CNIL fines HUBSIDE.STORE €525,000 over data regulation failures

The French authority said that the fine demonstrates the seriousness of the breach.

The technology and lifestyle store HUBSIDE.STORE has been fined €525,000 ($570,639) by the French National Commission on Informatics and Liberty (CNIL) for using customer data in prospecting campaigns without proper consent.

HUBSIDE.STORE, which promotes its electronic products via phone and SMS, was found using customer information from data brokers for commercial prospecting activities – without ensuring that the individuals had given their valid consent for the purposes.

The data, which contained user information from multiple European countries, was bought from data brokers and publishers of competition and product testing websites. CNIL thought these consent forms were misleading and made it impossible to obtain “free and unambiguous consent” from the users.

“The misleading appearance of the data collection forms used by data brokers responsible for collecting the data did not allow valid consent to be obtained from the individuals concerned,” the authority said.

CNIL also found that the forms that collected customers’ data hadn’t included HUBSIDE.STORE properly in the list of partners that individuals could be contacted by.

Breaching EU GDPR

Even though the company bought the information from data suppliers, CNIL says that it is the responsibility of the company that’s using the data to comply and ensure that the data has been collected in a fair manner with valid consent.

Failure to do so meant HUBSIDE.STORE was found to be breaching both provisions of Article L. 34-5 of the French Post and Electronic Communications Code with its SMS operations, and GPDR Article 6 by its phone activities.

The company also breached GDPR Article 14 for not informing individuals sufficiently when calling them. For those contacted by phone, investigations revealed that they did not have or receive all the necessary information on the collection and use of their personal data, which included:

  • the identity and contact details of the organization;
  • the purposes for using the data;
  • the retention periods;
  • the source of the data; and
  • their rights or even their possibility of lodging a complaint with the CNIL.

The €525,000 fine, about 2% of the company’s turnover, was set by CNIL to demonstrate the “seriousness of the breach and the responsibility assumed by the organisation using the data collected”.