The CNIL imposed a fine of €400,000 on a company specializing in the promotion, purchase, sale, rental and management of real estate, for failing to adequately protect the personal data of users of its website and for having inappropriate data retention practices in place.
The company operates a website where users can create a file to apply for a rental and upload supporting documents. In August 2018, the CNIL received a complaint from a user who, from his personal space on the site, had been able to access documents saved by other users simply by slightly modifying the URL displayed in the browser. An online check carried out by the CNIL in September 2018 confirmed that the documents uploaded by rental applicants were freely accessible, without any prior authentication. These documents included copies of identity documents, social security cards, tax returns, certificates issued by the family allowance fund, divorce judgments, account statements and bank details.
The CNIL alerted the company to this security flaw and the resulting personal data breach. A few days later, the CNIL carried out an inspection at the company's premises and found that the company had been aware of the problem since March 2018 and, although it had initiated IT corrective measures, did not resolve the issue until September 17, 2018.
Non-compliance with GDPR
The CNIL has identified two breaches of the GDPR:
- The company failed in its obligation to ensure the security of the personal data of users of its site, in violation of Article 32 of the GDPR
The company had not put in place a procedure to authenticate users of its website and to verify that the people accessing documents were indeed those who had uploaded them, an elementary measure. This failure was aggravated, on the one hand, by the nature of the data exposed and, on the other hand, by the company's lack of diligence in correcting it: the security problem was only fixed six months after it was discovered, and no emergency measures had been taken to limit its impact in the meantime.
- The company kept the documents uploaded by the candidates for an unlimited period
The documents submitted by unsuccessful applicants for the accommodation they had applied for were kept for longer than necessary for the purpose of the processing. The CNIL noted that once the purpose of the processing has been achieved (for example, once the applications have been processed), the data must be deleted, or at least archived if it must be kept to comply with a legal obligation or for the purposes of managing litigation.
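The first breach above is a textbook insecure direct object reference: the download URL carried a document identifier and the server handed back whatever that identifier pointed to, without checking who was asking. The following is an added illustration written for this article, not the company's own code; the endpoint names, user names, document identifiers and file contents are constructed. It places the vulnerable handler beside a hardened one that requires an authenticated session and verifies that the requested document belongs to that session's user.

```python
"""Added example: an IDOR on a document-download endpoint, and its fix.

Illustrative code written for this article, not the application of the
company described in it. All users, document ids and contents below are
constructed sample data.
"""

import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner_id: str
    filename: str
    content: bytes


@dataclass(frozen=True)
class Response:
    status: int
    body: bytes = b""


# Constructed sample store: two applicants, each with one uploaded file.
# Sequential ids are exactly what makes "slightly modifying the URL" work.
DOCUMENTS: Dict[str, Document] = {
    "1001": Document("1001", "alice", "alice-id-card.pdf", b"ALICE ID CARD"),
    "1002": Document("1002", "bob", "bob-tax-return.pdf", b"BOB TAX RETURN"),
}


def download_vulnerable(doc_id: str) -> Response:
    """GET /documents/<doc_id>, as described in the article: the handler
    never consults the session, so anyone who can guess a valid id (here,
    1001 -> 1002) receives another applicant's file."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return Response(404)
    return Response(200, doc.content)


def download_hardened(session_user_id: Optional[str], doc_id: str) -> Response:
    """Same endpoint with the two checks the CNIL found missing:
      1. the request must carry an authenticated session (else 401);
      2. the document must be owned by that session's user.
    A document that exists but belongs to someone else is answered with the
    same 404 as a non-existent one, so the endpoint does not confirm which
    ids are valid to an attacker enumerating them."""
    if session_user_id is None:
        return Response(401)
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_id != session_user_id:
        return Response(404)
    return Response(200, doc.content)


def upload_document(owner_id: str, filename: str, content: bytes) -> Document:
    """Store a new document under an unguessable, non-sequential id.
    This is defence in depth only: the ownership check in
    download_hardened() is still what actually enforces access, because an
    id can leak (logs, referers, shared links) even if it cannot be guessed."""
    doc_id = secrets.token_urlsafe(16)
    doc = Document(doc_id, owner_id, filename, content)
    DOCUMENTS[doc_id] = doc
    return doc


if __name__ == "__main__":
    # Alice is logged in and tries her neighbour's id, as the complainant did.
    print("vulnerable:", download_vulnerable("1002").status)          # 200: leak
    print("hardened:  ", download_hardened("alice", "1002").status)   # 404: denied
    print("own file:  ", download_hardened("alice", "1001").status)   # 200
```

Authentication alone would not have been enough: a logged-in applicant could still have walked the id space. The ownership comparison in `download_hardened()` is the object-level authorization check, and it has to run on every request for every object, not only on the listing page that shows a user their own files.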
Given, on the one hand, the seriousness of the breach, the company's lack of diligence in remedying it and the fact that the exposed documents revealed very private aspects of people's lives, and, on the other hand, the size of the company and its financial strength, the CNIL decided to impose a fine of €400,000 on the company (https://www.legifrance.gouv.fr/affichCnil.do?oldAction=rechExpCnil&id=CNILTEXT000038552658&fastReqId=119744754&fastPos=1).
While the CNIL had so far been rather lenient on GDPR compliance, generally issuing formal notices to comply with the legislation rather than fines, this first significant fine should be taken as a warning to businesses.