At the end of April, the Conseil d’État (the French administrative supreme court) confirmed the CNIL’s (the French data protection control authority) ability to sanction violations of personal data security rules without necessarily resorting to a prior formal notice intended to leave the offender the possibility of correcting his behaviour (note: link to our news on the OPTICAL CENTER case).
In its decision of 28 May 2019, the supervisory authority confirmed its willingness to exercise this power.
The targeted company is SERGIC, a company specialising in the real estate sector that had been the subject of a complaint by a user, surprised that the simple modification of a number in the URL address of the company’s website allows it to access the files and supporting documents of candidates for rental.
An audit in September 2018 revealed a flagrant breach of data security in terms of the volume of data involved and the duration of the breach. CNIL agents were able to download more than 9,000 documents including “copies of identity cards, health cards, tax notices, death certificates, marriage certificates, social security affiliation certificates, certificates issued by the family allowance fund, disability pension certificates, divorce judgments, account statements, bank statements and rent receipts”.
In addition, despite a previous report, the lack of data protection persisted for a period of more than 6 months before measures were taken to put an end to it.
Finally, the violation is aggravated by the fact that, according to the company’s admission, the data of rental applicants are not deleted once their file has been closed and the application accepted or rejected.
In its decision of May 28, the CNIL therefore found a breach of Article 32(1) of the GDPR, concerning reasonable data protection measures. She insists on the duration of the breach, the large number and the sensitive and intimate nature of the data left unprotected.
In addition, the CNIL finds a violation of the provisions of Article 5-1-e) of the Regulation on the proportionality of data retention periods; for the supervisory authority, the company in question has aggravated its case by keeping well beyond the original purpose the data relating to candidates who did not access the lease, which should have been deleted as soon as their file was closed.
In view of the seriousness of these breaches and the company’s lack of diligence in their management, the CNIL sentences the company to pay a fine of 400,000 euros, and to publish the said sanction, without prior formal notice, and therefore without allowing SERGIC to correct the errors before deciding on the sanction.
On this subject, the CNIL points out in its decision that a formal notice is in no way made mandatory by the provisions of the 1978 Data Protection Act, which governs its action; this decision is thus to be placed in the continuity of the OPTICAL CENTER case.
The CNIL’s message is clear: no catching up for serious violations, the vigilance of data controllers is essential at the highest level.