France
SGAM AG2R LA MONDIALE
GDPR enforcement action by French Data Protection Authority (CNIL) on 2021-07-20.
Case details
- Authority
- French Data Protection Authority (CNIL)
- Date
- 2021-07-20
- Controller / Processor
- SGAM AG2R LA MONDIALE
- Sector
- Finance, Insurance and Consulting
- Quoted Articles
- Art. 5 (1) e) GDPR, Art. 13 GDPR, Art. 14 GDPR
- Type of violation
- Non-compliance with general data processing principles
Summary
The French DPA (CNIL) has fined private insurer SGAM AG2R LA MONDIALE EUR 1,750,000.
The CNIL had carried out an inspection at the AG2R LA MONDIALE group in 2019.
On this occasion, the CNIL found that the controller kept the data of millions of individuals for an excessive period of time and did not comply with their information obligations in the context of telephone canvassing campaigns.
With regard to the data of prospects, the controller did not comply with the maximum retention period of three years defined in the reference framework and in the Group's processing register. As a result, the controller retained the data of nearly 2,000 customers who had not been in contact with the controller for more than three years, and in some cases five years.
In relation to customer data, the controller did not comply with the maximum statutory retention periods stipulated in the Insurance Code and the Commercial Code. In this case, the controller retained the data of more than 2 million customers, some of which were sensitive (health) or specific (banking data), beyond the legally permitted retention periods after the end of the contract.
Related fines