CNIL (France) - SAN-2019-005: Difference between revisions

From GDPRhub
Revision as of 12:41, 19 October 2020

CNIL - SAN-2019-005
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR
Article 32(1) GDPR
Article 32(2) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 28.05.2019
Published: 06.06.2019
Fine: 400,000 EUR
Parties: SERGIC SAS
National Case Number/Name: SAN-2019-005
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: Roka

The French DPA holds that sharing documents containing personal data through an unprotected URL address constitutes a violation of Article 32 GDPR. It also holds that retaining the personal data of an applicant for a rental lease after another applicant has been selected violates Article 5(1)(e) GDPR.

English Summary

Facts

A customer of a real estate company noticed that the service the company used to collect personal data on its customers was unprotected. By modifying one or several characters in the URL address of his own personal documents, the customer was able to access the personal data of other customers.

After notifying the company in March 2018, the customer filed a complaint to the CNIL in August 2018. The DPA launched an investigation in September 2018.

Dispute

Does making personal data publicly available on the web through an unprotected URL address constitute a breach of data confidentiality?

Does retaining the personal data of an applicant for a rental lease after the lease has been awarded violate Article 5(1)(e) GDPR on storage limitation?

Holding

During the investigation, the CNIL inspectors were able to download 9,446 documents containing personal data of customers by using a script. They also found that the company's entire database was accessible by default and that there was no technical or operational procedure for deleting customers' personal data.

The DPA held that this access to personal data was proof of a faulty website design, due to the absence of any required authentication to access the data. According to the DPA this constitutes one of the most common vulnerabilities and has been sanctioned several times as a violation of Article 32 GDPR.

Furthermore, the DPA held that retaining the candidates' files after the lease has been awarded violates the storage limitation principle of Article 5(1)(e) GDPR, as the purpose of the processing had been achieved by awarding the lease to one of the candidates.

The DPA sanctioned the company with a 400,000 EUR fine. It decided to make the sanction public due to the seriousness of the breach, which involved particularly precise information on certain aspects of the candidates' private lives, and the lack of diligence of the company in correcting the breach.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted formation n° SAN - 2019-005 of May 28, 2019 pronouncing a pecuniary sanction against the company SERGIC

The Commission nationale de l'informatique et des libertés, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Mrs. Sylvie LEMMET and Mrs. Christine MAUGÜE, members;

Having regard to Convention No. 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data;

Having regard to the amended law n° 78-17 of 6 January 1978 relating to data processing, data files and liberties, in particular articles 45 and following;

Having regard to the decree n° 2005-1309 of 20 October 2005 modified taken for the application of the law n° 78-17 of 6 January 1978 modified relating to data processing, files and liberties;

Having regard to deliberation n° 2013-175 of 4 July 2013 adopting the internal regulations of the National Commission for Information Technology and Civil Liberties;

Having regard to Decision No. 2018-186C of 5 September 2018 of the President of the National Commission for Data Processing and Liberties to instruct the Secretary General to carry out or have carried out a verification mission;

Having regard to the decision of the President of the National Commission on Data Processing and Liberties appointing a rapporteur before the restricted formation, dated February 1, 2019;

Having regard to the report of Mr. Éric PÉRÈS, commissioner-rapporteur, dated February 4, 2019;

Having regard to the written observations filed by the company SERGIC on March 4, 2019;

Having regard to the observations in response by the reporting commissioner dated March 15, 2019;

Having regard to the observations in response filed by the company SERGIC on April 2, 2019 as well as the oral observations made during the session of the restricted formation;

Having regard to the other documents of the file;

Were present, during the session of the restricted formation of April 11, 2019:

    Mr. Éric PÉRÈS, Commissioner, heard in his report;

    As representatives of the company SERGIC: [...].

The company having had the last word;

After deliberation, adopted the following decision:

I - Facts and procedure

1 The company SERGIC (hereafter the company) is specialized in real estate development, purchase, sale, rental and property management. It employs 486 people and in 2017 had a turnover of approximately 43 million euros.

2 For the needs of its activity, the company publishes the website www.sergic.com (hereafter the website), which allows applicants for the rental of a property to upload the supporting documents necessary for the constitution of their file.

3 On August 12, 2018, the National Commission for Information Technology and Civil Liberties (hereinafter CNIL or the Commission) received a complaint from a user of the site. The complainant indicated that changing the character X in the URL address composed as follows: https://www.crm.sergic.com/documents/upload/eresa/X.pdf, where X represents a whole number, had allowed him to access not only the supporting documents that he himself had uploaded via the site but also those uploaded by other candidates for rental. In his complaint, the complainant provided several examples of URLs from which he was able to access documents uploaded by third parties. He stated that he had informed the company of these facts as early as March 2018.

4 In application of decision no. 2018-186C of September 5, 2018 of the Chairman of the Commission, an online control mission and then a control mission at the company's premises were carried out on September 7 and 13, 2018 respectively. The purpose of these missions was to verify the compliance with the law of January 6, 1978 as amended (hereafter the Data Protection Act) and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereafter RGPD or the Regulation) of the processing of personal data accessible from the sergic.com domain or relating to personal data collected from the latter.

5 During the online inspection, the delegation found that by entering one of the URLs provided by the complainant, it was possible to download a tax notice bearing a name other than the complainant's. The delegation then proceeded to download 9,446 documents by means of a script, including copies of identity cards, Vitale cards, tax notices, death certificates, marriage certificates, certificates of affiliation to social security, certificates issued by the family allowance fund, disability pension certificates, divorce judgments, account statements, bank statements and rent receipts.

6 The Company was informed on September 7 by the CNIL delegation of the existence of a security flaw on its site, and an e-mail containing the type of URL addresses concerned by this security flaw was sent to it.

7 On September 13, 2018, during an inspection visit to the company's premises, the CNIL delegation noted that the URL addresses provided by the complainant in his referral still allowed access to the documents in question. The company informed the delegation that the supporting documents uploaded by applicants for rental are recorded in a dedicated directory. It was specified that the entire directory had been made accessible by the security flaw. The findings showed that this directory contained 290,870 files on the day of the audit. The company further indicated that the documents provided by the candidates were not purged and that they were not reused at a later date, as the documents of the candidates who had obtained the rental were moved to another directory in the database.

8 The company confirmed to the delegation that a report informing it that documents were freely accessible from the site without prior authentication had been received in March 2018. The company stated that following this report, it had carried out an initial phase of analysis of the security flaw, which led to an action plan to be implemented from June 2018. It also indicated that an initial action to stop displaying URL addresses as they appeared at the time of the breach had been deployed a few days before the September 13 audit. The company then explained that a measure definitively ending the security breach was to be put into production on September 17, 2018. The company was notified of the September 7 and 13 minutes on September 17.

9 For the purposes of examining these elements, the Chairman of the CNIL appointed Mr. Éric PÉRÈS on February 1, 2019 as rapporteur on the basis of Article 47 of the Law of January 6, 1978. By letter dated February 1, 2019, the President of the CNIL informed the Company of this appointment.

10 At the end of his investigation, the rapporteur had a report notified to the company SERGIC on February 5, 2019, detailing the breaches of Articles 5 and 32 of the RGPD that he considered to be established in this case.

11 This report proposed to the restricted formation of the CNIL to pronounce against the company SERGIC a pecuniary sanction of 900,000 euros which would be made public.

12 The report was also attached to a notice convening the meeting of the restricted formation of April 11, 2019. The company had a period of one month in which to submit its written observations. On February 11, 2019, the Company requested that the meeting be held in camera. This request was granted in a letter dated February 22, 2019, insofar as certain items included in the proceedings are protected by business secrecy, as provided for in Article L 151-1 of the French Commercial Code.

13 On March 4, 2019, the Company filed written comments on the report. The rapporteur replied to these observations on March 15, 2019. On April 2, 2019, the company filed new observations in response to those of the rapporteur.

14 All of the observations were reiterated orally by the company and the rapporteur during the session of the restricted formation of April 11, 2019.

II - Reasons for the decision

1. On the request for annulment of the findings of the online inspection of September 7, 2018

15 The company points out that during the online inspection of September 7, 2018, the agents of the CNIL proceeded to the extraction of files accessible from URL addresses composed as follows: https://www.crm.sergic.com/documents/upload/eresa/X.pdf, whereas the provisions of Article 44 of the Data Protection Act only authorize the agents of the CNIL to consult data that is freely accessible or made accessible and do not, under any circumstances, allow them to remain in an automated data processing system in order to extract data by downloading it.

16 The Company therefore asks the restricted formation to declare null and void the observations contained in minutes no. 2018-186/1 of September 7, 2018.

17 The restricted panel recalls that under the terms of paragraph 3 of III of Article 44 of the French Data Protection Act, the Commission's employees may, in particular, from an online public communication service, consult data that is freely accessible or made accessible, including by imprudence, negligence or the actions of a third party, if necessary by accessing and remaining in automated data processing systems for the time necessary for the findings; they may transcribe the data by any appropriate processing into documents that can be directly used for the purposes of control.

18 By downloading the files from the above-mentioned URL addresses, the CNIL agents did indeed proceed to a transcription of the data and not to an extraction, insofar as the files were not moved from the company's database but were simply copied. The restricted formation considers that by downloading the files made freely accessible by the security flaw, the CNIL agents acted in strict compliance with the provisions of the aforementioned Article 44, which does not exhaustively list the forms that the transcriptions made by authorized agents may take.

19 Consequently, the request for nullity will be rejected.

2. On the use of elements resulting from the response of the company SERGIC ENTREPRISES

20 The company notes that in the report notified on February 5, 2019, the rapporteur indicated that he had taken into account information that had been transmitted by its subsidiary, SERGIC ENTREPRISES, a legal entity distinct from SERGIC, in the context of a sanction procedure previously opened against the latter. The company SERGIC claims that neither the report nor the rapporteur's reply clearly indicate which information provided by the company SERGIC ENTREPRISES was relied upon by the rapporteur in the context of the present proceedings. The company thus indicates that it does not know how the rapporteur has taken these elements into account in the elaboration of his proposal. It therefore asks the restricted formation to rule solely on the basis of the observations and documents it has provided and to exclude the information provided by the company SERGIC ENTREPRISES.

21. The restricted formation notes first of all that, in his report of February 4, 2019, the rapporteur clearly stated that a first sanction procedure had been initiated against the company SERGIC ENTREPRISES but that the investigations carried out in the framework of this procedure had revealed that SERGIC ENTREPRISES was not the controller to whom failures could be blamed. The restricted formation notes that the sanction procedure initiated against SERGIC ENTREPRISES was closed on January 31, 2019.

22 The restricted formation then notes that, in his response to the company's observations, the rapporteur indicated that the elements that he had taken into account in drawing up his report were the information relating to the fact that SERGIC had notified the data breach to the data subjects, the fact that the number of persons concerned by the data breach had been clarified and the fact that the documents transmitted by the candidates were kept for pre-litigation and litigation purposes.

23 It considers that the indications given by the rapporteur enabled the company to identify unambiguously the information in question and the developments in the report containing it.

24 Finally, the restricted formation emphasizes that all the information on which the rapporteur based his proposal for sanction, whatever the source, was brought to the attention of the company SERGIC in the context of the procedure and submitted to a contradictory debate. In doing so, the company was aware that this information was taken into account and was in a position to question the accuracy of the facts developed in the report and to contest their scope.

25 Consequently, the company's request not to take into consideration the elements resulting from the procedure followed against SERGIC ENTREPRISES should be rejected.

3. On the absence of prior formal notice

26 The company argues that the breaches of which it is accused could have been corrected by means of a formal notice. It therefore believes that the immediate initiation of a sanction procedure, without prior formal notice, deprived it of the possibility of complying.

27 The Panel notes that it follows from the very letter of the provisions of III of Article 45 of the Act of January 6, 1978 as amended, resulting from Act no. 2018-493 of June 20, 2018 aimed at bringing national legislative provisions into conformity with those of the RGPD, that the pronouncement of a sanction is not subject to the prior adoption of a formal notice. The decision to appoint a rapporteur and to refer the matter to the restricted panel is a power belonging to the President of the CNIL, who has the power to initiate proceedings and can therefore determine, depending on the circumstances of the case, the follow-up to be given to investigations by, for example, closing a file, issuing a formal notice or referring the matter to the restricted panel with a view to issuing one or more corrective measures.

4. On the failure to comply with the obligation to ensure the security and confidentiality of personal data

a. On the characterization of the breach

28 Article 32 (1) of the Regulation provides that: Having regard to the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing and the risks, varying in probability and seriousness, to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

    pseudonymization and encryption of personal data;
    means to guarantee the constant confidentiality, integrity, availability and resilience of the processing systems and services;
    means to restore the availability of and access to personal data within appropriate time frames in the event of a physical or technical incident;
    a procedure for regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

29 Article 32 (2) provides that: When assessing the appropriate level of security, particular account shall be taken of the risks represented by the processing, resulting in particular from the destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored or otherwise processed accidentally or unlawfully.

30. It is the responsibility of the restricted formation to determine whether SERGIC has failed in its obligation to ensure the security of the personal data processed and, in particular, whether the company has implemented means to guarantee their confidentiality, in order to prevent their access by unauthorized third parties, in accordance with the aforementioned article 32 (1) ii.

31 The restricted formation notes first of all that the existence of a security flaw on the www.sergic.com website is not disputed by the company. It notes that this security flaw made possible a personal data breach insofar as it allowed unauthorized third parties to access this data.

32 The restricted formation recalls that when a request to access a resource is addressed to a server, the latter must first ensure that the issuer of this request is authorized to access the requested information. In this case, both the complainant and the inspection delegation were able to freely consult the documents transmitted to the company by a large number of applicants for rental, without any measure restricting this possibility.

33 This access to the documents kept by the company reflects a faulty design of the site, characterized in this case by the lack of implementation of a user authentication procedure. The data breach resulting from this security flaw could have been avoided if, for example, the company had implemented a means of authentication to ensure that the persons accessing the documents were indeed those who had uploaded them to the directory in question, and that only those persons could access them. The implementation of such a feature was an essential precautionary measure, which would have made it possible to guarantee the confidentiality of the personal data processed, in accordance with Article 32 (1) ii, and to significantly reduce the risk of this data breach occurring.

34 The restricted formation recalls that the exposure of personal data without prior access control is identified as one of the most widespread vulnerabilities and that it has already pronounced numerous public pecuniary sanctions for similar facts.

35 In view of these elements, the restricted formation considers that the company has not implemented the appropriate technical and organizational measures to guarantee the security of the personal data processed, in accordance with Article 32 of the Regulation.

b. On the scope of the breach

36 The company emphasizes that exploiting the vulnerability required special skills, as demonstrated by the use of a script by the inspection delegation, and that it was only possible with knowledge of the URL https://www.crm.sergic.com/documents/upload/eresa/X.pdf. The company also points out that not all of the documents contained in the directory could have been downloaded by the delegation. It also points out that no user of the site has reported to it that his or her personal data has been misused.

37 The Company further emphasizes that each of the documents provided by the rental applicants is necessary for the constitution of the file, in particular to assess their solvency, and that it does not ask the applicants for any documents other than those referred to in Decree no. 2015-1437 of November 5, 2015 establishing the list of supporting documents that may be requested from the rental applicant and his deposit.

38 It further recalls that it has no control over the documents spontaneously uploaded by the candidates even though they are not included in the aforementioned decree. Likewise, the company considers that it cannot be held responsible for the fact that some candidates upload their Carte Vitale as proof of identity or that the registration number (NIR) appears on documents issued by social organizations that are transmitted by individuals.

39 Finally, the company explains that following the data breach, it planned to fix the vulnerability over several months, which resulted in the release of a patch on September 17, 2018 that will definitively end the vulnerability. The company specifies that these delays are explained by the strong demand for rentals during the summer period and by the difficulty of suspending its activities during this period.

40 Firstly, the restricted formation observes that the exploitation of the vulnerability did not require any particular technical mastery of IT. Indeed, simply modifying the value of X in the URL https://www.crm.sergic.com/documents/upload/eresa/X.pdf allowed anyone with knowledge of the above URL to download the documents in question, without needing to create an account on the site beforehand, and without any handling more complicated than changing the value X, which corresponds to a number. Moreover, the restricted formation considers that the use of a script does not require advanced skills to exploit this vulnerability. The use of a script by the inspection delegation had the sole purpose of automating a manual process of changing the value of X at the end of the URL in question, in order to download one document after another more quickly.

41 Secondly, regarding the number of files concerned by the security flaw, the restricted formation observes that it was the CNIL delegation that, on its own initiative, interrupted the execution of the script in order not to overload the server hosting the website. It then emerges from the information transmitted by the company to the delegation during the audit of September 13, 2018, and from the observations made, that all of the documents contained in the directory in question, i.e. 290,870 files, were made accessible by this security flaw. The files that, according to the company, could not be downloaded corresponded to numbers to which no file was attached, as the company acknowledged at the hearing. The Panel notes that in its submissions, the Company further indicated that the number of persons involved was 29,440.

42 Third, the Panel considers that the breach of security is aggravated by the nature of the personal data made available. Indeed, as explained above, the documents transmitted by the candidates for rental are of a very diverse nature and included, in particular, marriage certificates, divorce judgments, employment contracts, documents relating to social benefits or tax notices. These documents contain not only identification data, such as surname, first name and contact details, but also a large amount of information that can reveal some of the most intimate aspects of people's lives, such as divorce judgments.

43 The restricted formation does not question the need for SERGIC to have most of these documents. It nevertheless recalls that Article 32 of the Regulation requires the data controller to implement security measures appropriate to the risks induced by the processing for the rights and freedoms of individuals, risks resulting in particular from unauthorized access to the personal data processed. Moreover, insofar as SERGIC processes documents containing very precise information on certain aspects of the private life of individuals, the need to implement proportionate security measures, allowing their confidentiality to be guaranteed, was all the more important. The restricted formation recalls on this point that recital 83 of the Regulation provides that [...] These measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.

44 Finally, the restricted formation notes that the existence of the vulnerability on www.sergic.com was brought to the Company's attention as early as March 8, 2018 and was not resolved until September 2018. The users' personal data was therefore accessible for at least six months even though the company SERGIC was aware of it. While the restricted formation admits that the correction of the vulnerability could require analysis and technical development phases, it considers that emergency measures not aimed at correcting the vulnerability but at reducing the extent of the data breach were technically simple to implement and could have been rapidly deployed. For example, the files contained in the directory made accessible by the vulnerability could have been moved to a temporary directory, or a URL filtering rule could have been implemented to prevent access to the documents. Furthermore, it appears that the company, aware of the increase in its activities from May onwards due to the high demand for rentals, chose to give priority to the stability of its information system during this period over the correction of the vulnerability affecting the personal data it contained. Consequently, insofar as the security flaw was brought to its attention as early as March 8, 2018, and insofar as the company knew that a peak in activity would occur as of May, it was incumbent upon it to anticipate this difficulty and to take all necessary measures as soon as it became aware of this vulnerability.
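The design fault described in paragraphs 32 and 33 and the interim URL filter mentioned in paragraph 44, as an added illustration that is not part of the decision or of SERGIC's systems: a minimal Python document handler in the vulnerable shape (sequential integer id, no authentication) beside a hardened version that authenticates the requester and checks ownership of the requested object, a deny-by-default path filter of the emergency kind the formation mentions, and a log check that flags one client walking sequential ids. Document ids, sessions and log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Document:
    doc_id: int      # sequential number, the X in .../eresa/X.pdf
    owner: str       # applicant who uploaded the document
    content: bytes


@dataclass(frozen=True)
class Response:
    status: int
    body: bytes = b""


# Constructed directory of applicant uploads, keyed by sequential id.
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, "alice", b"%PDF constructed tax notice"),
    1002: Document(1002, "bob", b"%PDF constructed identity card"),
    1003: Document(1003, "carol", b"%PDF constructed payslip"),
}

# Constructed session table: session cookie value -> authenticated applicant.
SESSIONS: Dict[str, str] = {"sess-alice": "alice", "sess-bob": "bob"}


def serve_vulnerable(doc_id: int) -> Response:
    """The design the decision faults: the only check is that the file
    exists, so anyone who changes X in the URL receives the document."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return Response(404)
    return Response(200, doc.content)


def serve_hardened(doc_id: int, session_cookie: Optional[str]) -> Response:
    """Authenticate the requester, then check that the requested object
    belongs to that requester (object-level authorization)."""
    user = SESSIONS.get(session_cookie or "")
    if user is None:
        return Response(401)  # no authenticated session: refuse outright
    doc = DOCUMENTS.get(doc_id)
    # One status for "does not exist" and "not yours", so the response
    # does not confirm which sequential ids are in use.
    if doc is None or doc.owner != user:
        return Response(404)
    return Response(200, doc.content)


# Emergency measure of the kind paragraph 44 describes: deny the exposed
# path prefix at the edge until the application fix is in production.
BLOCKED_PREFIXES = ("/documents/upload/eresa/",)


def edge_filter(path: str) -> bool:
    """True if the request may reach the application, False if blocked."""
    return not path.startswith(BLOCKED_PREFIXES)


# Detection side: one client fetching many distinct ids under the exposed
# prefix is the access pattern of the enumeration the decision records.
LOG_RE = re.compile(r'^(\S+) .*"GET /documents/upload/eresa/(\d+)\.pdf')


def detect_enumeration(log_lines: List[str], threshold: int) -> Dict[str, List[int]]:
    """Return {client_ip: sorted ids} for clients that fetched at least
    `threshold` distinct document ids under the exposed prefix."""
    seen: Dict[str, set] = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen.setdefault(m.group(1), set()).add(int(m.group(2)))
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= threshold}


# Constructed access-log sample in common log format.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Sep/2018:10:00:01 +0200] "GET /documents/upload/eresa/1001.pdf HTTP/1.1" 200 5120',
    '203.0.113.5 - - [07/Sep/2018:10:00:02 +0200] "GET /documents/upload/eresa/1002.pdf HTTP/1.1" 200 7340',
    '198.51.100.7 - - [07/Sep/2018:10:00:02 +0200] "GET /documents/upload/eresa/1002.pdf HTTP/1.1" 200 7340',
    '203.0.113.5 - - [07/Sep/2018:10:00:03 +0200] "GET /documents/upload/eresa/1003.pdf HTTP/1.1" 200 6011',
]

if __name__ == "__main__":
    print(serve_vulnerable(1002).status, serve_hardened(1002, "sess-alice").status)
    print(detect_enumeration(SAMPLE_LOG, 3))
```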

5. On the failure to comply with the obligation to retain data for a proportionate period of time

45 Section 5-1-e) of the Regulation provides that :

1. Personal data must be :

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation').

46 The rapporteur criticises SERGIC for keeping the documents submitted by applicants who did not obtain a tenancy for longer than necessary to achieve the purpose for which the personal data were collected and processed, namely the letting of a property, without that retention being subject to appropriate safeguards.

47 In its defence, the company first points out that such persons may lodge a complaint with the Defender of Rights alleging discrimination, in which case the Defender of Rights may require the company to produce the applicant's entire file. The company states that, since the limitation period for acts of discrimination is six years, the documents are kept for that period. It adds that the inspection delegation did not find any documents predating 2012 in the directory affected by the vulnerability. The company stresses in its submissions that nothing in the file proves the absence of intermediate archiving of the data or of management of access authorisations to the documents.

48 The restricted committee recalls that the retention period of personal data must be determined according to the purpose of the processing. Once that purpose is achieved, the data must either be deleted or be placed in intermediate archiving where their retention is necessary to comply with legal obligations or for pre-litigation or litigation purposes. Such data must then be held in intermediate archiving for a period not exceeding that necessary for the purposes for which they are kept, in accordance with the provisions in force. Thus, after sorting the relevant data to be archived, the controller must provide for this purpose either a dedicated archive database or a logical separation within the active database. This logical separation is ensured by technical and organisational measures guaranteeing that only persons with an interest in processing the data by virtue of their functions, such as staff of the legal department, have access to it. Beyond these retention periods in intermediate archiving, personal data must be deleted.

49 In this case, the restricted committee recalls that the company SERGIC collects applicants' personal data for the purpose of allocating housing. Once that purpose is achieved, the personal data of applicants who did not obtain a tenancy may no longer be kept in the active database for more than three months, and beyond that period must be logically separated or placed in intermediate archiving.
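A retention routine implementing paragraphs 48 and 49 (at most three months in the active database for unsuccessful applicants, then logical separation with access limited to the legal function, then deletion) looks like the following. This is an added example written for this page, not SERGIC's code or anything the CNIL prescribed; the record layout, the role names and the archive duration are assumptions. The archive period is set to the six years SERGIC cited for discrimination claims (paragraph 47), a figure the committee reports without endorsing a specific duration.

```python
import calendar
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Set

ACTIVE_MONTHS = 3    # paragraph 49: at most three months in the active database
ARCHIVE_MONTHS = 72  # assumption: the six-year limitation period SERGIC cited (paragraph 47)

# Assumed role names. Paragraph 48: archive access limited to persons whose
# functions require it, such as the legal department.
TIER_ACCESS: Dict[str, Set[str]] = {
    "active": {"letting", "legal"},
    "archive": {"legal"},
}


@dataclass(frozen=True)
class ApplicantFile:
    applicant_id: str
    selected: bool        # True for the applicant who obtained the tenancy
    decided_on: date      # date the housing was allocated (purpose achieved)
    tier: str = "active"  # "active" or "archive" (the logical separation)


def months_ago(today: date, months: int) -> date:
    """Calendar-accurate 'today minus N months', clamping the day where needed."""
    years, month_index = divmod(today.month - 1 - months, 12)
    year, month = today.year + years, month_index + 1
    day = min(today.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def apply_retention(files: List[ApplicantFile], today: date) -> List[ApplicantFile]:
    """Returns the files that survive one retention pass, with tiers updated.

    Tenants stay active: the purpose (managing their lease) is ongoing.
    Unsuccessful applicants leave the active database after ACTIVE_MONTHS,
    stay logically separated until ARCHIVE_MONTHS, and are then deleted.
    Decisions depend only on age, so a file that sat in 'active' for years
    is purged outright rather than being archived first.
    """
    archive_after = months_ago(today, ACTIVE_MONTHS)
    delete_after = months_ago(today, ARCHIVE_MONTHS)
    kept = []
    for f in files:
        if f.selected:
            kept.append(f)
        elif f.decided_on < delete_after:
            continue                                 # purged
        elif f.decided_on < archive_after:
            kept.append(replace(f, tier="archive"))  # logical separation
        else:
            kept.append(f)
    return kept


def can_access(f: ApplicantFile, role: str) -> bool:
    """Access check enforcing the separation between the two tiers."""
    return role in TIER_ACCESS[f.tier]


# Constructed sample files, evaluated as of the CNIL inspection date (13 September 2018).
INSPECTION_DATE = date(2018, 9, 13)
SAMPLE_FILES = [
    ApplicantFile("app-A", selected=False, decided_on=date(2018, 8, 20)),                  # recent: stays active
    ApplicantFile("app-B", selected=False, decided_on=date(2018, 5, 1)),                   # over 3 months: archive
    ApplicantFile("app-C", selected=True, decided_on=date(2017, 1, 1)),                    # tenant: stays active
    ApplicantFile("app-D", selected=False, decided_on=date(2011, 6, 1), tier="archive"),   # over 6 years: delete
    ApplicantFile("app-E", selected=False, decided_on=date(2018, 3, 1), tier="archive"),   # already archived: keep
]


def tiers_after_pass(files=SAMPLE_FILES, today=INSPECTION_DATE) -> Dict[str, str]:
    """Applicant id -> tier after one retention pass (deleted files are absent)."""
    return {f.applicant_id: f.tier for f in apply_retention(files, today)}


if __name__ == "__main__":
    for f in apply_retention(SAMPLE_FILES, INSPECTION_DATE):
        print(f.applicant_id, f.tier, "letting:", can_access(f, "letting"), "legal:", can_access(f, "legal"))
```

The point of the tier field is that the "archive" is not a separate copy that the letting staff can still open: the access check reads the tier, so the same store enforces who may see what, which is what paragraph 48 means by logical separation within the active database.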

50 However, the restricted committee notes that the company told the CNIL delegation during the inspection of 13 September 2018 that the documents submitted by applicants who did not obtain a tenancy, i.e. those for which continued processing was no longer justified, were not deleted and that no purge was implemented in the database. It also notes that, in its defence submissions, the company produced a document showing that its policy on the retention of customer and prospect data was not formalised until November 2018. Finally, at the hearing of 11 April 2019, the company stated that an archiving solution for the documents in question was being implemented.

51 It follows from these various elements that SERGIC kept the personal data of applicants who did not obtain a tenancy in its active database for a period substantially exceeding that necessary to achieve the purpose of the processing, namely the allocation of housing, without any intermediate archiving solution having been implemented.

52 In light of all these elements, the restricted committee considers that a breach of the storage limitation obligation laid down in Article 5 of the Regulation is established.

III. On sanctions and publicity

53. Article 45-III-7° of the Act of 6 January 1978 provides: Where the controller or its processor fails to comply with the obligations arising from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 referred to above or from this Act, the President of the Commission Nationale de l'Informatique et des Libertés may also, where appropriate after having sent the warning provided for in I of this article or, where appropriate in addition to a formal notice provided for in II, refer the matter to the restricted committee of the Commission with a view to the imposition, after adversarial proceedings, of one or more of the following measures: An administrative fine not exceeding EUR 10 million or, in the case of an undertaking, 2% of its total annual worldwide turnover in the preceding financial year, whichever is higher, except where the processing is carried out by the State. In the cases referred to in Article 83(5) and (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, these ceilings are raised to EUR 20 million and 4% of that turnover respectively. In determining the amount of the fine, the restricted committee shall take into account the criteria specified in Article 83. Article 83 of the GDPR provides that each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in Article 58(2)(a) to (h) and (j).
When deciding whether to impose an administrative fine and deciding on its amount, due regard shall be given in each individual case to the following: (a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

54 The company considers that an administrative fine of EUR 900,000 is disproportionate in light of the criteria set out in Article 83 of the Regulation, its financial capacity and the sanctions previously imposed by the restricted committee. It further points out that neither the GDPR nor the French Data Protection Act lays down rules on the maximum fine that the supervisory authority may impose when the breaches found are punishable, for one, by a fine of up to EUR 10 million or 2% of annual worldwide turnover and, for the other, by a fine of up to EUR 20 million or 4% of annual worldwide turnover.

55 First, the restricted committee considers that, in the present case, the above breaches justify imposing an administrative fine on the company for the following reasons.

56 On the one hand, it recalls that, in view of the risks posed by personal data breaches, the European legislator intended to reinforce controllers' obligations regarding the security of processing. Thus, according to recital 83 of the GDPR, in order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage. However, the restricted committee observes that the security flaw that made the data breach possible originates in a faulty design of the company's website. Implementing an authentication procedure on the site was an elementary measure that would have prevented the personal data breach.

57 On the other hand, the restricted committee notes that SERGIC did not act with due diligence in correcting the vulnerability, whereas in the presence of a data breach the GDPR requires a rapid reaction. Recital 85 thus states that a personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or non-material damage to natural persons [...]. Even though no natural person has so far reported having suffered damage as a result of the breach, the company's lack of promptness in correcting the vulnerability, over a period of at least six months, had the effect of prolonging the risk of such damage occurring.

58. Next, the seriousness of the breaches must also be assessed with regard to the categories of data concerned. In this respect, the restricted committee recalls that the data processed by the company when managing prospective tenants' files contain particularly precise information on certain aspects of their private lives. Once it receives such data, the company must pay particular attention to preserving its confidentiality and to the way it is stored; however, it did not provide for an intermediate database and kept this data for a clearly excessive period.

59 The restricted committee also recalls that Article 83(3) of the Regulation provides that, in the event of multiple infringements, the total amount of the fine may not exceed the amount specified for the gravest infringement. In this case, since the company is accused of a breach of Article 5 of the Regulation, which is punishable by a fine of up to EUR 20 million or 4% of annual worldwide turnover, it is this ceiling that must be taken into consideration.

60 In light of all these elements, the restricted committee, taking into account the criteria set out in Article 83 of the GDPR and the company's financial situation, considers that an administrative fine of EUR 400,000 is justified and proportionate, together with an additional penalty of publication for the same reasons.

FOR THESE REASONS

The restricted committee of the CNIL, having deliberated, decides:

    to reject the request for nullity raised by the company SERGIC;

    to reject the request of the company SERGIC that the elements resulting from the procedure followed against the company SERGIC ENTREPRISES not be taken into consideration;

    to impose an administrative fine of EUR 400,000 (four hundred thousand euros) on the company SERGIC;

    to publish this decision on the CNIL website and on the Légifrance website, the decision to be anonymised two years after its publication.

The President

Alexandre LINDEN

This decision may be appealed before the Council of State (Conseil d'État) within two months of its notification.