 as rapporteur, on the basis of article 22 of the law of 6 January 1978 as amended.
9. At the end of her investigation, the rapporteur, on April 26, 2021, notified SGAM AG2R LA MONDIALE of a report detailing the breaches of the GDPR that she considered constituted in this case and indicating to the company that it had a period of one month to communicate its written observations in application of the provisions of article 40 of decree n ° 2019-536 of May 29, 2019. The report notification letter specified to the company that the file was registered for the restricted training session on June 17, 2021.
10. This report proposed to the restricted formation of the Commission to issue an injunction to bring the processing into line with the provisions of Articles 5-1-e), 13 and 14 of the GDPR, together with a penalty for each day of delay. the end of a period of three months following the notification of the deliberation of the restricted formation, as well as an administrative fine. He also proposed that this decision be made public, but that it no longer be possible to identify the company by name after a period of two years from its publication.
11. On May 3, 2021, through its counsel, the company requested to consult the file of the procedure in the premises of the CNIL. On May 6, 2021, a consultation was held at the premises of the CNIL, during which the company’s board took a copy of the requested documents.
12. On May 26, 2021, through its counsel, the company filed comments in response to the sanction report.
13. On May 11, 2021, the company made a request that the session before the restricted panel be held in camera. By letter of May 20, 2021, the president of the restricted party rejected this request.
14. The company and the rapporteur presented oral observations during the restricted formation session on 17 June 2021.
II. Reasons for the decision
A. On the breach of the obligation to keep personal data for a period not exceeding that necessary for the purposes for which they are processed pursuant to article 5-1-e) of the GDPR
15. Pursuant to article 5-1 e) of the Regulation, personal data must be “kept in a form allowing the identification of the persons concerned for a period not exceeding that necessary for the purposes for which they are processed; personal data may be kept for longer periods as long as they will be processed exclusively for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1), provided that the appropriate technical and organizational measures required by this Regulation are implemented in order to guarantee the rights and freedoms of the data subject (limitation of retention) “.
1. On the retention of personal data of prospects
16. The rapporteur firstly noted that, during the control on October 29, 2019, the company had informed the delegation that the companies in the AG2R LA MONDIALE group had a framework setting the retention periods for personal data. prospects (from rented third-party files) and customers (people with an individual insurance contract with the company or its subsidiaries). However, the company declared during this same check that the retention periods defined in this reference document were not effectively implemented within its information systems, with the exception of processing relating to the fight against money laundering. , local actions and health data. She clarified that a privacy policy implementation plan was planned and should have started in the first half of 2020.
17. The rapporteur then noted that the repository relating to retention periods and the group’s processing register provided, for prospecting aimed at the distance selling network, for the retention of personal data of prospects for a maximum period of three years after the registration in the database or the last contact at the initiative of the prospect. However, by letter dated November 12, 2019, the company provided the delegation of control with an extraction from the application dedicated to commercial prospecting for distance selling, showing the presence of data from prospects who did not have of contact with the company for more than three years, sometimes for more than five years.
18. In its observations of May 27, 2021, the company first of all underlined that a reference framework relating to the retention periods for personal data of customers and prospects having been defined, no breach could be criticized against it under the definition of retention periods.
19. Next, the company explained that it had taken actions in order to respect the maximum retention period for the personal data of prospects as defined both in its repository and in the group’s processing register.
20. The restricted committee notes that, with regard to the definition of the retention periods applicable to the data of the company’s prospects, it should first of all be noted that on the day of the control, a reference framework relating to the retention periods. retention of customer and prospect data had indeed been established for the companies of the AG2R LA MONDIALE group, but that the retention periods defined therein were, according to the declarations made by the company during the audit, “not actually implemented in the company information system, except for processing relating to the fight against money laundering, local actions and health data “.
21. The restricted committee then notes that, during the control of October 29, 2019, the delegation noted the presence, in an active database, of the personal data of 1,917 prospects who had not had contact with the company for more than three years. years, including 1405 prospects who have not had contact with the company for more than five years, without the company being able to justify the need to apply retention periods greater than the maximum period of three years that she had fixed herself. The restricted committee notes that the three-year period constitutes a conservation period that is proportionate and in accordance with the recommendations made by the CNIL within the framework of the simplified standard n ° NS-056 (deliberation n ° 2013-213 of July 11, 2013) concerning automated processing of data relating to the commercial management of customers and prospects implemented by insurance, capitalization, reinsurance and assistance organizations and by insurance intermediaries. If since the entry into force of the GDPR on May 25, 2018, the simplified standards no longer have any legal value, they still constitute a point of reference for data controllers, allowing them to ensure their compliance.
