France

COSMOSPACE

250,000 €

GDPR enforcement action by French Data Protection Authority (CNIL) on 2024-09-26.

Rank · Sector

#76

of 366 in Media, Telecoms and Broadcasting

Rank · France

#42

of 74

Rank · All fines

#319

of 3,042

Case details

Authority: French Data Protection Authority (CNIL)
Date: 2024-09-26
Controller / Processor: COSMOSPACE
Sector: Media, Telecoms and Broadcasting
Quoted Articles: Art. 5 (1) c), e) GDPR, Art. 9 GDPR
Type of violation: Non-compliance with general data processing principles

Summary

The French DPA imposed a fine of EUR 250,000 on COSMOSPACE. The controller is a company that offers personalized clairvoyance consultations by telephone. As part of its services, the controller regularly processed multiple categories of sensitive data (Art. 9 GDPR) without obtaining prior consent. The controller also stored customer data for six years after the end of the business relationship for marketing purposes. According to the French DPA, a maximum of three years would have been admissible. This resulted in a fine of EUR 200,000. The fine was increased by EUR 50,000 because the processor also infringed the French Post and Electronic Communications Code.

Open original source Links to the regulator's original publication or another source.