Administrative fine of €80,000 imposed by the French Data Protection Authority on CALOGA for violating articles 5, 6, and 7 of the GDPR

The National Center for the Protection of Personal Data (NCPDP), for informational and practical purposes, reports on the administrative fine of €80,000 imposed by the French Data Protection Authority (CNIL) on CALOGA for violations of article 5 (Principles relating to the processing of personal data), article 6 (Lawfulness of processing), and article 7 (Conditions for consent) of the General Data Protection Regulation (GDPR).

As part of its 2022 priority focus on the oversight of direct marketing practices, CNIL investigated the activities of actors in this ecosystem—particularly data intermediaries known as data brokers. CNIL thus carried out investigations into CALOGA, which obtained marketing data primarily from other data brokers, online game competition organizers, and product testing websites. CALOGA used these data to send email marketing messages to potential customers on behalf of its advertising clients. It also shared part of these data with its clients so they could conduct their own electronic marketing campaigns.

Following the investigations, CNIL identified several infringements, including:

• Failure to obtain valid consent from individuals to receive electronic commercial offers (article L.34-5 of the French Postal and Electronic Communications Code): the misleading nature of the consent forms used by data brokers made it impossible to obtain freely given and unambiguous consent, as required under the GDPR, which should have formed the legal basis for CALOGA’s marketing activities;

• Failure to allow for withdrawal of consent (article L.34-5 of the CPCE, as referenced in article 7 GDPR): in CALOGA’s system, potential clients could not unsubscribe from the company’s various databases with a single click. Therefore, withdrawing consent was not as easy as giving it;

• Failure to ensure a legal basis for data processing (article 6 GDPR): in its role as a data broker, the company shared databases with other partners, who then used them to send marketing emails on behalf of their own advertising clients;

• Failure to define and respect a proportional data retention period (article 5(1)(e) GDPR): every time a potential client opened one of the company’s emails—even by mistake—CALOGA extended the retention period for that individual’s data in its databases, potentially indefinitely.

In this context, CNIL imposed an administrative fine of €80,000, which was made public. The amount of the fine was determined based on the large number of individuals involved, the company’s longstanding position on the market, the financial gain obtained from the violations, and the company’s complete cessation of operations in 2024.

NCPDP, as the national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the legal framework on personal data protection and to ensure that data processing operations are conducted in accordance with the applicable law.