Blog details

Fine imposed by CNIL for failing to comply with retention periods and transparency duties under GDPR

Fine imposed by CNIL for failing to comply with retention periods and transparency duties under GDPR

A recent fine imposed by CNIL of France for €1.75 million relates to two GDPR violations by SGAM AG2R LA MONDIALE. 


A recent fine imposed by CNIL on the Mutual Insurance Group company- SGAM AG2R LA MONDIALE for GDPR violations, will cost the company €1.75 million. The company was found to have customer personal data which was kept beyond the legal retention period allowed under the GDPR. In addition, customers contacted by the company by phone were not provided key information required under the GDPR. Following the fine, CNIL also decided to make the decision public. Measures have been taken to achieve compliance, as has been noted by CNIL. 


SGAM AG2R LA MONDIALE was found to have been keeping customer data years after customers had been out of contact with the company. 


Following an inspection by CNIL, the insurance group was found to have violated article 5(.1) (.e) of the GDPR, by failing to limit the retention period of customer data. There was no implementation of systems to ensure that customer data was not kept beyond the maximum legal retention period, and as result there was data in the company’s records relating to almost 2000 customers who had not been in contact with the company in 3-5 years. There was also a group of over 2 million customers whose personal data, including sensitive health and financial details, was kept beyond the legal retention period allowed after the end of a contract. 


The fine imposed by CNIL included a violation of Articles 13 and 14 of the GDPR. 


Articles 13 and 14 of the GDPR outline information which must be provided to data subjects when personal data is collected from them (Article 13), and also when personal data has not been collected from them (Article 14). SGAM AG2R LA MONDIALE employed a subcontractor to contact data subjects on its behalf. Upon investigation, it was revealed that the information provided to data subjects by the company’s subcontractor did not include all the necessary elements as required under the GDPR. Data subjects were not given sufficient information regarding the processing of their personal data and other rights. In addition, the data subjects were not given the option of accessing more comprehensive information whether via email or by pressing a key on their phone. 


A fine of €1.75 million has been imposed on the company as they take measures to achieve compliance. 


CNIL made the decision to impose a total fine of €1,750,000 on SGAM AG2R LA MONDIALE and to make the decision public. There is no indication that the Mutual Insurance Group has contested the fine. The company has in fact, taken measures to come into compliance with GDPR Articles 5(1) (e), 13 and 14 GDPR. The restricted committee of the CNIL has taken note of the compliance measures adopted by the company concerning the limitation of the retention period and the information of data subjects.


Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Prev post
TikTok, multada por la autoridad de control de Holanda
July 29, 2021
Next post
La CNIL impone una multa por incumplimiento con los períodos de retención y los deberes de transparencia bajo el RGPD
August 3, 2021

Leave a Comment