22. The restricted committee also notes that the company certifies, since the audit, having formulated and executed requests to delete prospect data and implement monthly purges of prospect data in the database underlying the data. application dedicated to commercial prospecting for distance selling.
23. Therefore, if the restricted training takes note that SGAM AG2R LA MONDIALE now implements the retention periods defined in the aforementioned reference system and the group’s processing register, thus allowing the personal data of prospects are not kept for periods exceeding those necessary with regard to the purposes for which they are processed, it notes that on the day of the control, the retention periods that the company had defined, and which correspond to the periods necessary to achieve the purposes pursued, were not respected. The company thus kept the personal data of its prospects for excessive periods of time, in the absence of any particular justification, and while they had shown no interest in the products and services offered by the company for more than three or even five years.
2. On the retention of customers’ personal data
24. As indicated above (point 16), the company had, at the time of the audit, a framework relating to the retention periods of the data of its customers and prospects, which was however not implemented. within its information systems, except for processing relating to the fight against money laundering, local actions and health data.
25. In the context of her report, the rapporteur underlined that the specific nature of the insurance sector should be taken into account when assessing the proportionality of the retention period of customer data by an insurance company. . In particular, the retention periods for customer data in insurance matters must allow compliance with the legal deadlines provided for, in particular, by the Insurance Code and the Commercial Code. However, in the present case, the rapporteur noted that by letter of 12 November 2019, the company had provided documents showing the retention in an active database of the personal data of a large number of customers, after the end of the contract. insurance, for periods longer than those fixed by the applicable legal provisions. The data kept related, in particular, to identity, personal, professional and bank details, personal and professional life, insurance, as well as, in the context of certain contracts, personal health.
26. In defense, the company indicated that it had taken corrective actions since the inspection and produced justifications in order to attest to its efforts to bring it into conformity.
27. The restricted committee notes first of all that it emerges from the information communicated by the company after the control of October 29, 2019, that the data of thousands of customers holding contracts of the type fires, accidents and various risks, which can be kept between two years after the end of the contract (Article L. 114-1 of the Insurance Code, setting the limitation periods for actions deriving from an insurance contract, no other purpose having been put forward by the company to justify retention at the end of the expiration of the contracts) and ten years for certain accounting documents (Article L. 123-22 of the Commercial Code), were retained for periods exceeding ten years and sometimes longer at thirty.
28. Next, the restricted committee notes that the personal data of nearly 100,000 customers with savings, asset savings, additional retirement, funeral and provident insurance contracts, which can be kept for variable periods of up to thirty years. years after the conclusion of the contract for the purpose of managing disputes (article L. 114-1, last paragraph, of the Insurance Code), have been terminated for a longer period. In addition, no other purpose was put forward for post-contract processing.
29. In addition, the restricted committee notes that the personal data of more than two million customers, collected within the framework of health contracts, have been kept for periods exceeding the legal period of five years following the termination of the contract ( deadline modeled on that of Article 2224 of the Civil Code, included in the company’s repository). It also notes that the data retention period of 1.3 million customers with a health contract exceeds ten years while that of thousands of customers exceeds thirty years.
30. Finally, the restricted committee notes that apart from data concerning health services, on the day of the audit, there was no archiving mechanism allowing customer data to be kept for accounting, tax or other purposes. litigation within the limit of the limitation periods, whether by transferring them to a dedicated archive database or by setting up access restrictions to this data so that they can only be consulted by persons specially empowered, having an interest in knowing them because of their functions (for example, the department in charge of litigation).
31. The restricted committee also observes that, in defense, the company has not provided any evidence of such a nature as to justify such data retention periods. Conversely, it indicated that it had initiated a large compliance plan. In this regard, the company explained in particular that an IT project had been initiated in 2017 in order to achieve an effective and full implementation of the retention periods for data relating to its customers. The company specified that the deployment of the IT project should have been completed in May 2018, but that the schedule could not be kept due to the complexity of the information systems of the AG2R LA MONDIALE group and the interdependence of applications. The company said it has defined a new strategy for deleting customer data over three years, based on a risk and data lifecycle approach, according to the following schedule:
2020: sensitive processing scope (social action, fight against money laundering);
2021: health and welfare scope;
June 2021: deadline for the process of anonymizing data related to savings products;
2022: savings and supplementary retirement scope (longer data lifecycles – actions being prescribed by thirty years).
