Commercial prospecting is undoubtedly one of the risk areas of the GDPR, where it is important to be rigorous to ensure compliance with the law. A company has just learned this the hard way, as the CNIL has recently issued a fine of €500,000 for non-compliance with the GDPR rules. It is worth noting that the company in question made about €500,000 in profits (in 2018), so the fine imposed by the CNIL will a priori absorb the entire profits of the company for the year 2019.
Let’s review the facts before discussing the points of non-compliance and the actions the company could have taken to avoid such a sanction. Note that our goal is not to point fingers but to enable other companies to learn from this case.
The Facts
The case is interesting - although quite typical for anyone familiar with GDPR compliance: a company decides to conduct commercial prospecting by phone to sell its services (here, building insulation). To do this, it uses call centers based in North Africa. These subcontractors call prospects en masse but fail to record their objections to telemarketing. Inevitably, this triggers a complaint from a person who is subject to repeated telemarketing despite their objection (and the sending of a registered letter).
The CNIL then initiates an on-site inspection, which reveals a series of infractions:
- Numerous complaints from people being approached despite their objection
- Excessive comments about the company’s clients - insults or remarks about their health status - in free text fields
- Recording of telephone conversations without the knowledge of the called individuals and without prior information
Following the inspection, the CNIL issued a formal notice to the company to comply, but the latter did not deem it necessary to follow the Commission’s instructions. This proved to be a poor decision, as a sanction procedure was then initiated and carried through to completion.
There are four breaches here that are interesting to analyze and comment on.
Error 1: Non-Compliance with Individuals’ Opposition
The decision highlights the importance of respecting individuals’ rights in risk-related processing. Commercial prospecting in B2C is generally perceived as a nuisance by individuals and, as such, must be strictly regulated from a legal perspective.
Here, we see that the company had not established GDPR compliance processes: a person who opposed commercial solicitation should not have been called again if these processes were in place. In fact, the lack of process in this type of treatment will inevitably generate litigation, because if the company grows, it is only a matter of time before someone takes offense and contacts the CNIL.
The actions the company should have taken were as follows:
- Ensure the existence of an opposition list.
- Conduct tests to verify the effectiveness of the list.
- Create fake profiles in its database that refer to internal personnel responsible for GDPR compliance, to ensure that in case of process failure, the flaw is quickly detected.
Error 2: Collecting Excessive Data
Free text fields - particularly in CRM software - pose structural problems, as they allow operators who are in contact with the public to enter data without any limit. This generally results in the entry of excessive data, which is a disaster from a GDPR perspective. In fact, the issue is so significant that the CNIL systematically checks for the existence of free text fields during inspections and has developed internal software to detect excessive data.
It is legally possible to implement a free text field in software, but it is necessary to ensure that the subsequent data entered are adequate and relevant to the purposes in order to comply with Article 5 of the regulation. This implies a range of material measures ranging from the awareness of data entry operators to the regular extraction and verification of data.
The compliance actions for the company were as follows:
- Remove free text fields from the CRM software.
- Train a GDPR officer to ensure the regular compliance of entered data.
Error 3: Transfers of Personal Data Outside the EU
Companies often think they are saving money by outsourcing commercial solicitation services to French-speaking countries outside the European Union - until the costs related to GDPR compliance are discussed.
Outsourcing outside the EU is possible, but it is often very costly to implement due to the complexity of the GDPR (note that the case of major Cloud operators, such as AWS, Google, or Microsoft, are special cases in this regard).
It is indeed necessary to both validate the legal framework of the transfer and also to visit the site to ensure the respect of GDPR obligations by the subcontractor on all implemented tools. For a process as risky as commercial prospecting, one should seriously consider the overall costs of such an operation and the risks of sanctions / damage to the company’s brand image before embarking on such an operation.
The compliance actions for the company were as follows:
- Perform a real cost calculation for GDPR compliance of the call center and integrate the hidden costs of GDPR compliance.
- If necessary, repatriate activities within the EU.
Error 4: Failure to Cooperate with the CNIL
While it was possible to gain the favor of the CNIL before the entry into force of the GDPR by cooperating with it in case of discovering an infraction, the margin for maneuver is now almost nil (see Art. 83).
In case of an inspection, it is therefore essential to ensure that all points raised by the CNIL are managed and addressed by GDPR compliance professionals. With sanctions exceeding 10 million euros for SMEs and 2% of the global turnover for groups, it is not possible to manage a formal notice - which will probably lead to a sanction - without responding to all of the Commission’s observations.
Here, the company could probably have reduced its sanction to €250,000 if it had implemented adequate means to respond to each point raised by the Commission. But apparently, this was not the choice it made.
If you are subject to a formal notice, or an inspection, surround yourself with experts who have at least 10 years of experience in these matters!
Témoignages
"Legiscope nous permet d'économiser plus de 500 heures de travail de conformité par an ! C'est plus de 3 mois temps plein !"
— Sylvain GraveronHow to get a valid consent under the GDPR
Implementing Privacy By Design (GDPR)
What is GDPR ?
Does GDPR Apply to Companies Outside of the European Union?
What is a Data Processor?
What is personal data ?
How to Conduct the Triple Test to Assess the Legitimate Interests of the Data Controller (GDPR)
Article 28 of the GDPR: Obligations, Enforcement, and Compliance Strategies
Role and missions of the Data Privacy Officer (GDPR)
The Principle of Data Minimization in the GDPR
What is the Principle of Accountability?
Comprehensive GDPR Audit Guide for Ensuring Compliance
DPO or compliance officer ?
Comprehensive GDPR Data Storage Compliance Guide 2024
Tutorial: how to get a valid GDPR consent