On August 5, 2020, the CNIL (French Data Protection Authority) fined SPARTOO, an online shoe retailer, €250,000 (approximately $296,000) for failing to meet several obligations under the General Data Protection Regulation. Based on a CNIL inspection in May 2018 and an investigation launched in 2019, the agency imposed sanctions in cooperation with several other European authorities for the company’s breach of the principle of data minimization and breach of its obligation to limit the retention period of data, over allegations that the company created permanent recordings of full telephone calls with customer service that it used only for employee training, including calls that recorded customers’ bank information, with no set retention periods and no plan to regularly erase or archive the data. SPARTOO was also found to have breached the obligation to inform individuals, for allegedly publishing inconsistent information about its data privacy policy on its website and failing to tell its employees the reason the data was collected. In addition, the CNIL found that SPARTOO breached the obligation to ensure data security, for allegedly failing to require strong passwords to access the site and for storing unencrypted scans of bank cards.
The CNIL arrived at the €250,000 fine based on the number of breaches committed, the severity of the breach involving recorded calls containing customers’ bank data, and the number of people affected by the breaches, finding that the data of several thousand active customers, 3 million former customers and more than 25 million prospective customers were kept longer than necessary. In addition to the fine, SPARTOO was ordered by the CNIL to comply with the GDPR requirements within three months or risk accruing a penalty of 250 euros for each day of delay.