One of the most substantial GDPR fines so far in France was issued on 21 November 2019 by the French Data Protection Authority (CNIL).
A GDPR fine of €500,000 was issued to the French company Futura Internationale for violating the GDPR by conducting non-compliant phone marketing campaigns (among other violations and irregularities).
GDPR violations in marketing
The French CNIL found that the company violated the GDPR through its inability to respect individuals' objections to the processing of their personal data for direct marketing.
Futura Internationale also did not provide clear notification that individuals' phone calls were being recorded, and collected an excessive amount of information on data subjects in its CRM.
The French company also demonstrated an unwillingness to implement appropriate data transfer mechanisms for transfers to non-EU call center providers and did not show the expected level of cooperation with the French Data Protection Authority.
Second largest GDPR fine so far in France
The investigation was initiated last year following an individual's complaint about a phone marketing campaign conducted by a third-party company for Futura Internationale.
The complaint was made by an individual who had objected to the processing of his/her data and was still receiving marketing calls. The request to stop processing personal data was stated orally and in writing. However, the company did not process the request and continued with the calls.
Among other discrepancies, Futura Internationale was using services provided by call centers located outside the EU, without a data transfer agreement and without appropriate data protection measures. The company also did not have a system for managing data subjects' requests.
What was the GDPR violation?
The French CNIL issued a statement specifying these GDPR violations:
• Failure to process data which are adequate, relevant and limited to what is necessary for the purposes for which they are processed (Article 5(1)(c) of the GDPR)
• Failure to inform the data subjects from whom personal data are collected directly or indirectly (Articles 12 and 14 of the GDPR)
• Failure to define and implement an effective right of objection procedure (Article 21 of the GDPR)
• Failure to cooperate with the supervisory authority (Article 31 of the GDPR)
• Failure to provide the appropriate safeguards regarding the transfer of personal data outside the EU (Article 44 of the GDPR)
To stay up to date on GDPR fines issued so far in the EU, we recommend this GDPR tracker!