French Data Protection Authority (CNIL) fines GROUPE CANAL+ €600,000

On October 12, 2023, the French Data Protection Authority (known as “the CNIL”) imposed a fine of €600,000 on French media company GROUPE CANAL+ for violating various data protection and privacy obligations. 

The fine resulted from multiple complaints received by the CNIL about difficulties individuals faced in exercising their rights with GROUPE CANAL+. The CNIL’s investigations found that GROUPE CANAL+ had breached several provisions of the General Data Protection Regulation (GDPR) and the French Post and Electronic Communications Code (CPCE).

The amount of the fine took into account the nature of the violations, the company’s cooperation, and the corrective measures taken during the procedure. 

The CNIL identified the following violations: 

  • Failure to obtain consent for commercial prospecting via electronic means, violating CPCE and GDPR provisions. 
  • Failure to provide clear information to data subjects, particularly regarding data retention periods.
  • Failure to uphold individuals’ rights to access and manage their data, as required by the GDPR. 
  • Lack of a proper contractual framework for data processing carried out by a third-party processor, as mandated by the GDPR. 
  • Inadequate security measures to protect personal data, particularly concerning the storage of employee passwords. 
  • Failure to notify CNIL of a data breach that made subscriber data accessible to other subscribers for a period of 5 hours. 

The CNIL’s decision underscores the importance of complying with data protection law and respecting individuals’ rights regarding their personal data. 

Sweden DPA (IMY) issues administrative fine against H&M for making it difficult to avoid marketing 

IMY’s intervention was prompted by six complaints from individuals in Poland, Italy, and the UK who continued to receive direct marketing from H&M despite their objections. The complaints were transferred to IMY as H&M’s headquarters are located in Sweden. 

IMY determined that H&M failed to stop processing the complainants’ personal data for direct marketing purposes promptly after they expressed their objections, as is required under the GDPR. 

H&M was found to lack adequate systems and processes to facilitate individuals’ rights to opt out of direct marketing, making it unnecessarily difficult for them to exercise this right. 

Consequently, the IMY imposed an administrative fine of SEK 350,000 (approximately EUR 30,000) on H&M, emphasising the need for companies to respect individuals’ preferences regarding direct marketing and to have effective systems in place to uphold these rights. 

Consumers have a right to engage with retailers without fear of their data being mishandled. H&M’s fine demonstrates the importance of global companies implementing robust processes to ensure compliance with data protection law. 

Croatian DPA issues €5.4 million fine against debt collection agency EOS Matrix for significant GDPR violations

The Croatian Personal Data Protection Agency (DPA) has fined EOS Matrix d.o.o., a debt collection agency, HRK 41,213,715 (approximately EUR 5,470,000) for significant GDPR violations. 

The action followed an anonymous petition received in March 2023 alleging that EOS Matrix was engaged in the unlawful processing of personal data about 181,641 individuals. 

The personal details included the names, surnames, dates of birth, and personal identification numbers of people who had outstanding debts with credit institutions; those debts had been purchased by EOS Matrix under a cession contract. The database also included personal data about 294 minors.

The Croatian DPA found that EOS Matrix: 

  • Failed to implement appropriate technical measures to protect personal data, in violation of Article 32 of the GDPR. 
  • Processed personal data of individuals who were neither debtors nor legal representatives of inheritors in debtor-creditor relations without a legal basis, violating Article 6(1) of the GDPR.  
  • Processed special category data (health data) of individuals in its database without a legal basis, contravening Articles 6 and 9 of the GDPR. 
  • Failed to properly inform data subjects about the processing of their health data, violating Articles 12 and 13 of the GDPR. 
  • Processed data relating to 49,850 data subjects by recording telephone conversations from May 2018 to January 2019 without a legal basis, violating Articles 6(1) and 5(2) of the GDPR. 

The substantial fine underscores the importance of upholding data protection and privacy standards, particularly in sensitive areas such as debt collection. 

As a B Corp Data Protection Office, HewardMills is dedicated to assisting clients in addressing internal data privacy concerns and business practices. If you have any concerns about your organisation’s data protection, or any other global data privacy issues, we can support your team.

If you would like to discuss this topic or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.