CNIL imposes €1.75M fine on AG2R La Mondiale for violations of right to be informed and storage limitation principle
The French data protection authority (‘CNIL’) published, on 22 July 2021, its decision of 20 July 2021, whereby its Restricted Committee imposed a fine of €1.75 million on AG2R La Mondiale, a mutual insurance group company, for violations of Articles 5(1)(e), 13, and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’), following an audit carried out in 2019. In particular, the decision outlines that AG2R La Mondiale had stored the data belonging to millions of prospective and current clients for an excessive period as it had not complied with the required time periods.
Regarding the personal data of prospective clients, CNIL found that AG2R La Mondiale did not respect the maximum retention period of three years stated in CNIL’s standard on data retention periods, and as such, the data of 2,000 individuals who had not been in contact with AG2R La Mondiale for over three years had been stored. Regarding the personal data of clients, CNIL found that AG2R La Mondiale did not respect the statutory maximum retention period stated in the Insurance Code and the Commercial Code, and had stored personal data such as health data and banking details of two million individuals beyond the necessary period.
Regarding the right to be informed, CNIL clarified that the information provided to data subjects during telemarketing calls by third parties, on behalf of AG2R La Mondiale, did not comply with Articles 13 and 14 of the GDPR as the processor failed to inform data subjects of the recording of their personal data, the existence of the right to object, or generally regarding the processing of their personal data or their rights as data subjects.
Lastly, CNIL noted that AG2R La Mondiale had since taken steps to comply with the GDPR.