Personal data

The French Data Protection Authority imposed on AG2R LA MONDIALE a 1.75 million euros fine for failing to comply with the obligations under the General Data Protection Regulation regarding data retention periods and information to be provided to individuals.

Two breaches were mainly highlighted: an excessive retention period for personal data and a lack of information provided to people during telemarketing calls by subcontractors.

On March 17, 2021, the European Commission presented a proposal for a regulation to create a digital green certificate to facilitate free movement within the European Union in the current context of the COVID-19 pandemic.

This contemplated digital tool was discussed in a joint opinion from the European Data Protection Board and the European Data Protection Supervisor dated March 31, 2021, published on April 6, 2021.

In an order dated March 12, 2021, the Conseil d’Etat (French Administrative Supreme Court) refused to suspend the partnership between the French State and Doctolib in the context of the COVID-19 vaccination campaign.

The plaintiffs had requested this suspension in summary proceedings, arguing that the safeguards provided by Amazon Web Services for data hosting were insufficient.

When visiting a website or using mobile apps, users must be informed and give their consent before cookies or other trackers are deposited or read, unless these trackers benefit from one of the exemptions provided for by law.

Following the publication of its guidelines and recommendation on October 1, 2020, the French Data Protection Authority has given until March 31, 2021 to bring websites and mobile apps into compliance with the new rules.

In a deliberation No. 2021-006 issued on January 19, 2021, the Commission Nationale de l’Informatique et des Libertés (French Data Protection Authority, hereinafter the “CNIL”) gave its opinion on a draft Decree aimed at strengthening the system for tracing the chains of COVID-19 transmission, known as the “Contact Covid” information system, as part of the French Government’s strategy to fight against the spread of the virus.

This article outlines the CNIL’s main observations and recommendations which aim at maintaining the protection of often sensitive personal data while the draft Decree foresees a considerable and substantial extension of the information collected.

Having received several complaints against the Carrefour group, the French Data Protection Authority carried out inspections between May and July 2019 at Carrefour France (mass retail sector) and Carrefour Banque (banking sector).

During these inspections, it found a number of breaches in the processing of customer and potential user data, and consequently imposed a 2,250,000 euros fine on Carrefour France and a 800,000 euros fine on Carrefour Banque. The breaches mainly concerned the information provided to individuals and the respect for the rights of such individuals.