32. The restricted committee notes that the company has provided, in support of its commitments, proof of deletion of customer data already carried out, in 2020 and 2021, in accordance with the defined IT project, on several applications attached to the Health-Welfare scope. In addition, the company provided a document dated May 2021 showing that the process of anonymizing customer data related to savings products is underway.
33. Therefore, if the restricted committee notes that SGAM AG2R LA MONDIALE has provided evidence of the steps taken to ensure that the personal data of its customers are no longer kept for periods exceeding those necessary for the purposes for which they are processed, it considers that on the day of the control, these data were kept for excessive periods. The limited committee also notes that the breach partially remains to this day, insofar as the implementation of the retention periods for customer data is not fully deployed in the company’s information systems. In particular, it emerges from the documents provided by the company that almost all of the “Health and Safety” scope would be in compliance by the end of 2021 and that work relating to the “Retirement savings” scope would continue in 2022 The company specified in its defense observations and confirmed during the restricted training session that the compliance work relating to the implementation of customer retention periods in its information systems would be completed at the end of the year 2022.
34. In view of all of these elements, the restricted committee considers that the breach of article 5-1-e) of the GDPR is characterized.
B. On the breach relating to the obligation to inform individuals pursuant to Articles 13 and 14 of the GDPR
35. Articles 13 and 14 of the GDPR require the data controller to provide the data subject with various information relating in particular to their identity and contact details, the purposes of the processing implemented, their legal basis, the recipients or the categories of recipients. data, the fact that the controller intends to transfer data to a third country. In addition, the regulations impose, when this appears necessary to guarantee “fair and transparent processing” of personal data in this case, to inform people about the retention period of the data, the existence of the various rights enjoyed by persons, the existence of the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority.
36. Article 14 of the GDPR, which concerns the situation in which personal data are not collected directly from the data subject, provides that the latter must also be informed of the categories of personal data concerned as well as, if this is necessary to ensure fair and transparent processing, of the source from which this data originates. In addition, it specifies that this information must be communicated to the data subject “within a reasonable time after obtaining the personal data, but not exceeding one month, having regard to the particular circumstances in which the personal data are processed. or if the personal data are to be used for the purposes of communication with the data subject, at the latest at the time of the first communication to that person “.
37. The rapporteur noted, as emerges from the findings made during the on-site inspection of 29 October 2019, that SGAM AG2R LA MONDIALE entrusted its subcontractors […] and […] part of the prospecting operations telephone to be conducted with its customers and prospects. In this context, the CNIL delegation was informed that call scripts were established by the company or its subsidiaries and that 30% of outgoing telephone conversations made by its two subcontractors were recorded for the purpose of improving the service quality of SGAM AG2R LA MONDIALE.
38. The rapporteur noted that listening to a sample of the last fifty telephone calls made by these two subcontractors revealed the lack of information from the people contacted, i.e. the very principle of recording the call. ‘appeal or their right to oppose it. In addition, the rapporteur also underlined that, in the context of these recordings, people were not made the recipient of any information, even summary, relating to the processing of their personal data or to the other rights they have at their disposal. with regard to their data. Finally, these people were not offered the possibility of obtaining more complete information relating to the protection of their personal data, for example by sending an email or pressing a key on their keyboard. telephone.
39. In defense, the company indicated that it had made immediate corrections, following the on-site inspection, in order to provide the persons concerned with information that complies with the requirements of the GDPR. It thus declared that, since the end of 2019, written instructions relating to the information of the persons concerned were given to the subcontractors […] and […], as well as updated telephone call scripts containing most of the information required by Articles 13 and 14 of the GDPR. The company specified that the said scripts had been completed with final missing mentions in 2021. Finally, the company indicated that an information notice dedicated to the treatments implemented within the framework of the recording of outgoing telephone calls was now provided in the “data protection” section of the AG2R website, indicating the legal basis for the processing and specifying the recipients of the recordings as well as the procedures for exercising rights. The company specified that people contacted by telephone were now informed, by the teleoperator, of the fact that they could consult this information notice by going to the AG2R website.
