The French data protection authority, the CNIL, has imposed a €500,000 penalty on Futura Internationale for breaching the EU General Data Protection Regulation (GDPR) in some of the cold-calling campaigns it conducted.
The CNIL found that Futura Internationale did not supply enough information to web browsers, failed to process current and clients’ opt-out requests, and captured comments about them. The French authority also ruled that Futura Internationale did not supply enough security measures to allow the international transfer of data to call centers located outside the European Union. While this enforcement action is not a surprise, as it is linked to breaches of crucial provisions of the GDPR, it reveals a lot about the CNIL’s expectation that companies implement and demonstrate effective measures to comply with the GDPR.
By taking this decision, the CNIL has shown that documentary compliance is not enough for GDPR compliance to be in place. In other words, companies conducting cold-calling marketing campaigns must:
- Permit people to effectively exercise their rights under the GDPR, including the right to opt out of direct marketing, and put processes in place to ensure that such objections are automatically put into effect.
- Provide any third-party operators with concise instructions on what information they must supply to consumers and which comments they may save, and put in place appropriate automated processes to stop the capture of certain excessive terms in their client relations database.
- Establish appropriate safeguards for the transfer of personal data to any data centers that are outside the EU, such as entering into standard contractual clauses.
The CNIL’s decision was also meant to try to prevent similar future breaches and to send the following message to companies, regardless of their size and revenue stream:
- When provided with a formal notice by the CNIL to stop certain breaches of the GDPR, businesses should comply promptly to avoid a finding of an ongoing infringement.
- Businesses must cooperate with the CNIL in order to avoid the potential fine and avoid being found in breach of the GDPR.
- A drop in a company’s turnover will not necessarily be taken into account in the penalty calculation if profits remain in the same order of magnitude.