French data protection regulator puts the boot into Spartoo


The French Data Protection Authority (the CNIL) has levied a fine of €250,000 on online shoe retailer, Spartoo, for various infringements of the GDPR.

The CNIL carried out an on-the-spot inspection of Spartoo to determine whether the company was complying with all the provisions of the GDPR. The investigation focused on the processing of personal data of Spartoo’s existing and prospective customers, and on the recording of telephone conversations between customers and Spartoo’s customer service. The investigation revealed several infringements of the GDPR, in particular:

Data Minimisation
The CNIL found Spartoo’s recording of telephone calls received by its customer service for employee training purposes to be excessive. The CNIL found that such recording was not justified, especially as the person in charge of employee training only listened to one call recording per week and per employee. The CNIL further found that, when orders were made by phone, the recording and storage of customers’ payment card details was not necessary for the purposes of the call recordings (i.e. employee training). Finally, the CNIL found that the collection of the customer’s health card to combat fraud was excessive.

Storage Limitation
Spartoo kept a particularly large amount of customer personal data (some customers had not logged into their accounts for more than 10 years). The company also kept the personal data of prospective customers who had not had any activity for more than three years. During the investigation, Spartoo announced that they would now keep customer and prospect personal data for a period of five years after the date of last contact with the company (e.g. opening a newsletter). However, the CNIL found this retention period disproportionate in relation to prospect data, and reminded Spartoo that a prospect’s mere opening of a marketing email does not justify the retention of their data since the email could have been opened unintentionally. In addition, the CNIL found that the storage of customers’ email addresses and passwords after the five-year retention period did not comply with the GDPR’s storage limitation principle.

Information included in Spartoo’s customer privacy policy did not comply with the GDPR notice requirement. In particular, the privacy policy was not granular enough with respect to the legal basis for data processing. The policy referred to consent as the legal basis for all data processing activities when, in fact, some of these processing activities were based upon other legal bases.

The CNIL further found that employees did not receive proper notice that their telephone conversations with customers were being recorded.

Data Security
Spartoo was allowing weak passwords for online customer accounts: passwords that were only six characters in length and contained one character type. The CNIL found that the company should have required users to use more robust passwords.


The grounds upon which this fine was imposed are ones that may commonly be found at many organisations. This decision illustrates the potential perils of routinely recording telephone calls ‘for training purposes’, the need to invest time and effort into privacy policies, and that keeping personal data, especially data obtained from or for marketing purposes, for long periods is not a good idea.

If you’re worried about your organisation facing data protection fines then have a look at norm.‘s data protection offering. Our service can assist your organisation to remain compliant with data protection regulations.