Blog details

Unlawful use of data results in significant fine for canvassing company

Unlawful use of data results in significant fine for canvassing company

Unlawful use of data results in significant fine for canvassing company

A company was fined by CNIL for unlawfully using data obtained from a data broker for commercial prospecting purposes. 


On April 4, 2024, the French data protection authority, CNIL, imposed a significant fine of 525,000 euros on the company HUBSIDE.STORE. The fine was as a result of multiple violations of data protection regulations, primarily involving the unlawful use of personal data obtained from data brokers for commercial prospecting purposes. The investigation conducted by CNIL revealed that HUBSIDE.STORE had acquired personal data from data brokers without taking adequate measures to ensure that the individuals whose data was being processed had provided valid consent for the use of their data for commercial solicitations. This constitutes a clear breach of the fundamental principle of consent in data protection law, which requires that individuals must explicitly and affirmatively agree to the processing of their personal information for specific purposes. 


HUBSIDE.STORE violated French law and GDPR Article 6 by using data collected by a broker who used misleading forms to gain consent for advertising campaigns.


HUBSIDE.STORE engages in telephone and SMS canvassing campaigns to advertise products. The company acquires its prospect data from data brokers, publishers of competition, and product testing websites. Brokers collect this data by distributing participation forms for competitions or online product tests on various websites. Following an investigation, the CNIL determined that the misleading appearance of the data collection forms used by the brokers involved in the initial collection made it impossible to obtain valid consent from the individuals concerned, for purposes that data was being used by HUBSIDE.STORE. CNIL noted that the name of the company HUBSIDE.STORE was not consistently included among the list of partners mentioned in those forms who may contact the individuals involved. With regard to commercial prospecting via phone calls, CNIL emphasized that informing the affected individuals, at the time of data collection, of the possibility of receiving commercial offers from the company is non-negotiable. As a result, the company  was not legally permitted to conduct its SMS and telephone marketing campaigns. As a result, CNIL found HUBSIDE.STORE to be in violation of Article L. 34-5 of the French Postal and Electronic Communications Code, as well as  Article 6 of the GDPR. 


CNIL fined HUBSIDE.STORE 525,000 Euros for the unlawful use of data obtained from a data broker. 


CNIL imposed a fine of 525,000 euros and made the decision public. The fine imposed on HUBSIDE.STORE was specifically determined based on the severity of the data breaches identified and the company’s responsibility in handling the collected data. The fine, equivalent to approximately 2% of the company’s turnover, reflects these factors. Additionally, the restricted training imposed on the company considers HUBSIDE.STORE’s extensive commercial prospecting activities. This fine was imposed in collaboration with relevant European supervisory authorities (Belgium, Italy, Spain, and Portugal), within the framework of the one-stop shop, as HUBSIDE STORE processes data of customers and prospects from several EU member states.


CNIL’s decision emphasizes companies’ need to comply with data protection laws and respect individuals’ rights.


CNIL’s decision sends a strong message to companies that they must comply with data protection laws and respect the rights of individuals whose personal data they process. The fine is also a reminder that data brokers must ensure that the personal data they collect and sell is obtained lawfully and with the valid consent of the individuals concerned. This case highlights the importance of taking a proactive approach to data protection compliance. Companies must have systems and procedures in place to ensure that they are collecting, using, and storing personal data in accordance with the GDPR. This includes obtaining valid consent from individuals, and ensuring that data they procure can be used for the intended purposes.

At Aphaia, we commit to being the partner guiding you through a comprehensive journey of ensuring compliance, strengthening your data defenses, and providing peace of mind in an ever-evolving digital landscape.  Contact us today.

Prev post
CPPA Enforcement Division issues its first advisory
April 11, 2024
Next post
The EDPB releases its Opinion on ‘Pay or Ok’ Models
April 25, 2024