On 31 December 2020, the French DPA (“CNIL”) announced a fine of EUR 7,300 was imposed against a company in the advertising sector for sending prospecting emails without being able to demonstrate obtaining valid consent of data subjects. The CNIL found that the said company failed to comply with data minimization and storage limitation principles, the data subjects’ right to object to the processing activities, as well as the obligation to properly inform the data subjects. Furthermore, the CNIL concluded that Article 28 of the GDPR was also breached due to the absence of mandatory clauses in the contract concluded between the company and its hosting provider.
On 5 January 2021, the CNIL announced another fine of EUR 20.000 against a controller in the food service sector for sending prospecting emails to approximately 653.000 recipients without obtaining their prior consent. In addition, the CNIL found the said controller in violation of the data subjects’ right of access, as well as the obligations to properly inform them and to implement technical and organizational measures to ensure an appropriate level of security.
The full press releases for the two fines are available here and here (both only in French).