BRICO PRIVÉ

Description

The French DPA (CNIL) has imposed a fine of EUR 500,000 on BRICO PRIVÉ. CNIL conducted three inspections at BRICO PRIVÉ between 2018 and 2021 and identified several deficiencies in the processing of personal data of prospects and customers. The controller, for example, had not complied with the data retention periods it had established. In this regard the data of more than 16,000 customers who had not placed an order in the last five years had been retained. The same applied to more than 130,000 people who had not logged into their customer accounts for five years. In addition, the controller violated its information obligations under Art. 13 GDPR. Furthermore, the controller failed to fulfill its obligation to fully comply with the deletion requests received. The CNIL also found that the controller did not implement sufficient technical and organizational measures to ensure information security. Thus, for example, the controller did not require the use of a secure password during the process of opening an account the company´s website or when employees accessed the customer relationship management software. The fine is composed proportionately of EUR 300,000 for violations of Art. 5(1) e) GDPR, Art. 13 GDPR, Art. 17 GDPR and Art. 32 GDPR and EUR 200,000 for violations of Art. 82 Loi informatique et libertés and Art. L. 34-5 CPCE.