On October 16, 2025, France's data protection authority (CNIL) imposed a fine of €250,000 on a call center company. This decision, published on the CNIL website, sends a strong signal to the entire telemarketing industry.
The Three Sanctioned Violations
CNIL identified three categories of GDPR violations:
1. Data Minimization Failure (Article 5-1-c GDPR)
The call center collected and stored information not necessary for its operations. In telephone prospecting, only data strictly essential for contact and follow-up should be processed.
Examples of commonly over-collected data:
- Detailed family composition information
- Precise income data not justified by the offer
- Complete interaction history with other providers
2. Retention Period Non-Compliance (Article 5-1-e GDPR)
Prospect data was kept beyond legal limits. According to CNIL guidelines, commercial prospecting data must be deleted within 3 years of the last contact with the prospect.
The sanctioned company retained certain data for over 5 years without legitimate justification or legal basis.
3. Data Security Breach (Article 32 GDPR)
Security vulnerabilities were identified in the call center's information system:
- Unrestricted access to prospect databases
- Lack of access logging and traceability
- Insufficient encryption of sensitive data
Why This Decision Affects All Call Centers
This decision is not isolated. It reflects CNIL's stepped-up audit strategy targeting the telephone prospecting sector in 2025-2026.
Call centers are particularly exposed due to multiple risk factors:
- Massive volumes of personal data processed daily
- Multiple lead sources (purchases, partnerships, direct collection)
- High staff turnover, complicating GDPR training
- Frequent subcontracting with shared responsibilities
How to Avoid Similar Sanctions
To comply with GDPR requirements, call centers must implement rigorous data governance:
Data Collection Audit
Conduct a comprehensive audit of CRM fields and remove those not strictly necessary for operations.
Automatic Purge Policy
Implement automatic deletion mechanisms after 3 years of inactivity, with pre-expiration alerts so that prospects can be re-engaged compliantly before their data is purged.
Access Security
Implement:
- Role-based access profiles limited to each operator's mission
- Strong authentication (2FA) for sensitive data access
- Consultation logs available for audits
Ongoing Training
Regularly train teams on GDPR obligations, including updates on new telemarketing regulations.
Is €250,000 Proportionate or Deterrent?
The fine amount serves as a warning signal for the industry. CNIL can impose penalties up to 4% of global turnover or €20 million.
For comparison, recent sanctions in the prospecting sector:
- €900,000 for SOMS (May 2025) – abusive commercial prospecting
- €80,000 for a data broker (May 2025) – consent failure
- €600,000 for a distance selling site (July 2025) – retention and prospecting
Key Takeaways for Call Centers
This decision confirms that CNIL is intensifying its audits of telephone prospecting companies. Call centers must prepare by:
- Precisely documenting their data processing activities
- Verifying lead supplier compliance
- Updating their processing activity register
- Regularly testing system security
The €250,000 fine is just a warning. Future decisions could be much heavier for repeat offenders or cases of serious negligence.