Canal+ has clearly gone beyond the limits! The CNIL criticizes it for several breaches of the famous GDPR, particularly in terms of telephone canvassing, the creation of MyCanal accounts and data security.
Even though it is a practice as old as time, cold calling can quickly turn your daily life into a real hell, especially when it becomes abusive. This is why, at the start of the year, the Government tightened its supervision with imposed schedules and a more limited frequency of calls. But not all companies follow the rules. After receiving several complaints from Canal+ customers, the National Commission for Information Technology and Liberties (CNIL) looked into the case of the encrypted channel, a keen practitioner of this controversial technique. It discovered several breaches of the General Data Protection Regulation (GDPR) and the Postal and Electronic Communications Code (CPCE). This is why, on October 19, it announced in a statement that it had imposed a fine of 600,000 euros on Canal+ for failing to meet its obligations regarding commercial prospecting and individuals' rights.
Canal+ fine: several breaches of the GDPR
The CNIL indicates that it received several complaints about the difficulties users encountered in having their rights taken into account by the company, particularly during telephone canvassing. Canal+ is criticized for not having verified with its data suppliers that they had obtained valid consent from the people likely to receive commercial prospecting by email (often a box to be checked when subscribing to a newsletter or a service), as the company was unable to provide proof of their agreement. This is nevertheless required by the GDPR. In addition, the data collection forms did not include any information on the identity of the recipients to whom the data is transmitted, which is necessary to obtain valid and informed consent.
The CNIL also identified a breach of the obligation to inform people when they create a MyCanal account, because the privacy policy to which the account creation form referred was imprecise about retention periods. The same goes for telephone canvassing calls made by its service provider, which did not systematically provide all the information required by the GDPR. According to advisors, this oversight is simply due to the fact that prospects hang up too quickly, or that some are already subscribed to Canal+ when they are contacted. Note also that the time limits for responding to customers who complained were not always respected.
The company, a subsidiary of the Vivendi group, also failed to fulfill its obligation to provide a contractual framework for the processing carried out by its subcontractors. In addition, the CNIL identified a security defect in the storage of employee passwords, which did not meet current security standards. A hack of the firm could then have led to a gigantic data leak. To make matters worse, the digital policeman noted a data breach that exposed subscriber information to other subscribers for a period of five hours. Worse still, this breach had not been notified to it, as the law requires.
In response to all these failings, the CNIL decided to impose a fine of 600,000 euros on the television channel and to make its decision public. The amount was defined taking into account the cooperation of Canal+ and the measures it took to comply with regulations during the procedure.