In a decision dated December 5th, 2024, the French data protection authority (“CNIL”) ordered KASPR company (“KASPR”) to pay a €240,000 fine.
KASPR markets a paid extension for CHROME that enables its customers to obtain the professional contact details of people whose profiles they visit on LinkedIn social network. For this purpose, KASPR builds up a database of contact details from LinkedIn and other websites such as professional directories.
This allows KASPR’s customers to contact target persons to, for example, carry out commercial prospecting.
The CNIL notes that the data processing carried out by KASPR does not comply with the data protection principles, in particular, the obligation to have a legal basis, in compliance with Article 6 of the GDPR.
If, in accordance with the CNIL’s recommendations for re-users of data published on the internet [1], this processing can be based on the legitimate interest, this is not the case in this instance concerning the contact details of LinkedIn users who have limited the visibility of their profile. According to the CNIL, for these users, this exceeds what they could reasonably expect by registering on a professional social network.
Therefore, the processing of data from people who have limited the visibility of their LinkedIn profile must be considered unlawful for lack of a legal basis.
In addition, for data lawfully processed (for users who have not limited the visibility of their LinkedIn profile), the CNIL notes a disproportionate data retention period (5 years from each data update, which occurs, in particular, in the event of a change of position) due to the fact that people may change position during these five years.
The CNIL also noted shortcomings in the obligation to inform data subjects (information not provided at the start of processing and only in English) and in the response to requests to exercise the right of access.
In light of all these factors, the CNIL imposed a €240,000 fine on KASPR and ordered it to bring its data processing into compliance.