*Reassuringly dull cyber security e: info@normcyber.comt: +44 (0) 203 855 6215

French data protection regulator puts the boot into Spartoo


The French Data Protection Authority (the CNIL) has levied a fine of €250,000 on online shoe retailer, Spartoo, for various infringements of the GDPR.

The CNIL carried out an on-the-spot inspection of Spartoo to determine whether the company was complying with all the provisions of the GDPR. The investigation focused on the processing of personal data of Spartoo’s existing and prospective customers, and on the recording of telephone conversations between customers and Spartoo’s customer service. The investigation revealed several infringements of the GDPR, in particular:

Data Minimisation
Spartoo’s recording of telephone calls received by its customer service for employee training purposes to be excessive. The CNIL found that such recording was not justified, especially as the person in charge of employee training only listened to one call recording per week and per employee. The CNIL further found that, when orders were made by phone, the recording and storage of customers’ payment card details was not necessary for the purposes of the call recordings (i.e. employee training). Finally, the CNIL found that the collection of the customer’s health card to combat fraud was excessive.

Storage Limitation
Spartoo kept a particularly large number of customer personal data, (some customers had not logged into their accounts for more than 10 years). The company also kept the personal data of prospective customers who did not have any activity for more than three years. During the investigation, Spartoo announced that they would now keep customer and prospect personal data for a period of five years after the date of last contact with the company (e.g. such as opening a newsletter). However, the CNIL found this retention period disproportionate in relation to prospect data, and reminded Spartoo that a prospect’s mere opening of a marketing email does not justify the retention of their data since the email could have been opened unintentionally. In addition, the CNIL found that the storage of customers’ email addresses and passwords after the five years retention period did not comply with the GDPR’s storage limitation principle.

Information included in Spartoo’s customer privacy policy did not comply with the GDPR notice requirement. In particular, the privacy policy was not granular enough with respect to the legal basis for data processing. The policy referred to consent as the legal basis for all data processing activities, where in fact, some of these processing activities were based upon other legal bases.

The CNIL further found that employees did not receive proper notice that their telephone conversations with customers were being recorded.

Data Security
Spartoo was allowing weak passwords for online customer accounts that were only six characters in length and contained one character type. The CNIL found that the company should have required users to use more robust passwords.


The basis upon which this fine was imposed may be ones that can be commonly found at many organisations. This decision illustrates the potential perils of routinely recording telephone calls on the basis of ‘for training purposes’ the need to invest time and effort into privacy policies and that keeping personal data, especially that obtained from or for marketing purposes, for long periods is not a good idea.

If you’re worried about your organisation facing data protection fines then have a look out our DPaaS offering here. Our service can assist your organisation to remain compliant with data protection regulations.

Appointing NormCyber as our virtual DPO has given Ferrero the best of both worlds – access to data protection experts who understand what we stand for as a business, without the hefty overheads usually associated with appointing an in-house DPO.

Harpreet Thandi
Regional Counsel, UK & Ireland, Ferrero

We were looking for a virtual DPO service that offered all of the benefits of a fully qualified data protection lawyer, without the overheads of an in-house hire. The DPaaS solution from norm. has been invaluable in helping us to ensure we respect the integrity of our customers’ personal information, while using it to continue to deliver differentiated products and services which support our growing customer base.

Mike Whitfield, Compliance Manager

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO

Will Blake, Director of Technology and Analytics
CRU Group