Privacy from the companies' side
with simple, practical explanations, AI assisted
Observatory edited by Dr. V. Spataro



Document 2023-06-22 · 'Doc 97742'

Online clairvoyance reading: French SA fined KG COM EUR 150,000 - clairvoyants and failure to notify a data breach on cookies due to a server change




Document annotated on 22.06.2023. Source: europa.eu
Link: https://edpb.europa.eu/news/national-news/2023/onl








index:


  • Background information
  • Origin of the case
  • Key Findings
  • Decision
  • For further information:



text:


Background information

  • Date of decision: 8 June 2023
  • Cross-border case or national case: Cross-border case
  • LSA: France
  • CSAs: Belgium, Luxembourg, Italy, Spain, Portugal, Bulgaria, Berlin and Ireland
  • Legal references: Article 5(1)(e) (Principles relating to processing of personal data), Article 6 (Lawfulness of processing), Article 9 (Processing of special categories of personal data), Article 32 (Security of processing), Article 33 (Notification of a personal data breach to the supervisory authority)
  • Decision: Administrative fine
  • Key words: Health records, Sensitive data, Data security, Data retention, Consent, Data Breach

Summary of the Decision

Origin of the case

KG COM operates several websites in order to offer its customers clairvoyance readings via an online chat or by phone. Following the publication of a press article in 2020 revealing the existence of a personal data breach involving the company, the Cnil carried out three investigation missions.

During its investigations, the Cnil identified several infringements, in particular concerning the systematic recording of telephone calls, the collection of health data and information relating to sexual orientation, the retention of banking data without the consent of the person, the obligation to notify a data breach or the rules relating to cookies.

Key Findings

The French SA has identified several infringements of the GDPR and a breach of the French Data Protection Act by KG COM:

  • Failure to minimise the personal data collected and used (Article 5.1.c GDPR)

  • Failure to have a legal basis for the use of banking data (Article 6 GDPR)

  • Failure to obtain prior consent to the collection of special categories of data (Article 9 GDPR)

  • Failure to ensure data security (Article 32 GDPR)

  • Failure to notify the Cnil of data breaches (Article 33 GDPR)

  • A breach of the obligations related to the use of Cookies (Article 82 of the Data Protection Act)

Decision

The French SA imposed two fines on KG COM:

  • A fine of EUR 120,000 for failing to comply with the General Data Protection Regulation (GDPR). This fine was imposed in cooperation with the Cnil's European counterparts in the context of the one-stop shop, as KG COM has customers and prospects from several EU Member States.
  • A fine of EUR 30,000 for non-compliance relating to use of Cookies (Article 82 of the Data Protection Act). In this case, the Cnil has the jurisdiction to act alone.

For further information:


Link: https://edpb.europa.eu/news/national-news/2023/onl

Text of 2023-06-22. Source: europa.eu



