The French multinational retailer Carrefour has been fined €3m for multiple data protection failings.

Data protection agency CNIL has fined two companies of the Carrefour Group for breaches of GDPR in several areas, including the obligation to inform individuals, use of cookies, limiting the retention of data, the obligation to facilitate the exercise of rights and failure to respect rights.

Retail company Carrefour France was fined €2.25m, while banking subsidiary Carrefour Banque received an €800,000 penalty.

Following complaints, CNIL carried out checks on the companies between May and July 2019.

CNIL found that information provided to the users of the companies’ websites was not easily accessible or understandable and failed to include complete information about the duration of data retention. Information was “also insufficient with regard to data transfers outside the European Union and the legal basis for processing (files)”, CNIL said.

CNIL found that Carrefour had automatically placed cookies on users’ machines before they had given consent. It also said that Carrefour France did not respect the data retention periods it had set, keeping data of more than 28 million customers who had been inactive for five to 10 years. CNIL also criticised the companies’ four-year period for data retention as “excessive”.

Carrefour also required proof of identity to exercise data rights, a measure criticised by CNIL as “unjustified”, and failed to process requests to exercise rights within time limits.

Carrefour France did not respond to several requests from people wishing to access their data and on several occasions did not erase data when requested, as required.

CNIL also discovered that Carrefour Banque indicated that no other information except name and email address would be communicated to “Carrefour loyalty” when a customer subscribes to its pass card credit scheme. In fact, other data was transmitted, including postal address, telephone number and the number of children in the household.

CNIL, however, decided not to issue an injunction as Carrefour has made “significant efforts” to “bring all the breaches identified into compliance.”

Since the problems were uncovered, Carrefour has committed a large amount of resources to ensure compliance, CNIL said.

It has now modified the information and notices on its websites, changed the way it uses cookies, deleted old data, deployed significant human and organizational resources to respond to all requests received within a period of less than one month and “completely overhauled” its online subscription processes to accurately inform people of data transmissions, CNIL said.