CNIL reminds us of a few basic principles…

Avocats, Conseils en réseaux

On 12 October 2023, the French Data Protection Authority (Commission nationale de l’informatique et des libertés, CNIL) imposed a (very) heavy fine of €600,000 on CANAL+ after identifying a series of breaches of the GDPR (RGPD in French).

What should we learn from this CNIL sanction and what lessons can we draw from it?

  • Prospecting without proof is worthless!

Because the company was unable to prove that it had validly collected individuals’ consent to receive commercial prospecting (direct marketing), the CNIL sanctioned it for prospecting without consent. Simple. Effective. And formidable.

Moral: once again, proof is what protects you. Under the GDPR the burden is on the controller to demonstrate that consent was given (Article 7(1)), so obtaining consent is not enough: you must also record and keep evidence of it (who consented, to what, when and how).

  • “It’s not me, it’s him!”

The CNIL also noted that the data collection forms used by CANAL+’s service providers did not state who would receive the data. Consent given without that information is not informed, and therefore not valid, so the CNIL found the company in breach of its obligation to obtain the data subject’s consent.

Moral: it is strongly recommended, not to say imperative, to agree with your service providers on the information to be given to individuals (including the identity of the recipients of their data) before any processing operation goes live; as this decision shows, the company on whose behalf consent is collected is the one that answers for it.

  • For the best and for a limited time

The Commission found that the company’s privacy policy was too imprecise on data retention periods and concluded that individuals had not been properly informed when they created their accounts (the information obligation of Article 13 GDPR).

Conclusion: take care with your privacy policy, and pay particular attention to what it says about retention periods: for each category of data, state how long it is kept or, failing that, the criteria used to determine that period (Article 13(2)(a)).

  • Allo? Allooooo?

The CNIL also noted that the company had failed to respond to several requests from people wishing to exercise their right of access, or had replied after the one-month deadline set by the Regulation.

Lesson learned: the mailbox set up for people to exercise their rights must be checked regularly, and each request must be dealt with promptly and, in any event, within the one-month time limit laid down by the Regulation (Article 12(3)). That period may be extended by two further months for complex or numerous requests, but only if the requester is told of the extension, and the reasons for it, within the first month.

  • On your marks, get set, contract, go!

The European regulation requires a written contract with each of your personal data processors, containing the mandatory clauses listed in Article 28(3): the subject matter and duration of the processing, its nature and purpose, the types of data and categories of data subjects, and the processor’s obligations (instructions, confidentiality, security, sub-processing, assistance, deletion or return of the data, audits).

In the case of CANAL+, the CNIL found that the contract did not contain all of the required clauses. The company was sanctioned on this point too.

Moral: before setting up any processing operation, check who your service provider is and what it will do with the data; if it falls within the definition of a personal data processor, make sure you sign a contract with it that contains every required clause.

  • Don’t bury your problems!

Faced with a data breach, it can be tempting to keep a low profile so that the difficulties do not come to light. The GDPR, however, requires every breach to be documented internally (Article 33(5)), to be notified to the CNIL unless it is unlikely to result in a risk to individuals (Article 33), and, where the risk is high, to be communicated to the data subjects themselves (Article 34). The CNIL thus found that CANAL+ had failed in its obligation to notify a data breach: for a period of 5 hours the data of certain subscribers had been accessible to others, and the company had not notified the Commission.

Tip: your first reaction to a data breach will rightly be to stop it and take every measure to limit its consequences, but you must also assess the situation quickly enough to make the required notifications. The Regulation gives you (only) 72 hours from becoming aware of the breach to notify the CNIL, and a notification made after that deadline must explain the reasons for the delay.


Our law firm

From the creation of a network to its development, through the prevention of litigation or even training, our expert lawyers in distribution law support brands of all sizes.
