Legal development

French Data Protection Authority fined two online clairvoyance companies

spiral background

    On September 26, the French Data Protection Authority (the CNIL) found Cosmospace and Telemaque, two companies who provide remote clairvoyance services, in breach of the GDPR.

    In particular, the CNIL found Cosmospace in breach of Article 5(1)(c) GDPR (obligation to minimise personal data collection and processing), as it systematically recorded all calls made between clairvoyants, customers and switchboard operators. The CNIL did not accept Cosmospace argument that such recordings were justified to monitor the service quality. This purpose could only justify uncomplete and unsystematic recordings.

    Both companies infringed Article 5(1)(e) GDPR (obligation to retain data for a period limited to the intended purpose), as they retained their customers' data for six years from the end of the contractual relationship, for commercial prospection purposes. The CNIL recalled that for such purpose, the recommended retention period was limited to three years.

    Telemaque and Cosmospace also failed to comply with Article 9 GDPR (obligation to obtain prior consent from individuals to process special categories of data). During online consultations, customers were asked to reveal sensitive data, like religious beliefs, state of health or sexual orientation. For such sensitive data, Telemaque and Cosmospace should have obtained the prior and explicit consent of their customer. Even if customers spontaneously provided their sensitive information in exchange for clairvoyance services, the CNIL ruled it could not be considered explicit consent.

    Both companies were also found in breach of Article L.34-5 of the French Postal and Electronic Communications Code (obligation to obtain consent to receive commercial prospecting by electronic means), as they shared a common database containing information of their customers. Data subjects did not consent to such a process of their personal data, as they were not informed that the database was shared between the two companies.

    As a result, the CNIL fined Telemaque 150,000 euros and Cosmospace 250,000 euros.


    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.