The French Data Protection Authority fined Futura Internationale €500,000. The company is accused of infringing the GDPR in connection with telephone advertising campaigns.
The French data protection authority (the “Commission Nationale de l’Informatique et des Libertés” or “CNIL”) issued this fine on November 21, 2019. The organisation received a €500,000 penalty for a severe data breach in connection with cold-calling campaigns.
Futura Internationale was sanctioned for several reasons. For example, it failed to provide adequate information and did not act on opt-out requests from prospective clients.
Sources have also reported that it recorded excessive comments about clients. Moreover, the company had not put any protection in place for international transfers of data to call centres situated outside the EEA.
This infringement adds to the recent run of data breaches. The company cannot plead innocence in this case, because the GDPR’s essential provisions were introduced long ago.
Organisations are well aware of the regulations under the GDPR, and any company that has left its clients’ data vulnerable must be ready for massive penalties.
Back-to-back breaches indicate that the CNIL cannot expect enterprises to be demonstrating effective GDPR compliance measures.
Overview of Futura Internationale before a data breach
A complaint was made against Futura Internationale in February 2018. The company was persistently making calls regardless of repeated opt-out requests.
During its investigation, the CNIL found that requests from current and prospective clients had been ignored.
The authority noted that unsolicited marketing operations were continuing, along with many violations of the GDPR. In September 2018, the CNIL sent Futura Internationale a formal notice to take corrective measures.
In June 2019, a rapporteur produced a report on Futura Internationale’s offences and recommended sanctions.
In November 2019, the CNIL ascertained that the corrective measures required in 2018 remained unimplemented by the company.
Does the GDPR apply if a data breach or privacy rights violation began before it entered into application?
One fact that must not be overlooked is that the investigation into Futura Internationale’s unusual activities began before the GDPR became applicable.
Therefore, the CNIL referred to the case law of the European Court of Human Rights and the French Administrative Supreme Court on continuing violations. The CNIL established that the flood of infringements ceased in June 2019, because that is when the violation report was issued to the organisation.
Serious and Repeated Breaches of the Core Principles of the GDPR
As the CNIL dug deeper, it came across many facts about the offences.
It found that Futura Internationale, along with its subcontractors (African call centres), was involved in processing the health data of prospective clients. In addition, they made and recorded excessive comments about the clients.
Little by little, they moved further from the compliance route and ended up violating the GDPR’s minimisation principle.
Subsequently, the company made some statements in its own defence. It said that, as the investigation proceeded, it tried to fix the breach by informing call operators through a specific banner.
Even so, the CNIL considered this unacceptable and insufficient for the company to prove itself innocent.
Futura Internationale must design an automated process to prevent operators from recording certain terms in the database concerned.
Futura Internationale is now under strict orders to remedy the offences it committed under the GDPR. If it fails to properly redesign its processes and remedy the GDPR violations, it will pay a fine of €500 for each day of the data breach.
The fine (€500,000) imposed on the company represents 2.55 of its annual turnover. The CNIL states that the lack of a timely response and the nature, gravity, and duration of the violations are the factors that justified the fine.
Futura Internationale argued that it needed some time to familiarise itself with the framework of the GDPR. But the authority rebuffed the statement, as the company had breached GDPR obligations that already existed beforehand.
The enterprise tried to convince the CNIL to reduce the fine as its turnover had decreased by €7 million between 2017 and 2018.
But once again, the CNIL rejected the argument. The authority deemed that Futura Internationale is a mid-sized company that has encountered ups and downs in revenue several times.
The company presented only unconvincing arguments. According to the CNIL, the amount of the fine is appropriate and will reduce future misconduct.