You know the old joke about the fortune teller whose office is closed due to unforeseen circumstances… well it has become real in France where the French data protection authority (CNIL) has found two companies providing remote clairvoyance services, in breach of the GDPR. They didn’t see that coming!
Why happened? CNIL found one of the two companies, Cosmospace, in breach of its Art 5(1)(c) GDPR obligation to minimise personal data collection and processing. CNIL found that Cosmospace systematically recorded all calls made between clairvoyants, customers, and switchboard operators. Cosmospace justified the recordings as being necessary to monitor the service quality. They hadn’t foreseen CNIL rejecting this assertion and responding that this purpose could only justify uncomplete and unsystematic recordings.
What GDPR rules were broken? CNIL found that both companies exceeded the Arti 5(1)(e) GDPR recommended retention period, which is limited to three years. Both companies retained their customers' data for six years from the end of the contractual relationship, for commercial prospection purposes.
CNIL also found that Telemaque and Cosmospace failed to comply with Article 9 GDPR (obligation to obtain prior consent from individuals to process special categories of data), as well as infringing Art L.34-5 of the French Postal and Electronic Communications Code, as they shared a common database and the data subjects were not informed that the database was shared and had not did not consented to this processing of their personal data.
The CNIL fined Telemaque €150K and Cosmospace €250K. We wonder if they knew beforehand that it was on the cards?
ADDITIONAL INFORMATION: