
Company: Non-compliance with general data processing principles

€3,500,000 fine - French Data Protection Authority (CNIL)


Content

The French DPA has imposed a fine of EUR 3,500,000 on a company. The controller operated a loyalty program in France and 16 other EU countries and transferred customer data obtained through the program to a third party for marketing purposes. The controller had no sufficient legal basis for this transfer and also failed to inform the data subjects. Furthermore, the controller used an inadequate method to store passwords. Finally, the controller failed to conduct a data protection impact assessment, which would have been mandatory given the amount of data being processed and the cross-referencing of data.

GDPR Articles: Art. 6 (1) a) GDPR, Art. 13 GDPR, Art. 32 GDPR, Art. 35 GDPR
Industry: Industry and Commerce