Published on 9 September 2021 by Laure Marolleau

French Data Protection Authority imposes a 1.75 million fine on AG2R LA MONDIALE

The French Data Protection Authority (Commission nationale de l’informatique et des libertés or “CNIL”) imposed on AG2R LA MONDIALE a 1.75 million euros fine for failing to comply with the obligations under the General Data Protection Regulation (“GDPR”) regarding data retention periods and information to be provided to individuals.

Two breaches were mainly highlighted: an excessive retention period for personal data and a lack of information provided to people during telemarketing calls by subcontractors.

All started in 2019 when the CNIL carried out an inspection on AG2R LA MONDIALE group to verify the compliance of the processing operations implemented as part of its task to manage the supplementary pensions of private sector employees and its insurance activity.

The inspection focused on the processing of personal data of the group’s customers and prospects. The checks carried out concerned in particular the personal data retention period and the information provided to data subjects concerning the processing carried out by SGAM AG2R LA MONDIALE which is responsible for coordinating the group’s provident, long-term care, health, savings and supplementary pension insurance activities.

Based on the elements that had been gathered, the CNIL considered that the company had failed to comply with two fundamental obligations under the GDPR, i.e., the obligation to limit the data retention period and the obligation to provide information to individuals. It, therefore, imposed a 1,750,000 euros fine and decided to make its decision public.

Excessive data retention periods (Article 5-1-e of the GDPR)

The CNIL noted that while the company had, as of the day of the inspection, a reference framework for the retention periods of its customers’ and prospects’ data, this framework was not implemented within its information systems.

Regarding the prospects

During the inspection, the CNIL noted the presence, in the active database, of the personal data of 1,917 prospects who had not had any contact with the company for more than three years, including 1,405 prospects who had not had any contact with the company for more than five years, without the company being able to justify the need to apply retention periods in excess of the maximum period of three years that it had itself set.

For the CNIL, the three-year retention period constitutes a proportionate retention period that complies with the recommendations made in the context of simplified standard No. NS-056 (deliberation No. 2013-213 of July 11, 2013) concerning the automated processing of data relating to the commercial management of customers and prospects implemented by insurance, capitalization, reinsurance and assistance organizations and by insurance intermediaries.

The CNIL specified in this regard that even though the simplified standards no longer have any legal value since the GDPR came into force on May 25, 2018, they still constitute a benchmark for data processors, enabling them to ensure compliance.

Regarding the customers

While the retention periods for customer data in insurance matters must allow compliance with the legal deadlines provided for, in particular, by the French Insurance Code and Commercial Code, the CNIL has nevertheless noted in practice the retention in the active database of personal data of a large number of customers, after the end of the insurance contract, for periods longer than those set by applicable legal provisions.

The stored data related, in particular, to identity, personal, professional and bank details, personal and professional life details, insurance details and, for certain contracts, health details of individuals:

  • the data of thousands of customers holding fire, accident and miscellaneous risk insurance contracts, which may be kept for a period between two years after the end of the contract (Article L. 114-1 of the French Insurance Code setting out the limitation periods for legal actions deriving from insurance contracts, no other purpose having been specified by the company to justify keeping the data after the expiry of the contracts) and ten years for certain accounting documents (Article L. 123-22 of the French Commercial Code), were kept for periods exceeding ten years and in some cases for more than thirty years.
  • the personal data of nearly one hundred thousand clients holding savings, asset savings, supplementary retirement, funeral and provident policies, which may be kept for variable periods of up to thirty years after the termination of the policy for the purpose of managing potential disputes (Last paragraph of Article L. 114-1 of the French Insurance Code), were kept for a longer period. In addition, no other purpose was specified to justify processing after the contract.
  • the personal data of more than two million customers, collected in the context of health insurance contracts, were kept for periods exceeding the legal period of five years following the termination of the contract (a period based on that provided for under Article 2224 of the French Civil Code and which was included in the company’s reference framework). For 1.3 million customers with a health insurance contract, the retention period exceeded ten years, and for thousands of customers, thirty years.

From an organizational point of view, the CNIL noted the absence of an archiving mechanism that would allow customer data to be kept for accounting, tax or litigation purposes within the maximum applicable limitation periods, either by transferring them to a dedicated archive or by putting in place access restrictions to ensure that they could only be consulted by specially designated persons having an interest in knowing such data as part of their professional duties (for example, the litigation department).

Lack of information provided to people during telemarketing calls (Articles 13 and 14 of the GDPR)

Articles 13 and 14 (Article 14 concerns the situation where personal data are not collected directly from the data subject) of the GDPR require the data controller to provide the data subject with various information relating in particular to the identity and contact details of the data controller, the purposes of the processing carried out, its legal basis, the recipients or categories of recipients of the data, the fact that the data controller intends to transfer the data to a third country, etc.

During the inspection, the CNIL noted that SGAM AG2R LA MONDIALE entrusted its subcontractors with some of telemarketing call operations carried out among its customers and prospects. Call scripts were established by the company or its subsidiaries. 30% of the outgoing telephone conversations made by its two subcontractors were recorded in order to improve the quality of the service of SGAM AG2R LA MONDIALE.

The listening of a sample of the last fifty telephone calls made by these two subcontractors allowed the CNIL to note:

  • the failure to inform the contacted persons of the very principle of the call recording or of their right to object to it;
  • the failure to provide information, even in summary form, concerning the processing of their personal data or the other rights they have with regard to their data;
  • the failure to provide information on the possibility of obtaining more complete information on the protection of their personal data, for example by sending an e-mail or by pressing a button on their phone keypad.