French shoe retailer Spartoo SAS has been found guilty of GDPR violations. The French regulator, the CNIL, has imposed a whopping £224,000 fine on the retailer for infringing the GDPR. EU supervisory authorities also took part in the investigation alongside the CNIL.
Located in France, Spartoo SAS is one of the leading brands within the European online shoe retail market. After the GDPR implementation, the French Data Protection Authority (the CNIL) launched an on-site investigation of Spartoo.
The CNIL issued its verdict on 28 July 2020, on the basis of not one, but four different infringements of the GDPR. Spartoo is expected to appeal the CNIL’s decision within two months.
The CNIL’s authority in this case derives from GDPR Article 56, under which the supervisory authority of the main or single establishment of a data controller is competent to act as the lead supervisory authority for the cross-border processing carried out by that controller.
Spartoo is based in France and operates 16 retail websites for customers in 13 EU Member States along with operations and sales in the UK.
The CNIL found that Spartoo was in violation of the following provisions of the GDPR:
- Data minimization under Article 5.1(c)
- Storage limitation under Article 5.1(e)
- Right to be informed (transparency) under Article 13
- Security of processing under Article 32
The fine was calculated on the basis of the financial information provided by the company. It is approximately 0.1% of Spartoo’s annual global turnover, which, like many other lenient fines, is well below the 4% maximum limit set by GDPR Article 83.
The factors that influenced the amount of the fine were:
- Most of the violations existed prior to the GDPR
- The high-risk nature of some data (in particular bank details)
- The number and severity of the infringements without a legitimate purpose or adequate information
- The number of data subjects impacted