COSMOSPACE: Non-compliance with general data processing principles

The French DPA imposed a fine of EUR 250,000 on COSMOSPACE. The controller is a company that offers personalized clairvoyance consultations by telephone. As part of its services, the controller regularly processed multiple categories of sensitive data (Art. 9 GDPR) without obtaining prior consent. The controller also stored customer data for six years after the end of the business relationship for marketing purposes. According to the French DPA, a maximum of three years would have been admissible. This resulted in a fine of EUR 200,000. The fine was increased by EUR 50,000 because the processor also infringed the French Post and Electronic Communications Code.

GDPR Articles: Art. 5 (1) c), e) GDPR, Art. 9 GDPR
Industry: Media, Telecoms and Broadcasting