France: National Commission for Information Technology and Civil Liberties issued sanction decision against CALOGA for unlawful data processing and use of invalid consent for email prospecting (Deliberation SAN-2025-002)

On 15 May 2025, the National Commission for Information Technology and Civil Liberties (CNIL) issued a sanction decision (Deliberation SAN-2025-002) against the company CALOGA for violations of data protection law. The CNIL found that CALOGA failed to obtain valid consent for electronic marketing, in breach of Article L. 34-5 of the French Postal and Electronic Communications Code (CPCE), by relying on misleading consent forms provided by third-party data collectors. The company also unlawfully transferred prospect data to commercial partners for marketing without a valid legal basis, violating Article 6 of the General Data Protection Regulation (GDPR), as the partners were considered independent controllers requiring separate consent. Additionally, CALOGA retained personal data of inactive users for four years and reset retention periods based on email opens, violating the storage limitation principle under Article 5(1)(e) GDPR. No violation was found under Article 32 GDPR concerning data security. The CNIL imposed an administrative fine of EUR 80'000, reduced in light of CALOGA’s financial difficulties and declared cessation of business activity.