Background information
- Date of final decision: 5 December 2024
- Cross-border case
- If cross-border, LSA: France
- and CSAs: all
- Legal Reference (s): Article 6 (Lawfulness of processing), Article 5 (Principles relating to processing of personal data), Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject), Article 14 (Information to be provided where personal data have not been obtained from the data subject), Article 15 (Right to access by the data subject)
- Decision: Administrative fine
- Key words: Transparency, Lawfulness of processing, Data retention, Right to be informed, Right of access
Summary of the Decision
Origin of the case
KASPR markets an extension for the Chrome browser that enables paying customers to obtain the professional contact details of people whose profiles they visit on the LinkedIn social network. To do this, the company builds a database of contact details from LinkedIn and other websites such as domain name registries. The contact details thus collected generally enable the company's customers to contact the target persons, for example for commercial prospecting, recruitment or identity verification. KASPR's database contains about 160 million contacts.
The French Supervisory Authority, CNIL received many complaints from people who had been canvassed by entities that obtained their contact details via the KASPR extension.
Key Findings
The CNIL found several breaches of the GDPR:
- Failure to comply with the obligation to have a legal basis (Article 6 of the GDPR)
- Failure to comply with the obligation to define and respect a data retention period proportionate to the purpose of the processing (Article 5-1-e of the GDPR)
- Failure to comply with the obligation to provide transparency and information to individuals (Articles 12 and 14 of the GDPR)
- Failure to respect the right of access of individuals (Article 15 of the GDPR)
Decision
The CNIL imposed a fine of 240 000 euros on KASPR for all these breaches, and ordered the company to:
- cease collecting the data of persons who chose to limit the visibility of their contact details, and delete the data collected in this way. If it is impossible to distinguish the data whose visibility has been limited, the company will have to inform the persons concerned, within 3 months, of the processing of their data and of the possibility of objecting to it, and to use their data solely for this purpose;
- stop the automatic renewal of the storage of personal data of target persons;
- inform the people whose data is collected in a language they understand;
- respond to requests for access from individuals, providing all available information on the sources of data collection.
The CNIL has set a six-month deadline for compliance, expiring on 18 June 2025.
For further information:
- National decision: Aspiration de données : sanction de 240 000 euros à l’encontre de la société KASPR (French), Data scraping: KASPR fined €240,000 (English)
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.