French Data Protection Authority Fines GROUPE CANAL+ 600,000 Euros for GDPR Violations

The French Data Protection Authority (CNIL) has imposed a fine of 600,000 euros on GROUPE CANAL+, a prominent producer and distributor of pay television offers, for multiple violations of the General Data Protection Regulation (GDPR) and the French Post and Electronic Communications Code (CPCE). The fine comes as a result of various breaches, particularly in terms of commercial prospecting and individual rights.

CNIL initiated the investigation following a series of complaints from individuals who experienced difficulties in asserting their rights concerning their personal data managed by GROUPE CANAL+.

Among the key violations identified were:

  1. Failure to Obtain Valid Consent: GROUPE CANAL+ regularly conducted commercial prospecting campaigns through electronic means but was unable to provide evidence of obtaining prior consent from individuals. The company's attempt to prove consent validity by presenting data collection forms from commercial partners was inadequate as it did not include recipient information, a crucial component of informed and valid consent.
  2. Lack of Information and Respect for Individual Rights: The investigation also revealed that GROUPE CANAL+ failed to provide comprehensive information, especially when individuals created a MyCanal account. The company's service provider for telephone prospecting didn't consistently provide required GDPR information, and there were delays in responding to complaints and requests, further infringing on individuals' rights.
  3. Absence of a Contractual Framework for Data Processing: GROUPE CANAL+ did not meet GDPR requirements for the processing carried out on its behalf by a data processor, as the contract lacked essential information.
  4. Insufficient Data Security Measures: A breach of the GDPR's data security obligations occurred when the storage of employee passwords at the company was deemed insufficiently secure.
  5. Failure to Report Data Breach: CNIL's investigations revealed a data breach where certain subscriber data was accessible to others for five hours. However, GROUPE CANAL+ did not notify CNIL about this incident, another breach of GDPR requirements.

The restricted committee at CNIL, responsible for issuing sanctions, determined the fine amount based on the severity of these violations, taking into consideration the company's cooperation and measures taken to rectify the breaches.

This action underscores the importance of maintaining compliance with the GDPR and the obligations related to data protection and individual rights. The sanction against GROUPE CANAL+ has been made public as a result of these significant violations.