|Jurisdiction=France
|DPA-BG-Color=
|DPAlogo=LogoFR.png
|DPA_Abbrevation=CNIL
|DPA_With_Country=CNIL (France)
|Case_Number_Name=SAN-2025-017
|ECLI=
|Original_Source_Name_1=JO
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000053391342
|Original_Source_Language_1=French
|Original_Source_Language__Code_1=FR
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=
|Date_Decided=30.12.2025
|Date_Published=21.01.2026
|Year=2025
|Fine=3.500.000
|Currency=EUR
|GDPR_Article_1=Article 6 GDPR
|GDPR_Article_Link_1=Article 6 GDPR
|GDPR_Article_2=Article 13 GDPR
|GDPR_Article_Link_2=Article 13 GDPR
|GDPR_Article_3=Article 32 GDPR
|GDPR_Article_Link_3=Article 32 GDPR
|GDPR_Article_4=Article 35 GDPR
|GDPR_Article_Link_4=Article 35 GDPR
|GDPR_Article_5=
|GDPR_Article_Link_5=
|GDPR_Article_6=
|GDPR_Article_Link_6=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=Article 82 Loi informatique et libertés (LIL)
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Name_3=
|National_Law_Link_3=
|Party_Name_1=Unknown
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=
|Initial_Contributor=claratab
|
}}
The DPA imposed a fine of €3,500,000 on a data controller for breaching several articles of the GDPR and of national law (the LIL). The controller had neither validly obtained consent, nor provided the required information, nor ensured the security of personal data. Moreover, the data was matched against a social media company's database in order to serve targeted advertising.
== English Summary ==
=== Facts ===
A company operates a website on which customers can create an account, buy products and join the company's loyalty program. On these occasions, the company collects personal data such as technical data (for example the IP address), identity data and contact details.
The company then transmits some of this data to a social media company, which matches it against its user profiles. The resulting matches allow both companies to show targeted advertising to the social media users.
About 10.8 million clients were included in the transmitted data set, and 1.6 million of them were actually reached by the targeted advertising.
After two audits, one online and one on-site, the DPA opened an investigation in 2023. The investigation was closed by the rapporteur on 24 September 2025. The DPA examined the case on 16 October 2025 and issued its decision on 30 December 2025.
=== Holding ===
The dispute concerns several points.
First, the question of responsibility is dealt with briefly, as the company acknowledged its role as controller. The social media company is not a party to the procedure.
<u>Consent ([[Article 6 GDPR]]; [[Article 4 GDPR]]; [[Recital 32 GDPR]]):</u>
[[Article 6 GDPR]] provides that processing is lawful only if it rests on a legal basis.
Here, the controller relied on consent as the legal basis for the processing.
[[Article 4 GDPR]] defines consent as a freely given, specific, informed and unambiguous indication of the data subject's wishes. [[Recital 32 GDPR]] adds that where the processing serves several purposes, consent should be given for each of them (one purpose, one expression of consent). Moreover, the CJEU recalls that the data subject must be informed of all the circumstances of the processing, in an intelligible and easily accessible form, so as to easily understand the consequences of the processing.
In this case, the controller collected personal data via a membership form. The data subject was offered to join the loyalty program via a "yes/no" push button. If the data subject joined the loyalty program by selecting "yes", they were invited to consent to receive "loyalty offers" via SMS and email.
The DPA recalled that, since this form contained no information on the transmission to the social media platform, or even on targeted advertising, the consent could not be considered informed and specific. Indeed, the DPA noted that advertising by SMS and email is delivered through a different channel than targeted advertising on social media, and this difference of channel gives the advertising a different nature.
Moreover, the DPA noted that the information was hard for data subjects to find. The data subject had to locate the links to the information, which were far from the consent button, at the bottom of the page. They then had to consult two documents, each containing part of the information (the general terms of sale (CGV) and the privacy policy).
The DPA therefore held that the processing was unlawful, as consent had not been validly given (neither specific nor informed).
<u>Information ([[Article 13 GDPR]]):</u>
Second, the DPA examined the information provided to data subjects under [[Article 13 GDPR]].
The website presented the legal bases and the purposes separately, without matching them to each other, and the data retention period was not indicated. Moreover, the purpose "targeted advertising" was not visible on the page.
The controller updated its website during the investigation.
The DPA acknowledged this effort but nevertheless sanctioned the violation of Article 13.
<u>On the violation of [[article 32 GDPR]]:</u>
The DPA recalled that security measures must be defined taking into account the state of the art, the cost of implementation, the risks of the processing and the categories of personal data concerned. The rapporteur noted that the controller processed the personal data of 10.8 million data subjects, directly accessible from their accounts. The security measures must be adapted to such circumstances.
Here, the DPA first highlighted that the website's password policy only required passwords with an entropy of 26 bits, whereas the CNIL's and ANSSI's recommendations call for a minimum entropy of 50 bits.
The controller acknowledged the violation of [[Article 32 GDPR]] and took remedial measures, such as changing its password policy.
Moreover, the DPA examined how customers' passwords were stored. The controller hashed them with SHA256, a function which is fast to compute and therefore offers little resistance to an attacker trying to recover passwords from the hashes. The DPA therefore considered that the storage conditions were not secure enough.
In conclusion, the DPA considered that the controller had not taken sufficient measures to ensure the security of the personal data processed, and had thus violated Article 32 GDPR.
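The two Article 32 findings above (a password policy below the 50-bit entropy floor, and passwords stored as plain SHA256 digests) can be checked in code. The following is an added example written for this summary; it is not the controller's implementation, nor CNIL or ANSSI tooling. The 50-bit threshold comes from the summary; the character-class sizes, the scrypt cost parameters and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Minimum password entropy the summary attributes to the CNIL/ANSSI
# recommendations; the policy criticised in the decision reached only 26 bits.
MIN_ENTROPY_BITS = 50

# Alphabet size per character class (assumption: a symbol class of 32
# printable ASCII punctuation characters).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def policy_entropy_bits(min_length: int, classes: Tuple[str, ...]) -> float:
    """Entropy in bits of a password of min_length characters drawn uniformly
    from the union of the given classes: min_length * log2(alphabet size)."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return min_length * math.log2(alphabet)


def policy_is_acceptable(min_length: int, classes: Tuple[str, ...]) -> bool:
    """True when the weakest password the policy still accepts meets the floor."""
    return policy_entropy_bits(min_length, classes) >= MIN_ENTROPY_BITS


def hash_password_legacy(password: str) -> str:
    """The scheme criticised in the decision: one unsalted SHA-256 digest.
    Equal passwords give equal hashes, and guesses can be tested at the full
    speed of SHA-256 on commodity hardware."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# scrypt cost parameters (assumption: values suited to interactive logins;
# N=2**14 with r=8 needs about 16 MiB per hash computation).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened storage: a random per-user salt and a memory-hard KDF
    (hashlib.scrypt from the standard library). The salt defeats precomputed
    tables; the work factor makes every guess expensive.
    Returns 'scrypt$<salt_hex>$<key_hex>'."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, _ = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    # Constructed policies: a short lowercase-only password lands near the
    # 26-bit figure from the decision; 11 alphanumeric characters clear 50 bits.
    for length, classes in ((6, ("lower",)), (11, ("lower", "digit"))):
        bits = policy_entropy_bits(length, classes)
        verdict = "ok" if policy_is_acceptable(length, classes) else "too weak"
        print(f"{length} chars from {classes}: {bits:.1f} bits -> {verdict}")
    # Same password for two users: identical legacy hashes, distinct scrypt hashes.
    print(hash_password_legacy("hunter2") == hash_password_legacy("hunter2"))
    stored = hash_password("hunter2")
    print(stored != hash_password("hunter2"), verify_password("hunter2", stored))
```

The entropy estimate assumes passwords drawn uniformly from the allowed alphabet, which is the usual basis for policy-level figures; real user choices are weaker, so the floor is a minimum, not a guarantee. The storage half shows why a fast hash is the wrong tool even when it is a sound cryptographic function: the property a password store needs is cost per guess, which SHA-256 is designed not to have.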
<u>On the violation of the PIA obligation ([[Article 35 GDPR]]):</u>
The DPA considered jointly [[Article 35 GDPR]], [[Recital 91 GDPR]], the [https://ec.europa.eu/newsroom/article29/items/611236 G29 guidelines on PIA], and the [https://www.legifrance.gouv.fr/jorf/id/JORFTEXT000037559518 CNIL's deliberation n°2018-326] (11 October 2018). The DPA noted that a large amount of personal data was processed, and that the controller cross-referenced this data with data from the social media database. However, the controller had not carried out any privacy impact assessment. It therefore violated its obligation.
<u>On the violation of [https://www.cnil.fr/fr/le-cadre-national/la-loi-informatique-et-libertes#article82 Article 82 LIL] on cookies:</u>
[https://www.cnil.fr/fr/le-cadre-national/la-loi-informatique-et-libertes#article82 Article 82 LIL] transposes [https://eur-lex.europa.eu/eli/dir/2002/58/oj/eng Article 5(3) of the ePrivacy Directive]. It obliges controllers to obtain the data subject's consent before placing cookies; an exception exists for purely technical cookies. However, the controller's website placed more than 11 cookies on users' terminals without their consent. One of them was a cookie enabling the personalisation of interactions between the data subject and a chatbot, which collected browsing history in particular.
Thus, after noting that these cookies were not technical cookies and that no consent had been collected, the DPA considered that the controller violated Article 82 LIL.
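The finding above rests on a check that any site operator can reproduce: capture the cookies written on first page load, before the visitor has answered any banner, and compare them against the list of cookies documented as strictly necessary. The following is an added example for this summary, not CNIL audit tooling and not the controller's code. The Set-Cookie headers, the allowlist of strictly-necessary cookie names and the `chat_history` cookie (a stand-in for the chatbot personalisation cookie type the decision mentions) are all constructed; none of the values come from the real site.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed allowlist: cookie names the (hypothetical) operator documents as
# strictly necessary, the only category exempt from prior consent under
# Article 82 LIL as summarised above.
STRICTLY_NECESSARY: Set[str] = {"session_id", "cart_id", "csrf_token", "cookie_consent"}

# Constructed Set-Cookie headers, standing in for what an online audit would
# capture on the first page load before any interaction with a consent banner.
SAMPLE_HEADERS_BEFORE_CONSENT: List[str] = [
    "session_id=7f3a9c; Path=/; HttpOnly; Secure; SameSite=Lax",
    "cookie_consent=pending; Path=/; Max-Age=15552000",
    "_ads_uid=ab12cd34; Domain=.retailer.example; Path=/; Max-Age=31536000",
    "chat_history=v1:home,catalog; Path=/; Max-Age=2592000",
    "analytics_vid=9917; Path=/; Max-Age=63072000",
]


@dataclass
class Cookie:
    name: str
    value: str
    domain: Optional[str]      # None means host-only
    max_age: Optional[int]     # seconds; None means a session cookie


def parse_set_cookie(header: str) -> Cookie:
    """Split a Set-Cookie header into name, value and the attributes the audit
    cares about. Attribute names are case-insensitive (RFC 6265)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    max_age = attrs.get("max-age")
    return Cookie(name=name.strip(), value=value.strip(),
                  domain=attrs.get("domain"),
                  max_age=int(max_age) if max_age else None)


def audit_before_consent(headers: Iterable[str],
                         necessary: Set[str] = STRICTLY_NECESSARY) -> List[Cookie]:
    """Return every cookie written before consent that is not on the
    strictly-necessary allowlist: each one would have required prior consent."""
    return [c for c in (parse_set_cookie(h) for h in headers)
            if c.name not in necessary]


def describe(findings: List[Cookie]) -> List[str]:
    """One human-readable line per finding, with scope and lifetime in days."""
    lines = []
    for c in findings:
        lifetime = "session" if c.max_age is None else f"{c.max_age // 86400} days"
        scope = c.domain or "host-only"
        lines.append(f"{c.name}: written before consent (scope {scope}, lifetime {lifetime})")
    return lines


if __name__ == "__main__":
    for line in describe(audit_before_consent(SAMPLE_HEADERS_BEFORE_CONSENT)):
        print(line)
```

The allowlist is the part that needs judgement: a cookie qualifies for the technical exemption because of what it does, not because of its name, so the list should be derived from a documented purpose for each cookie. Lifetime and domain scope are reported because a long-lived, site-wide cookie written before consent is exactly the kind of finding that turns into a sanction.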
<u>Fines:</u>
Two fines, of €2,500,000 (for the GDPR violations) and €1,000,000 (for the LIL violation), were imposed on the controller.
== Comment ==
”Share your comments here!”
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the French original. Please refer to the French original for more details.
<pre>
The National Commission for Information Technology and Civil Liberties, meeting in its restricted formation composed of Mr. Philippe-Pierre CABOURDIN, Chairman, Mr. Vincent LESCLOUS, Vice-Chairman, Ms. Laurence FRANCESCHINI, Ms. Isabelle LATOURNARIE-WILLEMS, Mr. Didier KLING, and Mr. Bertrand du MARAIS, Members;
Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
Having regard to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;
Having regard to Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties, in particular Articles 20 et seq.;
Having regard to Decree No. 2019-536 of 29 May 2019 implementing Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties;
Having regard to Resolution No. 2013-175 of 4 July 2013 adopting the Rules of Procedure of the National Commission for Information Technology and Civil Liberties;
Having regard to Decision No. 2025-1154 QPC of 8 August 2025 of the Constitutional Council;
Having regard to Decision No. 2023-001C of 21 December 2022 by the President of the French Data Protection Authority (CNIL) instructing the Secretary General to conduct or have conducted an audit of the data processing operations implemented by or on behalf of Company X;
Having regard to the decision of the President of the French Data Protection Authority (CNIL) appointing a rapporteur to the restricted panel on 17 April 2025;
Having regard to the report of Ms. Anne Debet, Commissioner-Rapporteur, dated 12 May 2025, served on Company X on 13 May 2025;
Having regard to the written observations submitted by Company X on 23 June 2025;
Having regard to the rapporteur’s response notified to Company X on 16 July 2025;
Having regard to the further written observations submitted by Company X on 12 September 2025;
Having regard to the closure of the investigation notified to Company X on September 24, 2025;
Having regard to the oral submissions made during the hearing of the restricted panel on October 16, 2025;
Having regard to the other documents in the file;
The following were present at the hearing of the restricted panel on October 16, 2025:
– Ms. Anne DEBET, Commissioner, who presented her report;
As representatives of Company X:
– […]
Company X having been informed of its right to remain silent regarding the allegations against it and having been given the last word;
The restricted panel adopted the following decision:
I. Facts and Procedure
1. Company X (hereinafter “the Company”) is […] whose registered office is located […].
2. In 2021, the company employed 363 people, and the “X” brand had more than […] stores in France. In 2022, the company generated revenue of […] euros, with a net profit of nearly […] euros. In 2023, it generated revenue of more than […] euros, with a net profit of nearly […] euros. In 2024, the company’s revenue exceeded […] euros, with a net profit of more than […] euros.
3. Founded […], the company is […], whose business consists of […] in-store and online, via the website “[…]” published by company X. This website allows users to create a customer account, make purchases, and join a loyalty program valid both online and at the checkout of stores within the X network. According to information released by the company on February 10, 2023, the loyalty program had nearly 10.5 million members in France, over 200,000 in Belgium, over 15,000 in Luxembourg, and members in several other European Union countries.
4. By decision no. 2023-001C of 21 December 2022, the President of the French Data Protection Authority (hereinafter, “the CNIL” or “the Commission”) instructed the Secretary General to conduct or have conducted an audit to verify the compliance of the processing operations implemented by the company with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “GDPR”) and with Law no. 78-17 of 6 January 1978, as amended, relating to information technology, data files and civil liberties (hereinafter “the French Data Protection Act” or “the amended Law of 6 January 1978”).
5. Pursuant to this decision, a CNIL delegation conducted an online audit of the website “[…]” on January 5, 2023, and an on-site audit at the premises of Company X on January 26, 2023. Reports No. 2023-001/1 and No. 2023-001/2, drawn up following these audits, were sent to the company by letters dated January 6 and 27, 2023.
6. The company provided the delegation with additional information on February 10 and 23, March 14, April 18 and 28, August 23, and September 26, 2023.
7. For the purpose of reviewing this information, the Chair of the Commission appointed Ms. Anne Debet as rapporteur on April 17, 2025, pursuant to Article 22 of the Law of January 6. 1978 as amended.
8. In accordance with Article 56 of the GDPR and based on the information in the file, the CNIL (French Data Protection Authority) informed all European supervisory authorities on December 27, 2024, of its competence to act as the lead supervisory authority for the cross-border processing carried out by the company, resulting from the fact that the company’s principal place of business is located in France. Following exchanges between the CNIL and the European data protection authorities within the framework of the one-stop-shop mechanism, it appears that the Belgian, Luxembourg, Dutch, Spanish, German, Irish, Italian, Danish, Swedish, Portuguese, Finnish, Austrian, Romanian, Polish, Lithuanian, and Norwegian authorities are concerned by the processing carried out.
9. On May 12, 2025, following her investigation, the rapporteur served the company with a report detailing the breaches of Articles 6, 13, 32, and 35 of the GDPR and Article 82 of the French Data Protection Act that she considered to have occurred in this case. This report recommended that the restricted panel impose an administrative fine on the company, as well as an order to bring its data processing activities into compliance with the aforementioned provisions, subject to a penalty payment. The rapporteur also recommended that this decision be made public, but that the company should no longer be identifiable by name after a period of two years from its publication.
10. On June 23, 2025, the company submitted observations in response to the sanction report.
11. The rapporteur responded to the company’s observations on July 16, 2025.
12. On September 12, 2025, the company submitted further observations in response.
13. By letter dated September 24, 2025, the rapporteur, pursuant to Article 40, III of Decree No. 2019-536 cited above, informed the company that the investigation was closed.
14. On the same day, the company was informed that the case was placed on the agenda of the restricted panel meeting of October 16, 2025.
15. The rapporteur and the company presented oral observations at the restricted panel meeting.
II. Reasons for the Decision
A. On the European Cooperation Procedure
16. Pursuant to Article 60(3) of the GDPR, the draft decision adopted by the restricted panel was transmitted on 1 December 2025 to the relevant European supervisory authorities.
17. As of 29 December 2025, none of these authorities had raised a relevant and substantiated objection to this draft decision, so, pursuant to Article 60(6) of the GDPR, they are deemed to have approved it.
B. On the Processing Activities in Question and Company X’s Status as Data Controller
18. Article 4(7) of the GDPR defines the data controller as “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.”
19. Regarding targeted advertising, the European Data Protection Board (hereinafter “EDPB”), in its Guidelines 8/2020 on targeting social media users adopted on 13 April 2021, indicates that the target acts as a data controller when it “determines the purposes and means of the processing by actively collecting, processing and transmitting the personal data of data subjects to the social media provider for advertising purposes” (§61).
20. Firstly, the restricted panel notes that the processing operations at issue in these proceedings relate to:
– on the one hand, the operation of the website “[…]”, which it publishes and through which it collects and processes users’ technical data (IP address, internet connection, browser type, information about the device used) and data collected using cookies;
– and, on the other hand, to the operation of customer accounts and the X brand’s loyalty program, the company collects and processes the personal data of its customers and members of this program when an account is created (title, surname, first name, email address, password, date of birth, telephone number, postal address, and chosen nearest store), when a loyalty card is issued (the same information being collected), and subsequently through the use of said card.
21. The restricted panel notes that the company informed the supervisory delegation, by letter dated April 28, 2023, that it is responsible for the processing of personal data implemented from the website “[…]” as well as within the framework of its loyalty program. The company is also designated as being responsible for the aforementioned processing in the “Personal Data Policy” and Article 12 of the “General Terms and Conditions of the X Loyalty Program” appearing on the website “[…]”.
22. Secondly, the restricted panel notes that this procedure also concerns processing related to the presentation of targeted advertising on the social network Z, managed by the Y group, in order to promote products sold by X. In this context, company X transmits the email address and/or telephone number of members of its loyalty program (when they have consented to receive marketing communications) to the Y group, so that the latter can match them with the data of users of its social network. Based on this comparison, Y identifies, among the members of the X loyalty program, those who are also members of its social network, as well as social network users with a similar profile. This processing allows for the display of advertisements to them as part of Company X’s marketing campaigns. The investigation revealed that the data was transmitted to Group Y on a weekly basis from the end of 2018 until February 2024.
23. The restricted panel notes that the company informed the supervisory delegation that it acted as the data controller for the transmission of data to Group Y and for matching this data with that of users of the social network Z. Regarding the processing carried out for campaigns launched after this matching, Company X indicated that it and Group Y acted as joint controllers.
24. The restricted panel considers that Company X, by collecting and transmitting the personal data of its loyalty program members to Group Y, in order to display advertisements promoting its products to them on the social network Z, determines the purposes and means of the processing.
25. Consequently, and without it being necessary in these proceedings to also rule on the share of responsibility attributable to Group Y, Company X must be considered the controller of the targeted advertising displayed on social network Z, for the purposes of which it transmitted personal data to Group Y until February 2024.
C. On the failure to comply with the obligation to process data lawfully
26. In law, Article 6(1) of the GDPR provides that “processing shall be lawful only if and to the extent that at least one of the following conditions applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; (b) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract; (c) processing is necessary for compliance with a legal obligation to which the controller is subject; (d) the processing is necessary to protect the vital interests of the data subject or of another natural person; (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
27. Article 4(11) of the GDPR provides that consent, as referred to in Article 6(1)(a) of the GDPR, means freely given, specific, informed and unambiguous evidence by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
28. Furthermore, recital 32 of the GDPR stipulates that this “clear affirmative action” can, for example, take the form of a ticking box when visiting a website, and that in any event, “there can be no consent in the event of silence, pre-ticked boxes, or inactivity. The consent given should be valid for all processing activities having the same purpose(s). Where the processing has several purposes, consent should be given for all of them.”
29. Regarding the methods for obtaining consent, the Court of Justice of the European Union (CJEU) clarified in its 2019 Planet49 GmbH decision that “the expression of will referred to in Article 2(h) of Directive 95/46 must, in particular, be ‘specific’, in that it must relate precisely to the data processing concerned and cannot be inferred from an expression of will having a separate purpose” (CJEU, Grand Chamber, 1 October 2019, Planet49 GmbH, C-673/17, ECLI:EU:C:2019:801, paragraph 58).
30. Furthermore, by way of illustration, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 specify that “a controller who requests consent for various specific purposes should provide separate consent for each purpose so that users can give specific consent for specific purposes […] The data controller should accompany each separate consent request with specific information concerning the data processed for each purpose so that data subjects are aware of the impact of their choice […] (§§60 and 61).”
31. The CJEU has reiterated in this regard that the controller must provide the data subject with “information in light of all the circumstances surrounding the processing of the data, in an intelligible and easily accessible form and formulated in clear and plain language, the data subject being required to know in particular the type of data to be processed, the identity of the controller, the duration and methods of processing and the purposes of the processing. Such information must enable the data subject to easily determine the consequences of any consent he or she might give and ensure that such consent is given in full knowledge of the facts (see, by analogy, judgment of 1 October 2019, Planet49, C-673/17, EU:C:2019:801, paragraph 74).” (CJEU, 11 November 2020, Orange România SA, C-61/19, paragraph 40).
32. The rapporteur asserts that the processing of targeted advertising displayed on social network Z, for the purposes of which company X transmits the personal data of its loyalty program members to group Y, lacks a legal basis due to the absence of valid consent from the data subjects. She considers that the methods used to obtain consent, as well as the information provided by company X to its loyalty program members, do not allow for the collection of specific and informed consent from these members to the aforementioned processing.
33. In its defense, the company maintains that the consent of the individuals whose data was transmitted was obtained:
– firstly, upon their joining the X loyalty program, insofar as these individuals consented to receive marketing communications through various channels (email and/or SMS) and to the matching of this data with that of Z, such processing being, according to the company, mentioned in its “personal data policy”;
– Furthermore, when these individuals registered on Z, they accepted the social network’s “Terms of Service” and “Privacy Policy,” thereby authorizing the display of targeted advertisements from advertisers.
34. The company argues that loyalty program members who had agreed to receive marketing communications from X and who had a Z account could reasonably expect to see advertisements for X products on the social network, and that they could also withdraw or modify their consent at any time.
35. The company further notes that the only data transmitted was the email address and/or telephone number of the individuals concerned, and that this data was encrypted, first by company X before any transmission, using the SHA256 hash function, and then by group Y, “using a JavaScript pixel,” which it claims guarantees that the transmitted data cannot be used by Y if there is no match with a user Z. The company also specifies that this encrypted data was deleted by group Y after a match, whether successful or not.
36. Moreover, it argues that the number of individuals concerned should be put into perspective since, while the data of 10.5 million people was indeed transmitted to group Y, only 1.6 million of them actually saw an advertisement between June 2022 and February 2024 – the match rate being approximately 15%. Furthermore, the company states that it did not derive any significant financial benefit from this processing. Finally, it specifies that it voluntarily ceased all targeted advertising campaigns with Group Y in February 2024.
37. In this case, the restricted panel notes that the company carried out targeted advertising operations on the social network Z from the end of 2018 to February 2024. To this end, it transmitted to Group Y, the operator of this social network, the email addresses and/or telephone numbers of members of its loyalty program who had consented to receive marketing messages by SMS and/or email, so that Group Y could match this data with that of Z users and display advertisements for X products, firstly, to social network users who are also members of the X loyalty program and, secondly, to users with a profile similar to these individuals.
38. The company stated, both during the audit and in its defense submissions, that the aforementioned data processing was based on the consent of the data subjects.
39. Firstly, regarding the consent that the company claims to obtain via the membership form for the X loyalty program, the restricted panel notes that, according to the findings of the delegation during the online audit of January 5, 2023, when creating an account on the website “[…]”, the user is presented with a form on which they must provide, among other things, their title, surname, first name, telephone number, date of birth, and email address. This form also includes a section allowing the data subject to join the X loyalty program via a push button (yes/no) accompanied by the message “I join the La Team X loyalty program and immediately receive €5.”
40. If the user expresses their wish to join the loyalty program by activating the push button, they are asked to consent to be contacted by SMS to “receive their loyalty benefits” and/or by email to receive “the best offers from X,” via checkboxes (yes/no). A hyperlink “Details of the conditions HERE” is located at the bottom of the form, allowing the user to be redirected to the “General Terms and Conditions of the X Loyalty Program.” A second hyperlink, “Learn more about your rights and how we process your personal data”, also located at the bottom of the form, refers to the company’s “personal data policy” (also accessible from the footer of each page of the site), which specifies in its article 3 (in its version in force at the time of the control) that the company processes the personal data of individuals in particular in the context of “membership in the loyalty program and the management of the Loyalty Program, in particular the matching of members’ data with that of company Z”. “Company Z” is also mentioned among the data recipients (Article 8), as it is specified that “The Personal Data collected by X may be transmitted: […] to Company Z, which undertakes, as a data processor, not to transfer, for any reason whatsoever, the data it processes, once the matching process is complete, to partners, including commercial partners.” Furthermore, regarding the data retention period, Article 7 specifies that “with regard to the loyalty program, Company Z undertakes to automatically delete the data transferred by X once the matching process is complete, and to retain neither a copy nor a backup of the personal data concerned.”
41. Furthermore, the “General Terms and Conditions of Sale,” accessible from the footer of each page of the website, stipulate in Article 10 that “the data collected is reserved for the use of the Customer Marketing Department, the Digital Strategy & Innovation Department of Company X, and Company Z, acting as a subcontractor. As such, the data collected may be transferred to the United States. […] The personal information collected is necessary for processing the order, its delivery, the invoicing, and for matching customer data with that of Company Z.” Article 11 stipulates that “in accordance with applicable regulations, the member is informed that all the information provided by them in the questionnaire included in the Membership Application is necessary for processing and issuing the X Card, as well as for the process of matching customer data with that of Company Z.”
42. The restricted panel notes, firstly, that the form described in paragraphs 39 and 40 does not contain any information on the transmission of data to Group Y for targeted advertising purposes. The information contained on this form relates to joining the loyalty program and receiving marketing messages by SMS and/or email.
43. Thus, based solely on the information contained in the form, it cannot be considered that the information provided to members is sufficient to ensure that their consent to the transmission of their data to social network Z for targeted advertising purposes is informed. While this information does refer to electronic marketing (by SMS and/or email), which aims to promote products marketed by Company X, as does the targeted advertising carried out on social network Z, the advertising messages are delivered through separate channels and in different environments. Indeed, the transmission of data to Group Y for targeted advertising on social network Z—that is, advertising via banners displayed on the website—is of a different nature than advertising by email or SMS, which does not necessarily involve the transmission of data to a third party. However, this purpose of targeted advertising on social network Z—for which the data is transmitted to Group Y—is not clearly stated on the form. Under these circumstances, the restricted panel considers that it cannot be assumed that, by reviewing the content of this form, individuals have provided specific and informed consent to the processing of their personal data for this purpose.
44. Furthermore, regarding the documents on the website “[…]”, namely the “General Terms and Conditions of the Loyalty Program”, the “Personal Data Policy”, and the “General Terms and Conditions of Sale”, the restricted panel notes, firstly, that individuals must take the initiative to consult them by clicking on several links if they wish to access the information they contain and, secondly, that they contain partial information that is not sufficiently explicit to allow data subjects to have a clear understanding of the processing involved and, consequently, to give informed and specific consent.
45. Firstly, concerning the “General Terms and Conditions of the X Loyalty Program”, which aim to explain to members the consequences of their membership, they do not mention the transfer of data to Group Y when they agree to be contacted by X via SMS or email. As for the information provided in the “Personal Data Policy” and the “General Terms and Conditions of Sale,” according to which individuals’ data is “matched” with “that of Company Z,” this also appears insufficient to obtain informed consent from the individuals concerned, since this simple statement does not clearly explain the purpose of this transfer, to which individuals are not even asked to give their explicit consent.
46. The restricted panel further observes that this information is contained in two separate documents, themselves accessible via several links at the bottom of the account creation form and from the footer of each page of the website. Individuals are required to click on several links located away from the checkboxes and the push button used to obtain consent for marketing communications by SMS and/or email (these checkboxes and this button, moreover, as mentioned in paragraph 43, serve distinct purposes).
47. In light of the above, this process does not truly allow data subjects to provide explicit and informed consent through a positive action for the processing in question, as could have been achieved, for example, by including a checkbox on the loyalty program membership form clearly stating the purpose of this processing and offering individuals the option to accept or decline its implementation.
48. Secondly, regarding the consent given by Z users when creating an account on the social network, the restricted panel notes firstly that not all individuals whose data is transmitted hold an account on the Z social network. Indeed, the restricted panel notes that the company does not dispute that it transmitted to Group Y the data of all loyalty program members who had agreed to receive marketing messages by email and/or SMS, without knowing at that stage whether or not they were registered on Z, the objective being to identify loyalty program members who were already users of the social network. In this regard, the restricted panel further notes that, according to the information provided by the company, the match rate between the data transmitted by X and that held by Group Y is only 15%.
49. The restricted panel notes that, in any event, the consent given by users of the social network Z cannot replace the consent that should have been obtained by company X. Firstly, the restricted panel recalls that the company, as data controller, was required to ensure, before implementing the processing and therefore before transmitting the data to the Y group, that the data subjects had given their consent, which was not the case here. Secondly, it appears from the documents provided by the company in its observations of June 23, 2025, that when registering on Z, the data subjects accept the terms of use of the social network and the display, by the Y group, of targeted advertisements based on data transmitted by its partners. This consent thus relates exclusively to the operations carried out on the Z social network, and not to the processing carried out upstream by company X.
50. Under these circumstances, the processing carried out by Company X cannot be based on the consent obtained by Group Y.
51. Thirdly, regarding the “encryption” of data using the SHA256 hash function (hashing, strictly speaking, rather than encryption) and a “JavaScript pixel,” on which the company relies, the restricted panel notes, firstly, that only the email addresses transmitted to Group Y were hashed, while the telephone numbers were transmitted in plain text. Secondly, the restricted panel notes that while hashing does allow for secure transmission, which is good practice, this does not change the fact that the data is transmitted within the framework of the aforementioned processing, which is the subject of the breach in question.
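As an added illustration (example code, not the company’s pixel or Group Y’s matching code), the following Python shows what hashing an identifier before upload does and does not achieve. The normalisation rules, the choice to hash phone numbers as well, and all member and platform records are this example’s assumptions and constructed data. The receiving platform holds the same identifiers for its own users, so it recomputes the hashes and links each upload to an account: the hash protects the data in transit and hides non-users from the platform, but the upload still identifies every matched person, which is the panel’s point.

```python
"""Added example (not the company's or Group Y's code): hashing an identifier
before upload.  Records are constructed; normalisation rules are assumptions."""
import hashlib
import re


def normalise_email(email: str) -> str:
    # Both sides must apply identical normalisation, or hashes never collide.
    return email.strip().lower()


def normalise_phone(phone: str, default_country: str = "+33") -> str:
    # Assumption: French numbers; "06 12 34 56 78" -> "+33612345678".
    digits = re.sub(r"\D", "", phone)
    if phone.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("0"):
        return default_country + digits[1:]
    return default_country + digits


def pseudonymise(value: str) -> str:
    # Unkeyed SHA-256, as in the decision.  Anyone holding the same value can
    # recompute it, so this is pseudonymisation, not anonymisation.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def prepare_upload(member: dict) -> dict:
    """Hashes every identifier before it leaves the controller.  The decision
    found only e-mails were hashed and phone numbers went in plain text; here
    both fields get the same treatment."""
    return {
        "email_h": pseudonymise(normalise_email(member["email"])),
        "phone_h": pseudonymise(normalise_phone(member["phone"])),
    }


def platform_index(users: list) -> dict:
    """What the receiving platform can build from its own account data: the
    same hashes, keyed back to its own user identifiers."""
    index = {}
    for u in users:
        index[pseudonymise(normalise_email(u["email"]))] = u["uid"]
        index[pseudonymise(normalise_phone(u["phone"]))] = u["uid"]
    return index


def match(uploads: list, index: dict) -> set:
    """Platform user ids that the upload identifies (the 'matching')."""
    hits = set()
    for rec in uploads:
        for key in ("email_h", "phone_h"):
            if rec[key] in index:
                hits.add(index[rec[key]])
    return hits


def match_rate(members: list, users: list) -> float:
    uploads = [prepare_upload(m) for m in members]
    return len(match(uploads, platform_index(users))) / len(members)


# Constructed data: 20 loyalty members, 3 of whom also hold a platform account
# (one of them recognisable only through the phone number).
MEMBERS = [
    {"email": f"member{i}@example.org", "phone": f"06 00 00 00 {i:02d}"}
    for i in range(20)
]
USERS = [
    {"uid": "u1", "email": "Member3@Example.org", "phone": "+33 6 00 00 00 03"},
    {"uid": "u2", "email": "member7@example.org", "phone": "0600000007"},
    {"uid": "u3", "email": "other@example.net", "phone": "06 00 00 00 11"},
    {"uid": "u4", "email": "nobody@example.net", "phone": "07 99 99 99 99"},
]

if __name__ == "__main__":
    print(f"match rate: {match_rate(MEMBERS, USERS):.0%}")
```

Phone numbers deserve a separate caveat even when hashed: a national numbering space holds on the order of 10^9 values, so an unkeyed SHA-256 of a phone number can be reversed by exhaustive enumeration on commodity hardware. A keyed hash (HMAC with a secret shared only between the two parties) closes that gap, but it still leaves the platform able to identify its own users, as the matching requires.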
52. Fourth, the restricted panel considers that the fact that Group Y deleted certain data following its receipt and comparison has no bearing on the processing carried out by Company X, as the data was indeed transmitted by X.
53. Finally, regarding the number of individuals affected by the processing in question, the restricted panel notes that, while 1.6 million people saw personalized advertising for X products on Z between June 2022 and February 2024, all the data of loyalty program members who had agreed to receive marketing messages by SMS and/or email, namely 10.5 million people, were effectively transmitted to Group Y, and therefore these individuals must be considered as being affected by the processing carried out.
54. In light of all the foregoing, the restricted panel considers that a breach of Article 6(1)(a) has occurred, insofar as the consent on which it intended to base its targeted advertising processing carried out through campaigns on the social network Z, and for the purposes of which it transmitted data to Group Y, was not validly obtained.
55. While the restricted panel acknowledges that the company ceased all data transmissions to Group Y in February 2024 and that an injunction is therefore moot on this point, the breach nevertheless remains established for the past period.
D. On the failure to inform individuals pursuant to Article 13 of the GDPR
56. Article 13 of the GDPR lists the information that must be provided to the data subject when personal data is collected directly from them. This information includes, in particular, the identity and contact details of the data controller, the purposes of the processing, its legal basis, the recipients or categories of recipients of the data, and whether the data controller intends to transfer data to a third country. This article also requires the data controller, where necessary to ensure “fair and transparent processing” of personal data, to inform individuals about the data retention period, their various rights, their right to withdraw their consent at any time, and their right to lodge a complaint with a supervisory authority.
57. The rapporteur considers that at the time of the control operations, the information contained in the company’s “personal data policy”, accessible from the account creation form (and therefore at the time of registration for the loyalty program) as well as from the footer of each of the site’s pages, was incomplete: the legal bases for processing were not given per purpose, the retention periods for the loyalty program were not indicated, and the information on data transfers was out of date, since it still referred to the “Privacy Shield”, which, since the CJEU judgment of 16 July 2020 (CJEU, Grand Chamber, 16 July 2020, Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems, Case C-311/18, the “Schrems II” judgment), no longer provides a sufficient legal guarantee for transfers of personal data from the European Union to the United States.
58. The rapporteur also notes that none of the company’s information documents, namely the “General Terms and Conditions of the Loyalty Program,” the “Personal Data Policy,” and the “General Terms and Conditions of Sale,” ever mentioned the purpose of targeted advertising on the Z social network or the corresponding legal basis, nor did they contain any information regarding the joint liability between Group Y and Company X, which the company claims, concerning campaigns launched on the Z social network.
59. In its defense, while the company acknowledges that its 2023 “Personal Data Policy” could have been clearer, it maintains that it did contain a list of the processing operations implemented, including the matching of members’ data with Company Z, and that each processing operation stated its purpose and was linked to its legal basis. It specifies that, in any event, the information notice relating to this matching was removed as soon as the transmission of data to Group Y ceased in 2024. To demonstrate this, it provides its new “Personal Data Policy” of September 2025, which, according to it, clarifies the various processing operations implemented and explains the corresponding legal basis for each processing purpose. It also explains that it updated the information relating to international data transfers on June 20, 2025, by removing references to the “Privacy Shield” data protection framework. Finally, it indicates that it amended the “General Terms and Conditions of the Loyalty Program” in September 2025 to state that the data of loyalty program members is retained for two years.
60. First, the restricted panel notes that it appears from the findings made during the online check of 5 January 2023 that the “personal data policy” accessible from the website “[…]” contained at that date an article 3 entitled “Why X collects and uses your data”, in which the company first informed users that it “may have to process [their] personal data on several grounds”, before listing several legal bases provided for by the GDPR, such as the performance of a contract or pre-contractual measures, consent, legitimate interest or a legal obligation. In the following paragraph, the company indicated “the reasons” for processing the data and provided a list of the purposes for which the processing was carried out, for example, the management and administration of the website, the processing of requests to exercise rights, membership in the loyalty program and its management, or the analysis of connection and browsing data for targeted advertising of the services offered by the website. The restricted panel considered that such a presentation of the legal bases and purposes, without a clear correspondence between these two elements, was imprecise. It did not allow users to fully understand the processing carried out or to understand that certain processing was based on their consent and that they could therefore withdraw it if they wished.
61. The restricted panel notes that the “Personal Data Policy” submitted by the company in its second set of observations in defense, in September 2025, now includes, in Article 4, a table presenting the various purposes of the processing, along with their corresponding legal bases and the processing operations concerned. This presentation allows users to be clearly informed, for each processing operation, of its purpose and legal basis.
62. Secondly, regarding the information on targeted advertising on the Z social network, the restricted panel notes that Article 3 of the company’s “Personal Data Policy,” in its version in force at the time of the audits, specified that the data collected by the company was processed “for membership in the loyalty program and the management of the loyalty program, including matching members’ data with that of company Z.” Article 10 of the “General Terms and Conditions of Online Sale,” accessible from the footer of each page of the website, also specified that the data collected from the user was reserved “for the use of the Customer Marketing Department, the Digital Strategy & Innovation Department of Company X, and Company Z, acting as subcontractors,” and that “personal information [was] necessary […] for matching customer data with that of Company Z.” Article 11, meanwhile, stipulated that “in accordance with applicable regulations, the member is informed that all the information provided by them in the questionnaire included in the Membership Application [was] necessary for processing and issuing the X Card, as well as for the process of matching customer data with that of Company Z.”
63. The restricted panel notes that although these statements refer to the matching of members’ data in the loyalty program with that of “company Z”, neither the “general terms and conditions of sale”, nor the “personal data policy”, nor any other information document prepared by company X mentions the purpose of this matching, namely the production of targeted advertising on the social network Z. The legal basis for such processing is not mentioned either.
64. The restricted panel notes that, since the company ceased all data transmission to Group Y in February 2024, such information notices are now irrelevant.
65. Thirdly, the restricted panel observes that the information provided by the company to its clients at the time of the online audit of January 5, 2023, stating that the transfer of data to partners located outside the European Economic Area was based on the EU-U.S. Privacy Shield, was misleading insofar as, as the rapporteur points out, this instrument no longer guarantees, since the CJEU decision of July 2020 cited above, a sufficient legal safeguard to permit the transfer of personal data from the European Union to the United States.
66. The restricted panel acknowledges the amendment made by the company on June 20, 2025, to its personal data policy, which now states that such transfers are governed by the EU-US Data Privacy Framework (the European Union-United States data protection framework, which the European Commission, in a decision of July 10, 2023, considered to offer a level of protection substantially equivalent to that of the European Union).
67. Fourth, the restricted panel observes that the “personal data policy,” accessible from the website “[…]”, contained, as of the date of the online audit of January 5, 2023, no information regarding the data retention periods for members within the framework of the loyalty program.
68. It notes that the new “Personal Data Policy,” dated September 2025, specifies that data “relating to the customer account and the use of the loyalty number are kept for two (2) years from the last login to the account or use of the loyalty number.” The restricted panel considers that this clarification now allows individuals to be fully informed of the retention period for their data collected in connection with their membership in the loyalty program and acknowledges the company’s compliance on this point.
69. In light of the foregoing, the restricted panel considers that, at the time of the online audit of January 5, 2023, the information documents presented on the website “[…]” and intended, in particular, to inform individuals about the processing of their personal data, did not provide complete, clear, and accurate information, which constitutes a breach of the provisions of Article 13 of the GDPR.
70. The restricted panel observes that the company complied during the investigation and that, therefore, the issuance of an injunction, as proposed by the rapporteur, appears unnecessary. Nevertheless, the measures adopted do not call into question the existence of the breach for past events.
E. On the breach of the obligation to ensure data security pursuant to Article 32 of the GDPR
71. In law, Article 32 of the GDPR requires the data controller, “taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, of varying likelihood and severity, to the rights and freedoms of natural persons, [to] implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”
72. It follows from these provisions that the data controller is required to ensure that the automated data processing it implements is sufficiently secure. The adequacy of the security measures is assessed, firstly, with regard to the characteristics of the processing and the risks it entails, and secondly, taking into account the state of the art and the cost of the measures.
1) On the strength of user account passwords
73. With regard to passwords, overly permissive complexity rules, which allow the use of insufficiently strong passwords, can lead to attacks by unauthorized third parties, such as “brute-force” or “dictionary” attacks, which consist of successively and systematically testing numerous passwords and thus lead to the compromise of the associated accounts and the personal data they contain.
74. Strong passwords are thus recommended both by the French National Cybersecurity Agency (ANSSI), notably in its guide “Recommendations relating to multi-factor authentication and passwords” of October 8, 2021, and by the Commission.
75. Indeed, in its deliberation no. 2022-100 of July 21, 2022, adopting a recommendation on passwords and other shared secrets—which, while not mandatory, provides relevant guidance on the security measures to be taken—the CNIL (French Data Protection Authority) reiterates that, to ensure a sufficient level of security and confidentiality, a password policy with a sufficiently high level of entropy should be adopted. The Commission clarifies in this regard that “entropy” refers to the amount of randomness inherent in a system. For a password or cryptographic key, this corresponds to its degree of unpredictability, and therefore its resistance to a brute-force attack.
76. Thus, assuming authentication relies solely on a username and password, the Commission recommends that the complexity set in the password policy ensure the equivalent of an entropy of at least 80 bits. This corresponds, for example, to a minimum of 12 characters including uppercase letters, lowercase letters, numbers, and special characters chosen from a list of at least 37 possible special characters; or to a minimum of 14 characters including uppercase letters, lowercase letters, and numbers without any mandatory special characters; or to a passphrase composed of at least 7 French words.
77. Failing that, the Commission considers that authentication based on a password with an entropy of at least 50 bits also ensures a sufficient level of security and confidentiality, i.e. for example a password with a minimum length of eight characters, composed of three of the four categories of characters (uppercase letters, lowercase letters, numbers and special characters, the latter having to be taken from a set of at least 11 characters), if it is accompanied by a mechanism to restrict access to the account such as, for example, the time-out of access to the account after several failures (temporary suspension of access whose duration increases with each attempt), the implementation of a mechanism to protect against automated and intensive submissions of attempts (e.g. “captcha”) and/or the blocking of the account after several unsuccessful authentication attempts (a maximum of ten). In this regard, the CNIL has made available to stakeholders an online tool for easily calculating password entropy.
78. The Commission also specifies, in the aforementioned decision, that stakeholders may implement security measures other than those described in this recommendation if they can demonstrate that these measures guarantee at least an equivalent level of security. It further specifies that, in light of current best practices, any data controller using passwords must guarantee a minimum level of security based, firstly, on a sufficient level of entropy, possibly with a mechanism for restricting account access, and secondly, on implementation and governance rules that ensure password security throughout its entire lifecycle.
79. The rapporteur notes that, during the online inspection of 5 January 2023, the delegation observed that when creating a user account on the website “[…]”, an eight-character password, with the sole requirement of containing at least one number, was accepted. She also notes that the company confirmed the findings of the inspection delegation and added that it used a tool called “[…]”, which blocked brute-force password attacks. This blocking was achieved either by displaying a CAPTCHA or by blocking requests to the login page from the originating IP address. The rapporteur considers that such passwords, lacking sufficient complexity, did not ensure the security of the personal data processed by the company or prevent unauthorized third parties from accessing it.
80. The company does not dispute the insufficient strength of the passwords identified during the CNIL’s online audit, but states that it implemented corrective actions as early as November 6, 2024. It specifies that it strengthened password complexity requirements by imposing a combination of eight characters including a special character, a number, and uppercase and lowercase letters to achieve a minimum entropy of 50 bits. It also asserts that in June 2025, it further strengthened passwords by requiring them to be composed of a minimum of twelve characters and expanding the range of special characters, now set at 37, to achieve an entropy of 80 bits.
81. The restricted panel notes that the investigation revealed that the passwords of individuals creating an account on the website “[…]” (an account that holds the surname, first name, date of birth, telephone number, email address, and postal address of the person concerned) could, at the time of the online audit of January 5, 2023, be composed of eight characters, the only complexity criterion imposed on users being the inclusion of a number in their password. Thus, the weakest passwords accepted under the criteria defined by the company had an entropy of 26 bits, whereas the CNIL (French Data Protection Authority) recommends an entropy of at least 50 bits where authentication is combined with a mechanism restricting access to the account, as was the case here.
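The figures in paragraphs 76, 77 and 81 follow from one convention: a policy is only as strong as the weakest password it accepts, so the attacker’s alphabet is the union of the categories the policy requires, and entropy is length × log2(alphabet size). The Python below, an added example and not the CNIL’s online calculator, applies that convention to the audited policy and to the deliberation’s own examples; the category names, the `acceptable` helper and the rounding rule are this example’s assumptions.

```python
"""Added example (not the CNIL's tool): lower-bound entropy of a password
policy.  Convention (an assumption of this example): the attacker only has to
cover passwords built from the categories the policy *requires*, since a user
may omit every optional one."""
import math

# Alphabet sizes; the size of the special-character set is policy-specific.
BASE_CATEGORIES = {"lower": 26, "upper": 26, "digits": 10}


def alphabet_size(required, special_count=0):
    """Smallest alphabet from which a policy-compliant password can be drawn."""
    if not required:
        raise ValueError("a policy must require at least one category")
    size = 0
    for cat in required:
        size += special_count if cat == "special" else BASE_CATEGORIES[cat]
    return size


def policy_entropy_bits(length, required, special_count=0):
    """Entropy in bits of the weakest class of password the policy accepts."""
    return length * math.log2(alphabet_size(required, special_count))


def acceptable(bits, access_restriction):
    """Thresholds of CNIL deliberation 2022-100: 80 bits for a password alone,
    50 bits when the account is protected by a lockout, back-off or captcha.
    Rounded, because the deliberation's own 12-character example is 79.55 bits."""
    target = 50 if access_restriction else 80
    return round(bits) >= target


def min_dictionary_size(words, target_bits=80):
    """Smallest word list for which a passphrase of `words` random words
    reaches `target_bits` (the deliberation cites 7 French words)."""
    return math.ceil(2 ** (target_bits / words))


# The audited policy (paragraph 81) and the deliberation's examples (paragraph 76).
POLICIES = {
    "audited (Jan 2023): 8 chars, one digit required": dict(
        length=8, required={"digits"}),
    "CNIL: 12 chars, all four categories, 37 specials": dict(
        length=12, required={"lower", "upper", "digits", "special"}, special_count=37),
    "CNIL: 14 chars, letters and digits": dict(
        length=14, required={"lower", "upper", "digits"}),
}


def report():
    """Entropy of each policy, rounded to one decimal."""
    return {name: round(policy_entropy_bits(**p), 1) for name, p in POLICIES.items()}


if __name__ == "__main__":
    for name, bits in report().items():
        print(f"{bits:5.1f} bits  {name}")
    print("7-word passphrase needs a dictionary of >=", min_dictionary_size(7), "words")
```

Under this convention a digits-only “12345678” satisfies the audited policy, which is why its score collapses to 8 × log2(10) ≈ 26.6 bits regardless of how many users actually chose letters: the policy, not the user, is what is being rated.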
82. The restricted panel considers that such password construction did not ensure data security or prevent unauthorized third-party access. The company subsequently amended its password policy following the audits, first to require an eight-character combination including a special character, a number, and uppercase and lowercase letters, and later twelve characters with an expanded range of special characters; this does not alter the fact that the passwords accepted at the time of the audits, with an entropy of 26 bits, were insufficient to ensure the security of the processed data in light of best practices.
83. As the rapporteur pointed out, the panel reiterates that the company processed a significant volume of personal data, as, according to the information provided, it processed the data of more than 10.8 million loyalty program members, accessible through customer accounts, including names, surnames, first names, dates of birth, telephone numbers, email addresses, and postal addresses.
84. In light of the foregoing, the restricted panel considers that, on the date of the audits, Company X’s password policy did not ensure the security of the personal data processed, which constitutes a breach of Article 32 of the GDPR.
85. The panel notes that during the proceedings, the company rectified this situation by adopting a new password policy that now ensures a level of security in line with best practices. Under these circumstances, issuing an injunction, as proposed by the rapporteur, no longer appears appropriate.
2) On the storage of passwords
86. The secure storage of passwords is a basic precaution for the protection of personal data. As early as 2013, ANSSI warned and reminded people of good practices regarding password storage, indicating that passwords should “be stored in a form transformed by a one-way cryptographic function (hash function) and slow to compute such as PBKDF2” and that “password transformation must involve a random salt to prevent an attack by precomputed tables” (ANSSI, “CERTA-2013-ACT-046 News Bulletin”, November 15, 2013, https://www.cert.ssi.gouv.fr/actualite/CERTA-2013-ACT-046/). The French National Cybersecurity Agency (ANSSI) also specified in its recommendations on multi-factor authentication and passwords that “the recommended cryptographic hash functions, such as the SHA2 family, are very fast to execute, which, in the context of password storage, is an advantage for attackers, allowing them to test numerous passwords” (https://cyber.gouv.fr/publications/recommandations-relatives-lauthentification-multifacteur-et-aux-mots-de-passe).
87. Similarly, in its deliberation no. 2017-012 of 19 January 2017, the CNIL already indicated that it “recommends [that the password] be transformed using a non-reversible and secure cryptographic function (i.e. using a public algorithm known to be strong whose software implementation is free from known vulnerabilities), incorporating the use of a salt or a key,” a recommendation confirmed in its deliberation no. 2022-100 of 21 July 2022. Indeed, non-robust hash functions have known vulnerabilities that do not guarantee the integrity and confidentiality of passwords in the event of a brute-force attack after the servers hosting them have been compromised. The CNIL also recommends, in its “GDPR Developer’s Guide” published on January 27, 2020, that password storage be done “using a proven library, such as Argon2, yescrypt, scrypt, balloon, bcrypt, and, to a lesser extent, PBKDF2.”
88. Thus, user password storage must be carried out securely. In this regard, it is recommended to store password hashes rather than passwords in plain text. To obtain such a password hash, it is generally necessary to use a mathematically sound cryptographic hash function that is slow to execute, while using a long, random salt for each password (at least 128 bits long), in order to protect against attackers who have pre-calculated lookup tables between passwords and their respective hashes.
89. The rapporteur notes that the passwords for user accounts on the company’s website were stored hashed using the SHA256 hash function and the addition of a salt. She considers that such storage methods constitute a breach of Article 32 of the GDPR, since this function is not designed to allow the secure storage of passwords. Its computational speed could enable an attacker with access to the hashed passwords to create a lookup table between all the most common passwords and their SHA256 derivatives, in order to recover the original passwords from their hashed versions in the database.
90. In its defense, while the company does not dispute the password storage methods identified during the audits, it specifies that the salt used consisted of a 60-character alphanumeric string (480 bits), the user’s email address, the user’s password, and a random component. It maintains that this solution complied with the recommendations of the French National Cybersecurity Agency (ANSSI), which suggests “a random salt at least 128 bits long,” as well as with the recommendations of the French Data Protection Authority (CNIL). It argues that it was therefore confident it was acting in accordance with regulatory requirements and best practices, and that the ANSSI recommendations were ambiguous, given that it noted that “cryptographic hash functions (such as the SHA2 or SHA3 families) seemed at first glance to be good tools for storing passwords.”
91. In its observations in response dated June 23, 2025, the company stated that it had redesigned its storage system and replaced the SHA256 function with Argon2.
92. The restricted panel reiterates that the SHA256 hashing function, belonging to the SHA2 family, is not considered suitable for the secure storage of passwords, as also noted by the French National Cybersecurity Agency (ANSSI) in its Recommendation R29 of October 8, 2021, concerning multi-factor authentication and passwords. It considers that there is a substantial risk that an attacker, gaining access to the company’s information system and its users’ password hashes, could very quickly find the password corresponding to each hash stored by the company, given that the hashing algorithm is very fast and does nothing to slow the attacker down.
93. It notes that while adding a salt increases the number of possible password hashes and protects against attackers using pre-calculated tables, it has no impact on the time needed to search for the password behind each stored hash. Although ANSSI indicates in its aforementioned recommendations that it is advisable to use a randomly chosen salt for each account, with a length of at least 128 bits, it does not infer from this that passwords can be stored using the SHA256 hash function, which it considers very fast to execute and, in the context of password storage, an advantage for attackers. Similarly, the CNIL indicated in its deliberation of July 21, 2022, that every password must, before being stored, be transformed using a specialized, irreversible, and secure cryptographic function incorporating a salt.
94. In this case, the restricted panel considers that, while the company had implemented a recommended security measure by using a 128-bit random salt, this measure remained insufficient because the passwords were hashed with a function that is too fast to slow an attacker down.
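The panel’s reasoning in paragraphs 92 to 94 is a cost argument. The Python below, an added example that is neither the company’s code nor its migration, builds the two stores side by side with a per-user 128-bit random salt, then runs the offline attack the panel describes against a leaked record. scrypt from the standard library stands in for the Argon2 the company adopted, because it needs no third-party package; both are on the CNIL’s list of proven libraries (paragraph 87). The wordlist, the password and the scrypt parameters are this example’s constructed choices.

```python
"""Added example (not the company's code): a leaked, salted SHA-256 record
versus a leaked, salted scrypt record under the same offline attack.
Constructed data throughout."""
import hashlib
import hmac
import os
import time

SALT_BYTES = 16                                     # 128 bits, the ANSSI minimum
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)   # ~16 MiB of memory per guess


def store_sha256(password, salt=None):
    """The audited scheme: a fast general-purpose hash over salt || password."""
    salt = salt or os.urandom(SALT_BYTES)
    return {"kdf": "sha256", "salt": salt,
            "hash": hashlib.sha256(salt + password.encode()).digest()}


def store_scrypt(password, salt=None):
    """A memory-hard KDF: each guess costs the attacker what verification costs us."""
    salt = salt or os.urandom(SALT_BYTES)
    return {"kdf": "scrypt", "salt": salt,
            "hash": hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)}


def derive(record, password):
    if record["kdf"] == "sha256":
        return hashlib.sha256(record["salt"] + password.encode()).digest()
    return hashlib.scrypt(password.encode(), salt=record["salt"], **SCRYPT_PARAMS)


def verify(record, password):
    # Constant-time comparison, so verification itself leaks nothing.
    return hmac.compare_digest(derive(record, password), record["hash"])


def offline_attack(record, candidates):
    """Attacker holding a leaked record: hash *and* salt, since the salt sits
    beside the hash.  The salt rules out precomputed tables, but every candidate
    still has to be hashed once: total cost = guesses x cost of one hash."""
    start = time.perf_counter()
    for guesses, cand in enumerate(candidates, 1):
        if verify(record, cand):
            return {"found": cand, "guesses": guesses,
                    "seconds": time.perf_counter() - start}
    return {"found": None, "guesses": len(candidates),
            "seconds": time.perf_counter() - start}


# Constructed wordlist; "pass0123" satisfies the audited policy (8 chars, one digit).
CANDIDATES = [f"pass{i:04d}" for i in range(200)]
WEAK_PASSWORD = "pass0123"


def compare():
    """Runs the same attack against both stores and reports the throughput."""
    results = {}
    for store in (store_sha256, store_scrypt):
        record = store(WEAK_PASSWORD)
        r = offline_attack(record, CANDIDATES)
        r["guesses_per_second"] = r["guesses"] / max(r["seconds"], 1e-9)
        results[record["kdf"]] = r
    return results


if __name__ == "__main__":
    for kdf, r in compare().items():
        print(f"{kdf:7s} found={r['found']} after {r['guesses']} guesses "
              f"in {r['seconds']:.3f}s ({r['guesses_per_second']:,.0f} guesses/s)")
```

The salt forces the attacker to hash each candidate against each record separately, which is why the precomputed-table attack fails; it does not change the per-guess cost, so for salted SHA-256 the guesses-per-second figure is bounded only by hardware, while scrypt at these parameters pins it to a few tens per second per core. In production the parameters are tuned so that one derivation costs a few tens of milliseconds on the authentication servers, and existing records are rehashed on the user’s next successful login, which is how a migration such as the company’s can be done without forcing password resets.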
95. The restricted panel therefore considers that it was incumbent upon Company X to use a slow hash function for password storage, as clearly indicated in the aforementioned recommendations of the French National Cybersecurity Agency (ANSSI) and the French Data Protection Authority (CNIL), in order to slow down an attacker in identifying the passwords in the event of an attack, such as a brute-force or dictionary attack.
96. In light of the foregoing, the restricted panel considers that, at the time of the audits, the password storage methods of Company X did not ensure the confidentiality of the passwords, which constitutes a breach of Article 32 of the GDPR.
97. The panel notes that during the proceedings, the company rectified this issue by modifying its password storage system, which now ensures the security and confidentiality of the data. Under these circumstances, issuing an injunction, as proposed by the rapporteur, no longer appears appropriate.
F. On the failure to carry out a data protection impact assessment pursuant to Article 35 of the GDPR
98. In law, Article 35(1) of the GDPR provides that “where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may cover a set of similar processing operations which present similar high risks.”
99. According to paragraph 4 of this article, “the supervisory authority shall establish and publish a list of the types of processing operations for which a data protection impact assessment is required […]”.
100. According to recital 91 of the GDPR, an impact assessment “should apply, in particular, to large-scale processing operations which aim to process a substantial volume of personal data at regional, national or supranational level, which may affect a large number of data subjects […]”.
101. For clarification, the guidelines of the Article 29 Working Party (the “WP29,” now the European Data Protection Board) concerning data protection impact assessments (DPIAs) and how to determine whether processing is “likely to result in a high risk” for the purposes of Regulation (EU) 2016/679, as amended and last adopted on 4 October 2017, established a list of nine criteria to be considered in order to provide a more concrete view of processing operations that require an impact assessment due to a high inherent risk. These criteria include, in particular, the collection of personal data on a large scale and the merging or combination of data sets.
102. These guidelines add that, “in most cases, the controller can consider that processing that meets two criteria requires a DPIA.”
103. Following the EDPB’s lead, the CNIL, in its deliberation no. 2018-326 of 11 October 2018, established guidelines on data protection impact assessments (DPIAs). The deliberation outlines the circumstances under which a DPIA is required and refers in particular to the criteria identified by the EDPB.
104. Furthermore, the CNIL reiterates in this deliberation that “generally speaking, processing that meets at least two of the criteria mentioned above must be subject to a DPIA.”
105. Finally, in the aforementioned Guidelines 8/2020 on social media targeting, the EDPB specifies that in cases of joint controllership, “the joint controllers must assess whether a DPIA is necessary. If a DPIA is necessary, they are both responsible for fulfilling this obligation” (§108).
106. The rapporteur notes that the company had not carried out an impact assessment before implementing the targeted advertising processing on social network Z. She considers that, since this involved large-scale data processing and data matching between companies X and Y, it was likely to present a high risk to the rights and freedoms of natural persons and that an impact assessment should therefore have been carried out.
107. In its defense, the company acknowledges that it had not carried out an impact assessment before implementing the aforementioned processing, but maintains that such an assessment has become irrelevant, as the processing in question has ceased. It further states that it has implemented regular monitoring of its processing activities in order to identify those that will require a DPIA in the future.
108. The restricted panel notes that by processing the data of more than 10.8 million people in the European Union, the company was implementing large-scale personal data processing and, moreover, that the processing in question involved cross-referencing data between that held by Company X and that held by Group Y. These points are not disputed by the company.
109. Therefore, given that the processing in question involves a significant volume of data, is likely to result in a high risk to the rights and freedoms of individuals, and that two of the criteria defined by the EDPB were met, the restricted panel considers that the company should have conducted an impact assessment prior to implementing the processing operations related to targeted advertising carried out on social network Z, for the purposes of which it transmitted data to Group Y.
110. The restricted panel thus considers that, by failing to conduct such an assessment, Company X breached the provisions of Article 35 of the GDPR.
111. The restricted panel notes that, since the company has ceased all data transmission to Group Y, conducting a DPIA for the aforementioned processing is now unnecessary. Under these circumstances, issuing an injunction, as proposed by the rapporteur, no longer appears appropriate.
G. On the failure to comply with the obligation to inform the data subjects and obtain their consent before storing information (cookies) on their electronic communications terminal or accessing this information (reading cookies) pursuant to Article 82 of the French Data Protection Act
112. In law, Article 82 of the French Data Protection Act, transposing Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter, “the ePrivacy Directive”), provides that “any subscriber or user of an electronic communications service must be clearly and fully informed, unless they have already been so informed, by the data controller or their representative:
1° Of the purpose of any action intended to access, by means of electronic transmission, information already stored in their electronic communications terminal equipment, or to store information in that equipment;
2° Of the means available to them to object to such access or storage.
Such access or storage may only take place if the subscriber or user has given their consent after receiving this information. This consent may be given through appropriate settings on their connection device or any other device under their control.
These provisions do not apply if access to information stored in the user’s terminal equipment or the storage of information in the user’s terminal equipment:
1° Either has the sole purpose of enabling or facilitating communication by electronic means;
2° Or is strictly necessary for the provision of an online communication service at the user’s express request.
113. This article expressly stipulates that access to or storage of information on a user’s device may only take place after the user has given their consent. Consequently, this article necessarily provides the user with the option to refuse this storage, or to withdraw their consent to the placement of cookies and/or trackers on their device.
114. Since the entry into force of the GDPR, the “consent” referred to in Article 82 above must be understood in accordance with Article 4, paragraph 11 of the GDPR, meaning that it must be freely given, specific, informed, and unambiguous, and manifested by a clear affirmative action.
115. The restricted panel also reiterates that only trackers strictly necessary for providing an online communication service expressly requested by the user, and trackers whose sole purpose is to enable or facilitate electronic communication, are exempt from this requirement to obtain prior consent for their placement or reading.
116. The rapporteur notes that the findings made by the delegation during the online inspection of January 5, 2023, revealed the placement of several cookies on the user’s device before their consent was obtained. Among these cookies is the “IADVIZE” cookie, belonging to an online chat tool (“chatbox”) with an expert advisor, which allows for unique user identification and recording of conversation history. She also notes that seven other cookies enable content personalization based on the user’s browsing history and the analysis of their browsing activity. She therefore considers that these cookies are subject to the requirement of obtaining consent. She also notes that these cookies were not deleted from the browser after the user refused “non-essential” cookies, and that they continued to be read despite this refusal. She considers these facts to constitute a breach of Article 82 of the French Data Protection Act.
117. In its defense, the company admits that the cookies in question were indeed placed before any user consent was obtained. It specifies that, for some of them, it had considered that they could fall within its legitimate interest and insists that the cookies concerned are not intended to collect or transmit data to third parties for profiling or marketing purposes, but are solely intended to optimize the user experience on the website. It adds that, since the audits, it has taken measures to ensure that these cookies are no longer placed without the user’s consent.
118. The restricted panel notes that it appears from the findings made during the online check of 5 January 2023 that, upon arrival on the website “[…]”, the user sees a pop-up window relating to cookies, at the bottom of which are two buttons entitled respectively “Learn more” and “Accept and close”, as well as a link in the top left of the window entitled “continue without accepting”.
119. The delegation observed that even before the user had expressed a choice regarding the placement and reading of cookies on their device, and while the pop-up window was still displayed, eleven cookies were placed on their device.
120. The restricted panel further notes that it is clear from these findings that after clicking on the “continue without accepting” link (and thus refusing the placement and reading of non-essential cookies), the aforementioned eleven cookies were not deleted from the browser and continued to be read.
121. The restricted panel notes that, among these eleven cookies, the “iadvize-5593-vuid” cookie was placed. The company clarified that “IADVIZE” is “an online chat tool (‘chatbox’) with an expert advisor to assist users with their purchases. The cookie [in question] uniquely identifies the user and personalizes the display and conversation based on their browsing activity on the site. It also allows the user to be recognized on each visit in order to maintain their conversation history.” During the investigation, the company further specified that, since January 17, 2023, this online chat no longer appears on all pages of the site but only on contact pages and certain product pages where it is most useful to the user, and that consent is now systematically requested before any cookie related to this service is placed.
122. The restricted panel considers that this cookie, by enabling unique user recognition and recording of conversation history, did not have the sole purpose of enabling or facilitating electronic communication, nor was it strictly necessary for providing a service expressly requested by users of the company’s website. The restricted panel notes in this regard that the company acknowledged that placing such a cookie required the consent of individuals, and that this consent was not obtained in this case.
123. The restricted panel notes that the company provided, during the investigation, a screenshot indicating that consent from individuals has been obtained since January 17, 2023, following the online check of January 5, 2023.
124. Furthermore, the restricted panel notes that, among the eleven cookies mentioned above, the following were also placed: the cookies “t2s-p”, “t2s-analytics”, and “t2s-rank”, whose purpose is to personalize editorial content based on the user’s browsing history in order to offer them suitable products; and the cookies “wizville_cookie_page_load”, “wizville_cookie_session_start_at”, “wizville_cookie_first_visit”, and “wizville_cookie_page_count”, whose purpose is to remember browsing information on the website “[…]” visited by the user, in order to decide whether or not to display a satisfaction questionnaire intended to gather user feedback on the website. It considers that such cookies, which allow for the personalization of website content based on information obtained about users, such as their browsing history, in order to display a satisfaction questionnaire or tailored products, are not intended to enable or facilitate electronic communication and are not strictly necessary for providing an online communication service at the user’s express request.
125. It notes that the company provided, during the investigation, a screenshot of the “wizville” cookie management system demonstrating that consent has been obtained from individuals since March 1, 2023. It also provided a screenshot of the “t2s” cookie management system, as well as screenshots of the website “[…]”, demonstrating that, since June 3, 2025, “t2s” cookies are no longer placed without user consent.
126. In light of the foregoing, the restricted panel considers that by placing and reading the aforementioned cookies on the user’s terminal without first obtaining their consent, Company X violated the provisions of Article 82 of the French Data Protection Act.
127. The restricted panel notes that, following the audit, Company X complied by demonstrating that the aforementioned cookies were no longer placed on users’ terminals before their consent was obtained. It nevertheless reiterates that the compliance measures adopted do not absolve the company of its liability for past actions.
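A compliance check of the kind the delegation performed (paragraphs 118 to 125), written as an added example; it is not part of the decision or of the company’s tooling. The cookie names are those cited in the decision; the values, the exempt allow-list, the URLs and the request log are constructed.

```python
"""Cookie-consent audit over constructed browser snapshots.

Reproduces the structure of the check described in the decision:
  1. which cookies are present while the consent banner is still displayed;
  2. which of them survive, or are newly written, after the user clicks
     "continue without accepting";
  3. which non-exempt cookies are still sent (read) on later requests.
Only cookies on the exempt allow-list (strictly necessary, or whose sole
purpose is enabling communication, Article 82 LIL) may appear at any stage.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass(frozen=True)
class Finding:
    cookie: str
    stage: str   # "before_choice", "after_refusal" or "read_after_refusal"
    reason: str


# Constructed allow-list: the site's own session cookie and the cookie that
# records the consent choice itself. Both names are placeholders.
EXEMPT = frozenset({"phpsessid", "consent_choice"})

# Constructed snapshot of the cookie jar while the banner is still shown.
# Third-party names are those cited in the decision; values are invented.
BEFORE_CHOICE = {
    "phpsessid": "s3ss10n",
    "iadvize-5593-vuid": "vu1d-abc",
    "t2s-p": "p-1", "t2s-analytics": "a-1", "t2s-rank": "r-1",
    "wizville_cookie_page_load": "1", "wizville_cookie_session_start_at": "1700000000",
    "wizville_cookie_first_visit": "1", "wizville_cookie_page_count": "1",
}
# Constructed snapshot after "continue without accepting": nothing was
# deleted, the refusal was recorded, and one more tracker was written.
AFTER_REFUSAL = {**BEFORE_CHOICE, "consent_choice": "refused", "t2s-segment": "x"}
# Constructed request log after refusal: (URL, Cookie request header).
REQUESTS_AFTER_REFUSAL = [
    ("https://shop.example/produit/42", "phpsessid=s3ss10n; iadvize-5593-vuid=vu1d-abc; t2s-p=p-1"),
    ("https://shop.example/contact", "phpsessid=s3ss10n; consent_choice=refused"),
]


def parse_cookie_header(header: str) -> dict[str, str]:
    """Parse a Cookie request header ("a=1; b=2") into {name: value}."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def audit(before: dict[str, str], after: dict[str, str], requests, exempt: frozenset) -> list[Finding]:
    """Return one Finding per non-exempt cookie seen at each stage."""
    findings: list[Finding] = []
    for name in sorted(before):
        if name not in exempt:
            findings.append(Finding(name, "before_choice", "placed before any consent choice"))
    for name in sorted(after):
        if name in exempt:
            continue
        reason = "not deleted after refusal" if name in before else "placed after refusal"
        findings.append(Finding(name, "after_refusal", reason))
    seen: set[str] = set()
    for url, header in requests:
        for name in parse_cookie_header(header):
            if name not in exempt and name not in seen:
                seen.add(name)   # report each cookie once, with the first URL it was sent to
                findings.append(Finding(name, "read_after_refusal", f"sent to {url}"))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per stage, e.g. {"before_choice": 8, ...}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.stage] = counts.get(f.stage, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(BEFORE_CHOICE, AFTER_REFUSAL, REQUESTS_AFTER_REFUSAL, EXEMPT):
        print(f"{f.stage:20} {f.cookie:35} {f.reason}")
```

An empty result from `audit` on a real capture (two cookie-jar exports plus a HAR-derived request list) is what a "continue without accepting" path has to produce for every cookie outside the exempt list.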
III. On corrective measures
128. Article 20-IV of Law No. 78-17 of 6 January 1978, as amended, provides that: “when the data controller or its processor fails to comply with the obligations arising from Regulation (EU) 2016/679 of 27 April 2016 or from this Law, the President of the National Commission for Information Technology and Civil Liberties may […] refer the matter to the restricted panel of the Commission for the issuance, after adversarial proceedings, of one or more of the following measures: […]
2° An order to bring the processing into compliance with the obligations arising from Regulation (EU) 2016/679 of 27 April 2016 or from this Law or to comply with the requests made by the data subject to exercise their rights, which may be accompanied, except where the processing is carried out by the State, by a penalty payment not exceeding €100,000 per day of delay from the date set by the restricted panel;
[…]
7° Except where the processing is carried out by the State, an administrative fine may not exceed €10 million or, in the case of an undertaking, 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher. In the cases referred to in points 5 and 6 of Article 83 of Regulation (EU) 2016/679 of 27 April 2016, these ceilings are increased to €20 million and 4% of said turnover, respectively. The restricted panel shall take into account, in determining the amount of the fine, the criteria specified in the same Article 83.
129. Article 83 of the GDPR, as referred to in Article 20, paragraph IV, of the French Data Protection Act, provides that: “Each supervisory authority shall ensure that administrative fines imposed pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive,” before specifying the factors to be taken into account when deciding whether to impose an administrative fine and when determining its amount.
130. The CJEU has reiterated in this regard that “only an administrative fine whose amount is determined based on the actual economic or material capacity of its recipient […] is capable of meeting the three conditions set out in Article 83(1) of the GDPR, namely that it be effective, proportionate and dissuasive” (CJEU, Grand Chamber, 5 December 2023, C-807/21, “Deutsche Wohnen”; CJEU, Fifth Chamber, 13 February 2025, C-383/23, “Ilva A/S”).
131. Finally, Article 22(2) of the French Data Protection Act provides that “the restricted panel may make public the measures it takes.”
A. On the imposition of an administrative fine and its amount
132. The restricted panel recalls that the relevant criteria of Article 83 of the GDPR must be examined to determine whether an administrative fine should be imposed on the company and, if so, to determine its amount.
1. On the imposition of an administrative fine
133. The rapporteur proposes that the restricted panel impose an administrative fine on the company in light of the breaches of Articles 6, 13, 32, and 35 of the GDPR, as well as Article 82 of the French Data Protection Act.
134. In its defense, the company argues that the breaches identified are not serious, that the data subjects have not suffered any harm, and that no sensitive personal data was affected by the breaches. It also emphasizes its full cooperation with the CNIL (French Data Protection Authority) and the speed with which it implemented the necessary corrective measures, even before being informed of the initiation of sanction proceedings. Finally, it denies any negligence or deliberate action and maintains that it had no prior CNIL decision that could serve as a reference for the processing carried out with Group Y.
135. The restricted panel recalls that, in assessing the appropriateness of imposing a fine, it must take into account the criteria specified in Article 83 of the GDPR, such as the nature, seriousness, and duration of the infringement, the scope or purpose of the processing concerned, the number of data subjects, the measures taken by the controller to mitigate the damage suffered by the data subjects, whether the infringement was committed negligently, the degree of cooperation with the supervisory authority, the categories of data concerned, and the level of damage suffered by the data subjects.
136. First, the restricted panel considers that the criterion laid down in Article 83(2)(a) of the GDPR relating to the nature, seriousness, and duration of the infringement should be applied, taking into account the nature, scope, and purpose of the processing concerned, as well as the number of data subjects.
137. The restricted panel notes, firstly, that several of the identified breaches relate to targeted advertising operations carried out on the social network Z, for the purposes of which the company transmitted the personal data of members of its loyalty program to the Y group. It has been demonstrated that such processing was carried out without the data subjects having given their informed and specific consent, without them having been clearly informed, and without a prior impact assessment. The restricted panel observes, first, that two of these breaches concern fundamental principles of data protection, relating to the lawfulness of processing and the provision of information to data subjects. These breaches fall within the scope of Article 83(5) of the GDPR, and are therefore liable to the highest fine provided for by European law. Secondly, the restricted panel emphasizes the particularly high number of people affected, as the company acknowledged that the data of all members of its loyalty program, namely more than 10.5 million people, had been transmitted to Group Y. Thirdly, regarding the duration of the breaches, the restricted panel notes that the company had been transmitting data to Group Y on a weekly basis since the end of 2018, and that this transmission lasted for more than five years, namely until February 2024. While the company did, on its own initiative, cease the processing in question, which is to its credit, the restricted panel nevertheless notes that it only did so after being subjected to an audit by the CNIL (French Data Protection Authority) which, according to its own statements, raised numerous questions.
138. Regarding the failure to ensure the security of personal data, the restricted panel notes that it concerns basic security obligations, namely the strength of the passwords used and their secure storage. It also notes that this failure affects all of the company’s customers and members of its loyalty program, as the password complexity rules and storage methods are the same for everyone.
139. Finally, regarding the failure related to cookies placed on the user’s device when visiting the website “[…]”, the restricted panel recalls that on the date of the online inspection, the company was processing its users’ data without having obtained their prior consent, by placing cookies on their devices that were subject to obtaining prior consent. It considers that this failure constitutes a substantial infringement of the right to respect for the private life of the individuals concerned.
140. Secondly, the restricted panel considers that the criterion laid down in Article 83(2)(b) of the GDPR, relating to whether the infringement was committed intentionally or negligently, should be taken into account.
141. The restricted panel emphasizes that the number of breaches identified reveals particular negligence on the part of the company. More specifically, with regard to the breach of Article 6(1)(a) of the GDPR, the restricted panel considers that, given the massive scale of the processing in question, the company should have exercised greater vigilance.
142. Furthermore, with regard to the breach of Article 32 of the GDPR, it should be recalled that the Commission regularly communicates about the importance of authentication measures for security, that its recommendations relating to password policy were already well known at the time of the audits, and that since December 2022, it has also made available to organisations, on its website, a tool allowing them to easily check the strength of a password. It further notes that it has regularly imposed financial penalties for breaches of Article 32 of the GDPR due to insufficient measures to guarantee the security of processed data, notably in its deliberations No. SAN-2019-007 of July 18, 2019, No. SAN-2022-018 of September 8, 2022, No. SAN-2023-023 of December 29, 2023, and No. SAN-2024-002 of January 31, 2024.
143. Moreover, regarding the breach of Article 82 of the French Data Protection Act, the restricted panel notes that the Commission has supported digital stakeholders since 2013 by publishing a recommendation and guidelines outlining the principles that must be respected to allow the use of cookies and other tracking technologies. New recommendations and guidelines were adopted in 2020 and have also been widely disseminated. The restricted panel also notes that it has already sanctioned numerous organizations for failing to comply with the obligation to obtain user consent before any read and/or write operation (deliberation no. SAN-2020-012 of December 7, 2020, upheld by the Council of State in its decision no. 44209 of January 28, 2022; deliberation no. SAN-2020-013 of December 7, 2020, upheld by the Council of State in its decision no. 451423 of June 27, 2022).
144. Finally, while acknowledging that the company has implemented measures to ensure its compliance, some of which were taken even before notification of the sanction report, the restricted panel notes that these actions do not absolve the company of its responsibility for past actions.
145. Consequently, the restricted panel considers that an administrative fine should be imposed for the breaches of Articles 6, 13, 32, and 35 of the GDPR and Article 82 of the French Data Protection Act.
2. On the amount of the administrative fine
146. In its defense, the company argues that the amount proposed by the rapporteur is disproportionate and excessive in light of the actual infringement of individuals’ rights. It also cites its deteriorating financial situation in 2024, as well as the potential impact of a high financial penalty on its business. It argues that its net income has decreased, from […] euros in 2023 to […] euros in 2024, and illustrates the specific characteristics of its business model as well as the low margin typical of its sector.
147. The restricted panel notes first that the breaches relating to Articles 6 and 13 of the GDPR are breaches of fundamental principles of the GDPR, which, under Article 83 of the GDPR, may be subject to an administrative fine of up to €20,000,000 or up to 4% of annual turnover, whichever is higher. It further recalls that administrative fines must be dissuasive and proportionate.
148. Secondly, the restricted panel considers that the company’s business and financial situation must also be taken into account. It notes first that the turnover achieved in 2023 was […] euros, with net income amounting to […] euros.
149. The restricted panel then recalls, as detailed in paragraph 130, that to ensure the effectiveness, deterrent effect, and proportionality of the fine imposed, the actual or material economic capacity of the recipient must be taken into account. Such economic capacity cannot be assessed solely on the basis of the net income generated by the company (which may be affected by exceptional items), but must consider a range of financial analysis elements, such as turnover, as referred to in Article 83 of the GDPR, the profit and loss statement, debt, cash flow, etc. In this case, the restricted panel considers that while the company’s net income did indeed decline between 2023 and 2024, an analysis of all the company’s financial data demonstrates that, contrary to its claims, it is not in a deteriorating financial situation, as evidenced in particular by the available cash and reserves held by the company in 2023.
150. Thus, in light of the company’s responsibility, its financial capacity, and the relevant criteria of Article 83(2) of the GDPR mentioned above, the restricted panel considers that an administrative fine of two million five hundred thousand euros (€2,500,000) is appropriate for the breaches of Articles 6(1)(a), 13, 32, and 35 of the GDPR, and that a fine of one million euros (€1,000,000) for the breach of Article 82 of the French Data Protection Act appears dissuasive and proportionate.
B. On the issuance of an injunction
151. In her initial report, the rapporteur proposed that the restricted panel issue an injunction against the company to bring its data processing into compliance with the provisions of Articles 6, 13, 32, and 35 of the GDPR and Article 82 of the French Data Protection Act, accompanied by a penalty payment.
152. In its defense, the company argues that issuing an injunction is unnecessary, since it implemented compliance measures during the proceedings.
153. In light of the points discussed above and the company’s compliance with all the identified breaches, the restricted panel considers that there is no need to issue an injunction.
C. On the Publication of the Sanction
154. The company contests the rapporteur’s proposal to make this decision public, arguing in particular that such publicity risks undermining its commercial stability and the confidence of its members, without benefiting the public interest and while giving an advantage to its competitors.
155. The restricted panel considers that the publication of this decision is justified in light of the breaches in question and the number of people affected, the use of targeted advertising on the social network Z being, in particular, a widespread practice among economic actors. In this context, it is important to inform the people concerned about the applicable rules regarding consent. The restricted panel considers, however, that, from this perspective, publication of the decision without the company being specifically identified is sufficient.
FOR THESE REASONS
The CNIL’s restricted panel, after deliberation, decides:
– to impose on company X an administrative fine of three million five hundred thousand (3,500,000) euros for all the breaches found, broken down as follows:
o two million five hundred thousand (2,500,000) euros for the breaches of Articles 6(1)(a), 13, 32, and 35 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
o one million (1,000,000) euros for the breach of Article 82 of Law No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties;
– to publish its decision on the CNIL website and on the Légifrance website, without explicitly identifying the company upon publication.
The President
Philippe-Pierre CABOURDIN
This decision may be appealed to the Council of State within two months of its notification.
</pre>