France France

Carrefour Banque

800,000 €

GDPR enforcement action by French Data Protection Authority (CNIL) on 2020-11-18.

Rank · Sector
#36
of 321 in Finance, Insurance and Consulting
Rank · France
#24
of 73
Rank · All fines
#194
of 3,039

Case details

Authority
French Data Protection Authority (CNIL)
Date
2020-11-18
Controller / Processor
Carrefour Banque
Sector
Finance, Insurance and Consulting
Quoted Articles
Art. 5 GDPR
Type of violation
Non-compliance with general data processing principles

Summary

The French DPA (CNIL) imposed a fine on Carrefour Banque for violation of its obligation to process data fairly (Article 5 (1) GDPR).
If a person who subscribed to the Pass card (a credit card that can be attached to a loyalty account) also wanted to participate in the loyalty program, he or she had to tick a box in which he or she agreed to Carrefour Banque sending his or her surname, first name and e-mail address to "Carrefour fidélité". Carrefour Banque expressly indicated that no further data would be transmitted. However, the CNIL noted that other data such as postal address, telephone number and the number of children had been transmitted, although the company undertook not to transmit any further data.

Open original source Links to the regulator's original publication or another source.

Related fines

France
France
2025-09-01
200,000,000 €
ETid-2862
GOOGLE LLC
Media, Telecoms and Broadcasting
France
France
2025-09-01
150,000,000 €
ETid-2864
INFINITE STYLES SERVICES CO. LIMITED
Industry and Commerce
France
France
2025-09-01
125,000,000 €
ETid-2863
GOOGLE IRELAND LIMITED
Media, Telecoms and Broadcasting
France
France
2021-12-31
90,000,000 €
ETid-978
Google LLC
Media, Telecoms and Broadcasting
France
France
2021-12-31
60,000,000 €
ETid-979
Google Ireland Ltd.
Media, Telecoms and Broadcasting
France
France
2021-12-31
60,000,000 €
ETid-980
Facebook Ireland Ltd.
Media, Telecoms and Broadcasting
Back to all fines