France’s data protection regulator, CNIL, recently announced that it has fined the online shoe retailer, ‘Spartoo’ 250,000 Euros for breaching european data protection laws. While the General Data Protection Regulation (GDPR) only applies to organizations that do business with customers or potential customers in the EU, many GDPR obligations are replicated in data protection laws around the world (such as the California Consumer Privacy Act (CCPA)). 

Here I look at lessons that all organizations can learn from this decision, suggesting how your data and data protection practices, policies and procedures might be improved. I look at each of the breaches identified by CNIL in turn. 

Breach of the principle of data minimization (see article 5-1c of the GDPR)

This is the principle that an organization should not be gathering more personal data from its customers or potential customers than is necessary.

In this case, CNIL identified the full and permanent recording of customer service calls as unnecessary. It was revealed that only one phone call of one employee was audited per week. 

Take home message: Organizations cannot simply ‘hoover up’ data passively. Organizations need to have an intentionally designed data collection process in place that does not gather more personal data than is necessary to carry out its business.

A breach of the obligation to limit the retention period for data (article 5-1e of the GDPR)

CNIL found that Spartoo had inadequate processes in place to get rid of personal data after a certain period of time had elapsed. It held that retaining customer emails and passwords after five years was not GDPR-compliant. 

Take-home message: Organizations need to ensure that their systems automatically flag when data has been kept for a certain period of time (for example more than two years) without being used, and schedule that data for deletion. 

A breach of the obligation to inform (article 13 of the GDPR)

The privacy policy on the company’s website indicated that consent was the basis for personal data processing, when a range of other bases (such as the legitimate interests of the company) were the actual reasons for processing.  In addition, CNIL found that when taking phone calls, customers were not given sufficient information about what their information would be used for. 

Take-home message: Your company privacy policy is not a museum piece – it cannot sit statically on your website to indicate how you initially thought personal data would be processed. It needs to be updated to reflect the actual grounds used by an organization to process personal data. In addition, company training programs must ensure that all employees are trained to fully inform customers of how personal data will be processed. 

A breach of the obligation to secure data (article 32)

Security flaws identified by CNIL included: 

-The retention of unencrypted scans of customer bank cards for more than six months; 

-Allowing customers to have passwords that were unduly weak. 

Take home message: Organizations need to ensure that the data protection, privacy and information security policies and processes are lined up, especially when it comes to sensitive financial data.


Whether or not your organization operates in the EU, or somewhere else with similar regulations (like California), the recommendations in this decision represent good data protection practices. By minimizing data, retaining it only as long as necessary, informing customers and implementing robust cyber security, you ensure that you are implementing a robust data governance framework

The post Spartoo Sanction: Time to Adjust Your Data Protection Practices? appeared first on Lumix.