The declining cost of electronic data storage may have caused some company executives to conclude that retaining personal data forever is “cheap.”  Perhaps the CNIL’s  €1.75 million (USD $2,051,930) penalty for over-retention will lead to a different view.

The matter involved one of France’s largest insurers, SGAM AG2R LA MONDIALE, which was subject to an inspection by the French data protection authority (the CNIL), in 2019.  The CNIL’s inspection included the insurer’s compliance with Section 5-1(e) of GDPR, which reads:

Personal data shall be . . . (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

The audit also checked the insurer’s compliance with its disclosure obligations when consumers call its call centers, including notice of the consumer’s right to know the insurer’s retention period for personal data (GDPR Articles 13 and 14).

The insurer’s record retention policy aligned with the CNIL’s recommendations for insurers:  three years after the last contact by insurance “prospects,” and between 10-30 years for individuals who become customers, depending upon the nature of the insurance policy.  The inspection found that the insurer had retained “the personal data of 1917 prospects who had not had contact with the company for more than three years, including 1405 prospects who had not had contact with the company for more than five years.”  The insurer also retained data involving its millions of customers longer than the stated retention period.  In addition, the data retained was personal data that “related, in particular, to identity, personal, professional and banking details, personal and professional life, insurance, as well as, in the context of certain contracts, the health of individuals.”

If a consumer called the insurer, the script used by the call center did not inform the consumer that additional information regarding the insurer’s privacy policy, retention, and how to exercise rights was available at the insurer’s website or through a recording that the consumer could opt to hear.

In determining the amount of the fine, the CNIL considered:

  • “first of all, that the company has shown serious negligence in relation to the infringement of fundamental principles laid down by the GDPR, namely the principle of limiting the duration of data retention and the obligation to inform data subjects of the processing of their personal data”
  • “ that the failure to comply with the retention periods concerned a very large number of persons, in particular the company’s customers. Indeed, the retention on an active basis for periods longer than the legal authorized periods, which may exceed thirty years, concerned the personal data of more than two million customers collected during the conclusion of insurance contracts”
  • “customer data retained for excessive periods of time includes data of a sensitive nature, bank details and information relating to customers’ personal lives.”

The CNIL also took into account the insurer’s promptly amending both the call center scripts and its online privacy policy, and its commencement of record destruction procedures.  The CNIL also considered the company’s size and turnover (revenues).  In 2020, the insurer’s turnover amounted to €9.3 billion for a net result of €222 million.

After consideration, the CNIL concluded that the fine should be €1.75 million (USD $2,051,930), due to “the need to penalise breaches of the elementary principles of the GDPR, committed by a major player in social protection in France, concerning several million persons and relating to data of a sensitive or particular nature, such as bank details.”

Our take

This opinion is more evidence that data privacy regulators are focusing on over-retention, by itself, as a potentially serious violation of a data subject’s privacy rights.  Like the Berlin’s DPA’s fine against die Deutsche Wohnen SE, this is not a situation where the company either lost or misused the personal information.

Information governance needs to become a higher priority for Chief Privacy Officers who should be coordinating with the IT and the business to identify data that has no legal, regulatory or business value for disposition.  Untangling that data is not simple and a meaningful program should be implemented to avoid fines like the one issued here. It cannot happen over-night, but a policy and schedule that is not adhered to, will not protect an organization either as the CNIL fined the SGAM AG2R LA MONDIALE even though it had both.  Rather an organization needs to have an actual plan to dispose of data and show that it is making actual progress toward cleaning up old data.