On Wednesday, July 5th, 2020, the CNIL (the French data protection authority) imposed a sanction of 250,000 € on Spartoo, an online sales company specializing in ready-to-wear fashion, shoes and bags. Following an audit launched in 2018, the CNIL had initiated a sanction procedure in cooperation with all European authorities of the countries in which Spartoo is established.
This is the first sanction by the CNIL as the “lead” supervisory authority – i.e. the authority that serves as the sole interlocutor for a data controller located in several European countries.
At the end of its audit, the CNIL found that Spartoo had breached the GDPR on several counts:
- the principle of data minimization
- the obligation to limit the duration of data retention
- the obligation to inform persons
- the obligation to ensure data security
Cooperation with other authorities has enabled the CNIL to identify certain shortcomings taking place in other EU countries.
Given the seriousness of the breaches and the very high number of people concerned, the CNIL made the sanction public.