20 June 2019
The CNIL confirms its power to impose sanctions without formal notice: SERGIC sentenced to 400,000 euros for serious breach of their security obligation
At the end of April, the Conseil d’État (the French administrative supreme court) confirmed that the CNIL (the French data protection authority) may sanction violations of personal data security rules without first issuing a formal notice, the step intended to give the offender an opportunity to correct its behaviour (see our item on the OPTICAL CENTER case below).
In its decision of 28 May 2019, the supervisory authority confirmed its willingness to exercise this power.
The company concerned is SERGIC, a real estate company that had been the subject of a complaint from a user who was surprised to find that simply changing a number in a URL on the company’s website gave access to the files and supporting documents of other rental applicants.
An audit in September 2018 revealed a flagrant breach of data security in terms of the volume of data involved and the duration of the breach. CNIL agents were able to download more than 9,000 documents including “copies of identity cards, health cards, tax notices, death certificates, marriage certificates, social security affiliation certificates, certificates issued by the family allowance fund, disability pension certificates, divorce judgments, account statements, bank statements and rent receipts”.
In addition, despite having been alerted earlier, the company left the data unprotected for more than 6 months before taking measures to put an end to the exposure.
Finally, the violation is aggravated by the fact that, by the company’s own admission, the data of rental applicants were not deleted once their file had been closed and the application accepted or rejected.
In its decision of May 28, the CNIL therefore found a breach of Article 32(1) of the GDPR, which requires appropriate technical and organisational security measures. It stresses the duration of the breach, the large number of documents involved and the sensitive and intimate nature of the data left unprotected.
In addition, the CNIL found a violation of Article 5(1)(e) of the Regulation on the proportionality of data retention periods; in the supervisory authority’s view, the company aggravated its case by keeping, well beyond the original purpose, the data of candidates who were not granted a lease, which should have been deleted as soon as their file was closed.
In view of the seriousness of these breaches and the company’s lack of diligence in handling them, the CNIL fined the company 400,000 euros and ordered the sanction to be published, without prior formal notice and therefore without giving SERGIC the chance to correct the errors before the sanction was decided.
On this point, the CNIL notes in its decision that a formal notice is in no way made mandatory by the provisions of the 1978 Data Protection Act, which governs its action; the decision thus follows directly from the OPTICAL CENTER case.
The CNIL’s message is clear: serious violations get no second chance, and data controllers must exercise vigilance at the highest level.
Read the decision (in French)
14 June 2019
French Supervisory authority sanctions: no obligation of prior formal notice confirmed by the Administrative Supreme Court
In a decision of April 17 2019, the Conseil d’État (the French administrative supreme court) refused to overturn the sanction imposed by the CNIL (the French data protection authority) on the OPTICAL CENTER company, rejecting the company’s argument that the sanction was invalid because it had not been preceded by a formal notice allowing the company to correct the problems.
In 2017, a CNIL investigation opened following several complaints about OPTICAL CENTER revealed that simply entering URLs in a browser gave access to many invoices and purchase orders of the company’s customers, because access was not restricted to customers logged into their personal account area.
The CNIL then decided to impose a fine of 250,000 euros for this serious security breach, which violated Article 34 of the French Data Protection Act [1], without any formal notice allowing the company to correct the errors, and even though the company had already taken the necessary measures to fix the problem.
This decision was referred to the Conseil d’État which, in its judgment of April 17 2019, confirmed the decision and recalled that a formal notice is not a mandatory step before imposing sanctions, and that Article 45 of the law of 6 January 1978 provides that “Where the breach found cannot be brought into conformity in the context of a formal notice, the restricted formation may pronounce, without prior notice and after a contradictory procedure, the sanctions provided for”.
The Conseil d’État concludes from this that the CNIL may dispense with the formal notice stage when it is clearly unnecessary: either when the breach cannot be remedied or, as in the present case, when it has already been remedied.
However, the Conseil d’État reduced OPTICAL CENTER’s penalty, ruling that the CNIL had imposed a disproportionate penalty by failing to take into account the company’s promptness in responding to its requests; the fine was therefore reduced to 200,000 euros.
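Both cases turn on the same defect: a document served by a number in the URL, with no check of who is asking. The following Python sketch is added here as an illustration and is not code from either decision or from the companies’ systems; it shows such a handler beside a hardened version that requires a logged-in user who owns the document, plus a retention purge of the kind the SERGIC decision faults the company for lacking. The store, user names and ids are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass
class Document:
    owner: str                    # applicant the file belongs to
    file_closed: Optional[date]   # None while the rental application is still open
    content: bytes


# Constructed sample store; sequential numeric ids play the role of the number in the URL.
SAMPLE_STORE: Dict[int, Document] = {
    101: Document("alice", None, b"alice-identity-card"),
    102: Document("bob", date(2018, 1, 15), b"bob-tax-notice"),
    103: Document("carol", None, b"carol-bank-statement"),
}


def download_vulnerable(store: Dict[int, Document], doc_id: int) -> Tuple[int, bytes]:
    """The defect in both cases: the id from the URL is the only input, so any visitor
    who changes the number receives another applicant's file. Returns (status, body)."""
    doc = store.get(doc_id)
    return (200, doc.content) if doc else (404, b"")


def download(store: Dict[int, Document], doc_id: int, user: Optional[str]) -> Tuple[int, bytes]:
    """Hardened: the caller must be authenticated and must own the requested object."""
    if user is None:
        return (401, b"")            # nothing is served outside a logged-in personal space
    doc = store.get(doc_id)
    if doc is None or doc.owner != user:
        return (404, b"")            # same answer for "absent" and "not yours"
    return (200, doc.content)


def purge_closed_files(store: Dict[int, Document], today: date, retention_days: int = 0) -> List[int]:
    """Retention step (Article 5(1)(e)): delete documents once the application file is
    closed, after an optional grace period. Mutates the store and returns the ids removed."""
    expired = [i for i, d in store.items()
               if d.file_closed is not None
               and d.file_closed + timedelta(days=retention_days) <= today]
    for i in expired:
        del store[i]
    return expired


if __name__ == "__main__":
    print(download_vulnerable(SAMPLE_STORE, 102))                    # (200, b'bob-tax-notice')
    print(download(SAMPLE_STORE, 102, "alice"))                      # (404, b'')
    print(download(SAMPLE_STORE, 101, "alice"))                      # (200, b'alice-identity-card')
    print(purge_closed_files(dict(SAMPLE_STORE), date(2019, 1, 1)))  # [102]
```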
Read the full decision here (in French)
[1] Loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés