French supermarket giant Carrefour has been hit with €3m worth of GDPR fines after its financial division was found to be in violation of a number of consumer data privacy laws.
The GDPR fines were issued by France’s Commission Nationale de l’Informatique et des Libertés (CNIL), which said that Carrefour failed to meet the key requirements of the General Data Protection Regulation (GDPR) with a range of practices that were in violation of customers’ rights and industry best practices for information security.
The supermarket giant was hit with two separate GDPR fines, the first of which involved a €2.25 million penalty for its supermarket arm, while its financial division was hit with an €800,000 fine.
The fines were issued by French authorities after Carrefour was found to have been harvesting customer data for a prolonged period without notification or justification, inserting cookies on customers’ devices without notifications and failing to comply with customer requests to be removed from certain databases.
Teiss has broken down the offences into the following categories:
1. Failure to inform customers: CNIL noted that the carrefour.fr and carrefour-banque.fr sites did not provide clear and easy-to-understand instructions to customers wishing to join the loyalty programme or the Pass card, making it extremely difficult for customers to obtain accurate information about these programmes. The websites also did not provide sufficient information with regard to data transfers outside the European Union and the legal basis for processing customer data.
2. Policy on cookies: According to CNIL, the carrefour.fr and carrefour-banque.fr sites automatically placed advertising cookies on customers’ devices whenever they visited these sites without asking if they wanted to accept cookies in the first place. As per GDPR, websites are required to obtain clear and precise consent from visitors before placing cookies on their terminals.
3. Policy on Data Retention: CNIL noted that Carrefour France retained the data of more than 28 million customers who had been inactive for five to ten years and the carrefour.fr site also retained the data of 750,000 users who had been inactive for five to ten years.
CNIL said retaining the data of inactive customers for so long is excessive and exceeds what appears necessary in the field of mass distribution, given the consumption habits of customers who mainly make regular purchases.
4. Asking verified customers to furnish identity proof: Carrefour France asked customers to furnish identity proof whenever they wanted to exercise their rights even if there was no doubt as to the identity of the persons exercising their rights. The company also failed to process several requests for the exercise of rights within the time limits required by the GDPR.
5. Not responding to data requests: CNIL also found during its investigation of the Carrefour Group that Carrefour France did not respond to several requests from people wishing to access their personal data and in several cases, did not delete customers’ personal data when asked to do so. At the same time, the company failed to honour several requests from customers who did not wish to receive advertising by SMS or email.

This is, according to Cordery Compliance, in addition to the fact that Carrefour transferred data without being honest with its customers, in clear violation of the GDPR’s mandates for data protection.
CNIL said in a statement that “having received several complaints against the Carrefour group, the CNIL carried out checks between May and July 2019 with the companies Carrefour France (retail sector) and Carrefour Banque (banking sector). On this occasion, CNIL noted shortcomings in the processing of customer and potential user data. The President of the CNIL, therefore, decided to initiate a sanctioning procedure against these companies.”
“At the end of this procedure, the restricted committee – the CNIL body responsible for pronouncing sanctions – effectively considered that the companies had failed to meet several obligations under the GDPR.”
“It thus sanctioned the Carrefour France company with a fine of €2,250,000 and the Carrefour Banque company with a fine of €800,000. On the other hand, it does not issue an injunction when it noted that significant efforts had made it possible to bring all the shortcomings identified into compliance,” CNIL’s statement concluded.