French retail giant Carrefour and its banking arm have been fined over €3m ($3.7m) by the local data protection regulator for multiple breaches of the GDPR.

French regulator the Commission nationale de l’informatique et des libertés (CNIL) hit Carrefour France with a €2.25m fine and Carrefour Banque received an €800,000 penalty.

CNIL took into account the significant remedial action that had been taken by the firm to address its concerns.

However, the list of these concerns extended to nine key areas, according to compliance experts Cordery.

Information about data protection was too complicated and imprecise, and was hidden in lengthy documents alongside other information. Key information on data retention was also missing.

Cookie use was unlawful, the policy for dealing with data subject requests was too restrictive, Carrefour did not meet the time limits for responding to data subject requests, and it transferred data without being fully transparent about doing so.

CNIL claimed that a data retention period of four years for customer data after the last purchase was excessive. It also found insufficient information on data transfers outside the EU and on the legal basis for processing on the website.

“The data transfer element is especially interesting given the issues with the collapse of Privacy Shield and the increased focus on data transfer using Standard Contractual Clauses,” said Cordery.

“It seems that data protection regulators are also focussing on what organizations are saying on their websites about data transfers. Consider therefore reviewing your website to ensure that it meets GDPR transparency standards, especially to meet the required standard with information on data transfers.”

CNIL is one of Europe’s more active GDPR regulators. It was the first to issue a major fine following the introduction of the new legislation: hitting Google with a €50m ($60m) penalty for failing to notify users about how their data is used.