Due to various breaches of the General Data Protection Regulation (GDPR), the French data protection supervisory authority (CNIL) has imposed a fine of 600,000 Euros on pay-TV provider Groupe Canal+. In addition to numerous internal errors, the company also stumbled across serious shortcomings on the part of its data processors.
Background to the fine
Between November 2019 and January 2021, the CNIL received around 31 complaints against Groupe Canal+, a company that provides TV channels and distributes paid television services. The complaints related to difficulties encountered by data subjects in effectively enforcing their rights under the GDPR.
Prompted by the complaints, the CNIL opened an investigation and concluded that the company had violated several obligations under the GDPR and the French Postal and Electronic Communications Code (CPCE), the latter specifying how marketing communications may be sent in France. A fine of 600,000 Euros was ultimately imposed on Groupe Canal+.
In its decision of 12 October 2023, the CNIL held the following violations had been found:
- Violation of the conditions for consent (Art. 7 GDPR),
- Non-compliance with information obligations (Art. 13 and 14 GDPR),
- Non-compliance with the rights of data subjects (Art. 12 and 15 GDPR),
- Inadequate data processing agreement (Art. 28 (3) GDPR),
- Failure to ensure the security of personal data (Art. 32 GDPR) and
- Failure to report data breaches to the authority (Art. 33 GDPR).
The amount of the fine was determined taking into account the offences identified, the company's cooperation and all measures taken during the proceedings to remedy the alleged offences.
Assessment of the company's violations:
Violation of the conditions for consent (Art. 7 GDPR)
Groupe Canal+ regularly carries out advertising campaigns. However, the company was unable to prove that it had obtained the necessary consent from the data subjects in advance. As part of the investigation, the company provided the CNIL with two templates for standard forms for collecting data from interested parties, provided by the business partners from whom the data is collected. Neither the collection forms nor the links contained the information that Groupe Canal+ was the recipient of the data.
The CNIL found that up to four million prospective customers whose data had been collected by the service provider were advertised to electronically. For none of these leads was the company able to provide proof that valid, informed consent had been obtained, either by the service providers or by Groupe Canal+ itself. The company countered that the service provider was responsible for obtaining consent and that it had no control over the consent forms used, arguing that the service provider acted in the capacity of an independent controller.
According to Art. 7 (1) GDPR, "where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data". Since Groupe Canal+ could not demonstrate this, informed and valid consent was held not to have been given. In addition, the measures Groupe Canal+ had agreed with its data suppliers proved insufficient to ensure that the individuals' consent was valid before the data was collected.
Non-compliance with information obligations (Art. 13 and 14 GDPR) and non-compliance with data subject rights (Art. 12 and 15 GDPR)
The checks carried out by the CNIL revealed additional violations:
- Failure to inform data subjects when creating a MyCanal account: The privacy policy referred to in the registration form when creating an account was inaccurate with regard to retention periods and therefore violated Art. 13 GDPR.
- Violation of the obligation to inform data subjects during telephone canvassing: The company’s service provider responsible for telephone canvassing did not systematically provide all the information required by the GDPR.
- Failure to fulfil obligations in connection with the exercise of data subject rights (Art. 12 GDPR): In particular, the company failed to respond within the statutory period of one month.
- Failure to comply with the right of access (Art. 15 GDPR): The company did not respond to some requests and thus violated the data subject’s right of access.
The information obligations under Art. 13 and 14 GDPR are among the most important provisions of data protection law. Controllers should therefore always ensure that data subjects are informed in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
In this context, attention must be paid to the regular monitoring of processors. Within the framework of the contractual relationship, the client remains responsible for the data processing and must ensure that the requirements of the GDPR are complied with as part of its accountability obligations. If you (like Groupe Canal+) use service providers for telephone canvassing, you must ensure in particular that the data subjects are adequately informed by the service provider.
Insufficient data processing agreements (Art. 28 (3) GDPR)
The CNIL also found that various data processing agreements did not fulfil the requirements of Art. 28 (3) GDPR. In particular, contracts were found that had been concluded before the GDPR came into force and had not been updated since then in order to fulfil the requirements of the GDPR.
The company argued that the contract in question had already been terminated in 2016 and that the contract with the new service provider covered the missing content in a supplementary agreement. The CNIL accepted these arguments and concluded that there was no breach with regard to this specific contractual relationship. In the course of the investigation, however, the CNIL found violations in relation to other data processing agreements that either did not fulfil the requirements of Art. 28 GDPR or had not been signed and were therefore not valid.
Even though the GDPR has been applicable since 2018, many companies still have outdated contracts (especially those concluded before the GDPR), which is also an indication of a lack of regular checks on processors.
Failure to ensure the security of personal data (Art. 32 GDPR)
The CNIL found a further breach in the storage of employees' passwords for an application used in the company. The passwords were stored as hashes computed with the Message-Digest Algorithm 4 (MD4), which was already considered outdated and not robust enough to guarantee confidentiality at the time of the CNIL's findings: MD4 is a fast general-purpose digest with known collision attacks, not a password hashing function with a per-user salt and a tunable work factor. Although the CNIL found other measures that ensured the security of the data and corresponded to the state of the art, it maintained that the use of MD4 constituted a violation of Art. 32 GDPR.
This makes it clear that technical aspects must not be neglected in the context of the GDPR. The GDPR repeatedly refers to the state of the art, which shows how important it is for controllers to keep an eye on technical developments so that they can take measures against new risks or adapt existing measures where necessary.
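The following is an added illustration, not code from the CNIL decision or from Groupe Canal+, of how a legacy password store of the kind criticised above can be brought to the state of the art without a forced reset: legacy "md4$" records are still accepted at login but are immediately replaced by a salted, memory-hard scrypt record. The record formats, the user store and the sample credentials are constructed assumptions; the MD4 routine is a reference implementation included only so the legacy path runs offline.

```python
import hashlib, hmac, os, struct

# Reference MD4 (RFC 1320), kept only to verify legacy records offline (OpenSSL 3
# often ships MD4 disabled). Unsalted and fast: never use it for new hashes.
def md4(data: bytes) -> bytes:
    mask = 0xFFFFFFFF
    rotl = lambda x, s: ((x << s) | (x >> (32 - s))) & mask
    rounds = (
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), range(16)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

# Current scheme: per-user salt plus memory-hard scrypt; record "scrypt$<salt>$<key>".
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)

def hash_password(password: str, salt: bytes = None) -> str:
    salt = salt or os.urandom(16)
    return "scrypt$%s$%s" % (salt.hex(), hashlib.scrypt(password.encode(), salt=salt, **SCRYPT).hex())

def verify_password(password: str, record: str) -> bool:
    scheme, *parts = record.split("$")
    if scheme == "scrypt":
        key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(parts[0]), **SCRYPT)
        return hmac.compare_digest(key.hex(), parts[1])
    if scheme == "md4":  # legacy record "md4$<hex digest>", no salt (assumed format)
        return hmac.compare_digest(md4(password.encode()).hex(), parts[0])
    return False

def login_and_upgrade(store: dict, user: str, password: str) -> bool:
    # Check the login; on success, replace a legacy MD4 record with scrypt in place.
    record = store.get(user)
    if record is None or not verify_password(password, record):
        return False
    if not record.startswith("scrypt$"):
        store[user] = hash_password(password)
    return True
```

Counting the records in the store that do not start with "scrypt$" gives a simple migration metric to report on until no legacy hashes remain.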
Failure to report a data breach to the authority (Art. 33 GDPR)
It was discovered that Groupe Canal+ had become aware on 5 February 2020 of a data breach within its own area of responsibility: after an update to the customer area, subscribers were able to access other subscribers' information. Despite the high number of data subjects affected and the sensitivity of the data (which, according to the CNIL, is why a risk to the rights and freedoms of data subjects had to be assumed), the company did not notify the CNIL as the competent supervisory authority. This constitutes a violation of Art. 33 GDPR.
The company argued that it had followed the guidelines of the European Data Protection Board and the European Union Agency for Cybersecurity and saw no need for a notification because of the limited sensitivity of the data and the short duration of the incident; it pointed out that the data had only been accessible to seven users. The CNIL rejected this argument, holding that the number of affected individuals, 10,154, was significant and that their privacy had been breached. The company should therefore have notified the CNIL of the data breach, and the CNIL concluded that Art. 33 GDPR had been violated.
The high fine imposed by the data protection authority emphasises the importance of a precise risk analysis. In particular, it makes it clear that failure to report a data breach is considered a serious offence.
The data protection officer should therefore be informed of every data breach and carry out a risk analysis. This allows the severity of the personal data breach and the associated risks to the rights and freedoms of data subjects to be assessed in each individual case, and the necessary measures to be identified. A functioning process is particularly important here in order to meet the notification deadline of 72 hours from becoming aware of the breach.
Conclusion
The fine of 600,000 Euros imposed on Groupe Canal+ underlines how seriously the supervisory authorities take violations of the GDPR.
Companies should see this case as a warning and ensure that their data protection measures comply with legal requirements, are regularly reviewed and include technical and organisational measures to protect data in addition to legal measures. Successful data protection management is of great importance here and crucial to minimising risks and maintaining customer confidence in the security of their personal data.
The Groupe Canal+ case also shows that the monitoring of all these measures does not end at the boundaries of the company itself – but includes suppliers and data processors.