June 30, 2022

Volume XII, Number 181

Advertisement
Advertisement

June 30, 2022

Subscribe to Latest Legal News and Analysis

June 29, 2022

Subscribe to Latest Legal News and Analysis

June 28, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

French Regulator Says “Oui” to GDPR Fines for Under-Protected and Over-Retained Data

CNIL, the French data privacy regulator, issued a 400,000 euro ($448,358) fine against a company for GDPR violations stemming from sensitive information collected on its website. Investigating a complaint, CNIL discovered that the online real estate company Sergic allowed customer information to be freely accessed online and kept that information longer than needed. By editing the text of a certain URL, a Sergic user could retrieve sensitive files that another home rental candidate had uploaded into the website. This security defect led the trove of nearly 300,000 tax and identity documents to be accessible to anyone who thought to change the text of that URL. CNIL said that this website design flaw affected the confidentiality of data in violation of Article 32(1)(ii) of GDPR.

CNIL also knocked the company for keeping users’ information for longer than it was needed for the purpose of processing the user’s real estate rental application. The company did not disclose that it would keep or use the information for another purpose, and did not properly archive the data after the purpose was finished. The fine assessed by CNIL came to nearly 1% of revenue. The maximum GDPR fine considered was 20 million euro or 4% of revenue.

Putting it Into Practice: This fine is a reminder for companies that operate in the EU to review their data protection assessments, as EU privacy regulators field and investigate complaints about data security vulnerabilities and continue to enforce GDPR.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume IX, Number 211
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Alyssa Sones, Sheppard Mullin Law Firm, Century City, Cybersecurity and Litigation Attorney
Associate

Alyssa M. Sones is an associate in the Business Trial Practice Group. She is the Lead Associate of Sheppard Mullin’s Retail, Fashion & Beauty Industry Team and serves as an Editor for its Retail Trend Spotter blog. Alyssa is also an active member of the firm’s Privacy and Cybersecurity Team and a Certified Information Privacy Professional (CIPP/US).

Areas of Practice

Alyssa excels at helping businesses resolve disputes with customers. She is dedicated to guiding clients through thorny state and...

424-288-5305
Advertisement
Advertisement
Advertisement