40. The restricted committee notes that at the date of the control, the people contacted by telephone by the companies […] and […] on behalf of SGAM AG2R LA MONDIALE were not correctly informed of the processing of personal data. implemented, in disregard of the applicable provisions of the GDPR. Indeed, on the one hand, essential information relating in particular to the very principle of the recording of the call or, as the case may be, to the right to oppose it, to the purposes of the recording and to its duration. conservation, were not communicated to the persons concerned by the subcontractors of SGAM AG2R LA MONDIALE. On the other hand, the restricted training emphasizes the absence of instructions given by SGAM AG2R LA MONDIALE to its subcontractors in order to bring to the attention of the persons concerned the mandatory information provided by the GDPR. In addition, it notes that the telephone call scripts intended for the subcontractor […] did not contain any mention relating to the provision of any information relating to the protection of their personal data to the persons concerned.
41. In view of the above, the restricted committee considers that on the day of the inspection, the company did not comply with the provisions of articles 13 and 14 of the GDPR.
42. The restricted committee nevertheless notes that, since the audit, the company has complied with the requirements arising from articles 13 and 14 of the GDPR. In this regard, the restricted committee noted that the telephone service providers […] and […] effectively deliver information to people contacted by telephone concerning the identity of the data controller, the principle and the purpose of recording the data. conversation, the recipients of the recordings, their retention period, the existence of the rights available to the data subjects, as well as the possibility of obtaining additional information relating to the processing of personal data carried out by the company by consulting the “data protection” section of the AG2R website (in which the information notice dedicated to the processing operations carried out in connection with the recording of outgoing telephone calls is available).
43. Therefore, the restricted committee considers that the aforementioned facts constitute a breach of Articles 13 and 14 of the GDPR, but that the company has justified having brought itself into compliance by providing, on the closing date of the investigation, a complete information to people contacted by telephone within the meaning of the aforementioned provisions.
III. On corrective measures and their publicity
44. Under the terms of III of article 20 of the amended law of 6 January 1978:
“When the data controller or his subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Freedoms may also , if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a formal notice provided for in II, refer the matter to the restricted committee for the pronouncement, after contradictory procedure, one or more of the following measures: […]
2 ° An injunction to bring the processing into line with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to meet the requests presented by the data subject in order to exercise their rights, which may be accompanied, except in cases where the processing is implemented by the State, a penalty payment the amount of which may not exceed € 100,000 per day of delay from the date set by the restricted group; […]
7 ° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the worldwide annual turnover total for the previous financial year, whichever is higher. Under the assumptions mentioned in 5 and 6 of article 83 of regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same article 83. ”
45. Article 83 of the GDPR provides that “Each supervisory authority shall ensure that the administrative fines imposed under this article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive “, before specifying the elements to be taken into account in deciding whether to impose an administrative fine and in deciding the amount of this fine.
46. In the first place, the company argues that if a fine were to be imposed, the restricted committee should take account of the measures adopted in order to bring them into conformity. Regarding the retention periods of prospect data, the company emphasizes that corrective actions were quickly deployed in order to delete the data of prospects whose maximum retention period has been reached and that regular purges are now carried out. With regard to the retention periods for customer data, she recalls that the complexity of the information systems of the AG2R LA MONDIALE group has delayed the full and complete implementation of the legal retention periods, this being however in progress and already partially completed. During the restricted training session, the company indicated that it had invested in total […] for several years. In addition, the company emphasizes that the information delivered to people contacted by telephone now meets the requirements of Articles 13 and 14 of the GDPR. Finally, the company invites the restricted formation to take into account its full cooperation during the procedure and underlines a decrease in its turnover and its net profit.
47. The restricted committee recalls that it must take into account, for the imposition of an administrative fine and for the determination of its amount, the criteria specified in Article 83 of the GDPR, such as the nature, severity and duration of the breach, the measures taken by the controller to mitigate the damage suffered by the data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the breach.
48. In addition, the restricted panel recalls that insofar as the company is accused in this case of breaches of Articles 5-1-e), 13 and 14 of the Rules, the maximum amount of the fine that may be retained amounts to 20 million euros or 4% of annual worldwide turnover, whichever is greater.
49. The restricted committee considers first of all that the company has shown serious negligence with regard to the infringement of fundamental principles provided for by the GDPR, namely the principle of limitation of the retention period of data. and the obligation to inform data subjects of the processing of their personal data.
50. The restricted committee then notes that the breach relating to retention periods concerned a very large number of people, in particular the company’s customers. In fact, retention on an active basis for periods longer than the authorized legal periods, which may exceed thirty years, concerned the personal data of more than two million customers collected during the conclusion of insurance contracts.
