As has now become known, the French retailer and wholesaler Carrefour has to pay a penalty of 3, for various violations of the General Data Protection Regulation (GDPR) Pay millions of euros. The reason given by the CNIL data protection authority was the storage of 28 millions of customer data from a bonus program.

However, these were not current customers – behind the stored data records were people who had not had a business relationship with the retailer for five to ten years. The Carrefour website was also criticized. The company previously saved customer data here for up to four years after the last purchase.

In addition, the data protection authority complained, among other things, that the trader only responded late or not at all to requests for information. Although the violations found during an inspection would certainly have justified a much higher penalty, the CNIL decided not to do so. According to the authority, Carrefour would have made massive efforts to remedy the grievances. Thus, at least at the retailer and wholesaler Carrefour, the handling of customer data now seems to be GDPR-compliant again.

At the beginning of last year, the French data protection authority imposed “Commission Nationale de l’Informatique et des Libertés ”fined the search engine giant Google a record fine of 50 millions Euro. But in Germany, too, the data protectionists were not inactive. The Federal Data Protection Commissioner Ulrich Kelber imposed a fine on provider 1 & 1 totaling 10 million euros . The reason given by the supervisory authority was customer authentication on the hotline. Here it was sufficient to identify yourself based on your name and the date of birth. Then it was possible to obtain extensive information on further personal customer data.