Administrative fine of €240,000 imposed by the French Data Protection Authority on KASPR for infringing the legal provisions of the GDPR
The National Center for Personal Data Protection (NCPDP), for information and enforcement purposes, informs about the administrative fine of 240 000 euros imposed by the French Data Protection Authority (CNIL) on KASPR for violation of Article 5 – Principles relating to processing of personal data, Article 6 – Lawfulness of processing, Article 12 – Transparent information, communication and modalities for the exercise of the rights of the data subject, Article 14 – Information to be provided where personal data have not been obtained from the data subject, Article 15 – Right of access by the data subject.
KASPR markets an extension for the Chrome browser that enables paying customers to obtain the professional contact details of people whose profiles they visit on the LinkedIn social network. To do this, the company builds a database of contact details from LinkedIn and other websites such as domain name registries. The contact details thus collected generally enable the company’s customers to contact the target persons, for example for commercial prospecting, recruitment or identity verification. KASPR’s database contains about 160 million contacts.
The French supervisory authority, the CNIL, received many complaints from people who had been canvassed by entities that obtained their contact details via the KASPR extension.
The CNIL found several breaches of the GDPR:
- Failure to comply with the obligation to have a legal basis (Article 6 of the GDPR)
- Failure to comply with the obligation to define and respect a data retention period proportionate to the purpose of the processing (Article 5-1-e of the GDPR)
- Failure to comply with the obligation to provide transparency and information to individuals (Articles 12 and 14 of the GDPR)
In this context, CNIL imposed a fine of 240,000 euros on KASPR for all these breaches, and ordered the company to:
- cease collecting the data of persons who chose to limit the visibility of their contact details, and delete the data collected in this way. If it is impossible to distinguish the data whose visibility had been limited, the company will have to inform the persons concerned, within 3 months, of the processing of their data and of the possibility of objecting to it, and to use their data solely for this purpose;
- stop the automatic renewal of the storage of personal data of target persons;
- inform the people whose data is collected in a language they understand;
- respond to requests for access from individuals, providing all available information on the sources of data collection.
The NCPDP, as the national supervisory authority for the processing of personal data, emphasizes the responsibility of personal data controllers to comply with the provisions of the legal framework for the protection of personal data and to ensure that personal data processing operations comply with the legislation in force.