The National Center for Personal Data Protection (NCPDP), for information and application purposes, communicates about the fine in the amount of 40 million euros applied by the French Supervisory Authority (CNIL) to CRITEO for the infringement of the legal provisions stipulated in GDPR.
CRITEO specialises in “behavioral retargeting”, which consists of tracking the navigation of Internet users in order to display personalised advertisements. To this end, the company collects the browsing data of Internet users thanks to the CRITEO tracker (cookie) which is placed on their terminals when they visit certain CRITEO partner websites. Then, it participates in real time bidding and displays personalised advertising if it has won the bid.
Following complaints lodged by the organizations Privacy International and None of Your Business, the CNIL carried out several investigations into CRITEO.
The French SA found five breaches of the GDPR:
· Failure to demonstrate that the person has given consent (Article 7.1 GDPR)
· Failure to comply with the obligation of information and transparency (Articles 12 and 13 GDPR)
· Failure to respect the right of access (Article 15.1 GDPR)
· Failure to comply with the right to withdraw consent and erasure of data (Articles 7.3 and 17.1 GDPR)
· Failure to provide for an agreement between joint controllers (Article 26 GDPR)
In this context, the CNIL imposed a fine of 40 million euros on CRITEO. Pursuant to the one-stop shop set up by the GDPR, this decision was submitted to all the other 26 European supervisory authorities, since they were all concerned by this cross-border case and they all approved it.
The NCPDP, as national supervisory authority for personal data processing, emphasizes the responsibility of personal data controllers to comply with the provisions of legal framework on personal data protection and to ensure that personal data processing operations are in accordance with the legislation in force.