Carrefour France Investigation by CNIL

€ 2250000 in fines


Carrefour France has been fined by CNIL for violating GDPR and French data protection laws, including excessive data retention, unclear data processes, inadequate response to requests, security breaches, and unlawful use of cookies. They also sent prospecting emails despite objections and did not provide unsubscribe links.

Our analysis

In 2019, the French Data Protection Authority (CNIL) investigated the online retail store, operated by Carrefour France, after receiving fifteen complaints related to the website between June 2018 and April 2019. The CNIL found several violations of the General Data Protection Regulation (GDPR), the French Data Protection Act (Loi Informatique & Libertés), and the French postal and electronic communications code, including the use of deceptive patterns. Some of the violations included Carrefour sending prospecting emails to data subjects who had objected, not providing a positive response to data deletion and access requests, not including an unsubscribe link in commercial emails, keeping data on loyalty program members for four years after their last contact with the company, keeping a copy of a data subject's ID card after their request was met, and systematically requesting an ID card for the exercise of a right by a data subject, violating Article 12 GDPR. The CNIL also investigated the information provided to data subjects, including the spread of mandatory information on data processing across several web pages, making the information part of the terms and conditions of the loyalty program, and referring data subjects to the privacy policy on the website without specifying the exact URL address. The use of vague wording was also a violation, such as "These treatments mainly include" and "for one or more of the following purposes for which your data may be used." 
The CNIL reminded Carrefour France that the appropriate data retention period should be determined based on the purpose of the processing and the specifics of the business sector of the data controller. For loyalty program members of a retail company, the CNIL recommends a maximum retention period of three years. The CNIL found that Carrefour violated Article 5(1)(e) GDPR by keeping a copy of a data subject's ID card for up to six years when dealing with data subjects' exercise of rights. The systematic request for an ID in order to exercise a right was also a violation, making the exercise of right harder than it should be, and Carrefour exceeded regularly the one-month delay to answer a request. Regarding the right to information, the CNIL found that the information provided to data subjects was not easily accessible and not clear, concise, and transparent as required by Articles 12 and 13 GDPR. The information was spread-out across several web pages and not organised nor prioritised, and several mandatory information were missing or incorrect.


In a joint effort with CNIL, Carrefour France has been sanctioned for the use of unprotected URL addresses that led to the public exposure of personal data. The violation of Article 32 GDPR resulted in a €800000 fine on Carrefour Banque, a sibling company of Carrefour France.


Carrefour France and CNIL

Case number


Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.

About us