51. The restricted committee also emphasizes that, among the customer data kept for excessive periods of time, there are sensitive data, bank details and information relating to the personal life of customers.
52. The restricted committee also notes that the compliance measures put in place following the inspection have not made it possible to fully remedy the breach relating to the retention periods of data as it concerns customers, which persists. still partially to this day. In any case, the compliance measures adopted do not exempt the company from its liability for the past.
53. In addition, the restricted committee considers that the investments made by the company to achieve the implementation of the retention periods defined in its information systems are not disproportionate in relation to its turnover, size of the group and the scope of the work to be carried out given the complexity of said information systems underlined by the company itself, which existed before the entry into force of the GDPR. The limited training considers that it is precisely the lack of anticipation that has contributed to failures in the implementation of the retention periods for the company’s customer data within its systems and, therefore, to the lack of compliance with the GDPR more than three years after its entry into force.
54. Finally, the restricted committee recalls that administrative fines must be dissuasive but proportionate. It considers in particular that the activity of the company and its financial situation must be taken into account in determining the sanction and in particular, in the event of an administrative fine, its amount. It notes in this regard that the company reports a decrease in its turnover, from 9.7 billion in 2019 to 9.3 billion in 2020, as in its net income, from 350 million in 2019 to 222 million in 2020. If the restricted team notes the net result has decreased quite significantly, it emphasizes that it remains largely positive. In view of these elements, the restricted committee considers that the pronouncement of a fine of 1,750,000 euros appears justified, in particular given the need to penalize breaches of elementary principles of the GDPR, committed by a major player in protection. social in France, concerning several million people and relating to data of a sensitive or particular nature, such as bank details.
55. Consequently, the restricted committee considers that it is necessary to pronounce an administrative fine of 1,750,000 euros with regard to the breaches of articles 5-1-e), 13 and 14 of the GDPR.
56. Secondly, an injunction to bring processing into line with the provisions of Articles 5-1-e), 13 and 14 of the GDPR was proposed by the rapporteur in her sanction report.
57. In defense, the company maintains that the actions it has taken with regard to all the breaches identified must lead to the rapporteur’s proposal for injunctions not being followed up.
58. Regarding the breach of the obligation to define and respect a retention period for personal data proportionate to the purpose of the processing pursuant to article 5-1-e) of the GDPR, the company indicates that it has undertaken many actions and have made the aforementioned substantial investments to achieve compliance on this point.
59. The restricted training notes, with regard to prospect data, that the company now implements the retention periods defined by the company in its guidelines, which are proportionate to the purposes pursued and moreover comply with the recommendations made by the CNIL. in the matter. With regard to customer data, the company testifies to having committed itself to a serious process of compliance. In this regard, the restricted committee notes moreover that the company documents having successfully completed a significant part of the implementation of these retention periods in these systems, only a residual part of the “Health and Safety” scope remaining to be covered as well. that the “Additional savings and retirement” scope, and that the company has undertaken to complete its compliance by December 31, 2022.
60. Regarding the failure to provide information to individuals pursuant to Articles 13 and 14 of the GDPR, the restricted committee takes note of the company’s compliance on this point. In fact, the company demonstrates that it has sent written instructions to its service providers so that full information is delivered to people contacted by telephone on its behalf, and that it has attached call scripts supplemented with mandatory information. In addition, listening to samples of telephone calls communicated by the company attests to the effective delivery of this information to the persons concerned. In addition, an information notice dedicated to this processing and containing additional information has been included in the privacy policy. The person is now systematically informed by the teleoperator, at the start of the telephone call, of the fact that he can read this notice by going to the AG2R website.
61. In view of the foregoing, the restricted panel considers that there is no longer any need to maintain the proposed injunctions.
62. Thirdly, the restricted committee considers that the publication of the sanction is justified in view of the fact that the breaches of the elementary principles of the GDPR identified in this case concern a major player in social and asset protection in France, which manages the personal data of millions of people. The restricted committee notes that in this context, the publication of the sanction makes it possible to inform the persons concerned of the nature and extent of these breaches.
FOR THESE REASONS
The restricted formation of the CNIL, after having deliberated, decides to:
– pronounce against SGAM AG2R LA MONDIALE an administrative fine in the amount of 1,750,000 (one million seven hundred and fifty-thousand) euros;
– make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name at the expiration of a period of one year from its publication.
This decision may be appealed against to the Council of State within two months of its notification.
