French Regulator Says “Oui” to GDPR Fines for Under-Protected and Over-Retained Data

CNIL, the French data privacy regulator, issued a 400,000 euro ($448,358) fine against a company for GDPR violations stemming from sensitive information collected on its website. Investigating a complaint, CNIL discovered that the online real estate company Sergic allowed customer information to be freely accessed online and kept that information longer than needed. By editing the text of a certain URL, a Sergic user could retrieve sensitive files that another home rental candidate had uploaded into the website. This security defect led the trove of nearly 300,000 tax and identity documents to be accessible to anyone who thought to change the text of that URL. CNIL said that this website design flaw affected the confidentiality of data in violation of Article 32(1)(ii) of GDPR.

CNIL also knocked the company for keeping users’ information for longer than it was needed for the purpose of processing the user’s real estate rental application. The company did not disclose that it would keep or use the information for another purpose, and did not properly archive the data after the purpose was finished. The fine assessed by CNIL came to nearly 1% of revenue. The maximum GDPR fine considered was 20 million euro or 4% of revenue.

Putting it Into Practice: This fine is a reminder for companies that operate in the EU to review their data protection assessments, as EU privacy regulators field and investigate complaints about data security vulnerabilities and continue to enforce GDPR.