French data protection supervisory authority imposes fine on pay-TV provider – reason: several GDPR violations

Prior to its evaluation, the CNIL, the French data protection supervisory authority, had received several complaints from individuals. They complained of difficulties in exercising their rights against GROUP CANAL+, a publisher of channels and provider of pay-TV services in France.

The infringements related to a wide variety of GDPR requirements, including:

  • Failure to comply with the obligation to obtain the consent of individuals to receive commercial prospecting by electronic means (art. L. 34-5 of the French Postal and Communications Code (CPCE) and art. 7 GDPR)
  • Failure to provide information (art. 13 and 14 GDPR) and to safeguard the exercise of rights (art. 12 and 15 GDPR)
  • Lack of a contractual framework for processing by a processor (art. 28(3) GDPR)
  • Failure to ensure the security of personal data (art. 32 GDPR)
  • Failure to comply with the obligation to notify the CNIL of a data breach (art. 33 GDPR) 

On 12 October 2023, the CNIL imposed a fine of EUR 600,000.