CNIL (France) - SAN-2023-008: Difference between revisions
mNo edit summary |
mNo edit summary |
||
Line 77: | Line 77: | ||
}} | }} | ||
A Controller was fined €150 000 because it collected excessive data, including sensitive data, without prior and explicit consent, and did not sufficiently ensure the security of the data. | A Controller was fined €150,000 because it collected excessive data, including sensitive data, without prior and explicit consent, and did not sufficiently ensure the security of the data. | ||
== English Summary == | == English Summary == |
Revision as of 09:30, 27 June 2023
CNIL - SAN-2023-008 | |
---|---|
Authority: | CNIL (France) |
Jurisdiction: | France |
Relevant Law: | Article 5(1)(e) GDPR Article 5(1)(c) GDPR Article 6 GDPR Article 9 GDPR Article 12 GDPR Article 28 GDPR Article 32 GDPR Article 33 GDPR Article 82 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | |
Published: | 08.06.2023 |
Fine: | 150000 EUR |
Parties: | KG COM |
National Case Number/Name: | SAN-2023-008 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | French |
Original Source: | LegiFrance (in FR) |
Initial Contributor: | Sainey Belle |
A Controller was fined €150,000 because it collected excessive data, including sensitive data, without prior and explicit consent, and did not sufficiently ensure the security of the data.
English Summary
Facts
On 1st October 2020, an article published in a French media website, revealed the existence of a personal data breach concerning the data stored on KG COM's (Controller) server. According to this article, the Controller’s database was not subject to special security measures and it was freely accessible on the Internet until 23rd July 2020. The data exposed included the identification data and contact data of prospective and actual customers (data subjects).
The Controller operates several websites to offer its customers clairvoyance readings by chat or phone. Following the publication of the article, the French DPA (CNIL) carried out three investigations into the Controller’s practices.
Holding
During its investigations, the CNIL noticed several infringements, in particular concerning the systematic recording of phone calls, the collection of health data and information relating to sexual orientation, the retention of banking data without the consent of individuals, the obligation to notify a data breach or the rules relating to cookies.
1. Failure to comply with Article 5(1)(c) GDPR The company systematically recorded all phone calls between telephone operators and prospects, as well as between fortune-tellers and customers, with the aim of checking service quality, proving that a contract has been formed and responding to potential court orders. Although the company has now stopped phone-based clairvoyance readings, and therefore phone recordings, it has not provided any justification for the previous need to systematically record all calls for these purposes. Per CNIL, the controller cannot set up the processing of personal data without ensuring that it is necessary for its needs.
For the purposes of quality control, the establishment of a randomised system of recording only a few telephone conversations allows the person in charge of quality control monitoring to have the necessary elements to evaluate the quality of the services offered.
Furthermore, a Controller who wishes to record telephone conversations for probationary purposes must demonstrate that they do not have other less intrusive means to prove that the contract concluded over the phone has been concluded with the person concerned. In this case, the existence of the contract concluded over the phone can be proven by another less intrusive means. Per Article L.221-16 of the Consumer Code, when the professional contacts a consumer by telephone in order to conclude a contract for the sale of a good or the supply of a service, the latter is only committed by this offer after having signed and accepted it on a durable medium. As soon as proof of the subscription of a contract has been concluded, following a telephone canvassing, can be provided by the written confirmation of the offer, the recording of telephone conversations, made, for the purpose of proof of the formation of the contract, does not appear necessary.
With regard to the complete and systematic recording of telephone calls in the perspective of judicial orders, while it is necessary for Controllers to comply with any judicial orders they receive concerning the data they process for their own purposes, they do not have to organize, in advance, the collection of personal data with a view to responding to a potential judicial order. Therefore, the recording of telephone calls, in order to respond to a judicial order, is not justified.
In addition, the Controller recorded calls made with prospective customers. During these telephone calls, they collected the bank data of prospects (credit card number, expiry date and cryptogram). In advance of this, the Controller had not put in place any measures to interrupt the recording of telephone conversations when the data subjects were providing their bank details. The recording of data subjects' bank data is not useful for the Controller in the context of quality control, for probationary or security purposes. In addition, the recording of data was not relevant to the purposes provided by the Controller during the procedure: the booking of appointments with a clairvoyant, the simplification of the regulation of subsequent consultations, the payment of subscriptions and the fight against fraud.
2. Failure to comply with Article 5(1)(e) GDPR Through a reading of the Controller’s policies, the CNIL determined that the retention period for data is set at three years from the end of the commercial relationship. Nevertheless, the Controller retained the data of subjects who have not had consultations for over five years.
CNIL held that the data necessary for the execution of contracts are kept for the duration of the contractual relationship. At the end of the contract, they must be kept in intermediate archiving and for a reasonable period of time, if the Controller has a legal obligation to do so (for example, to meet accounting or tax obligations) or if he wishes to constitute evidence in the event of litigation, and within the applicable limitation period. For this purpose, it will be necessary to provide for a dedicated archive database or a logical separation in the active database, after sorting the relevant data to be archived.
3. Failure to comply with Article 6 GDPR In respect of card details, the retention of payment card data beyond the completion of a transaction for the purpose of combating payment card fraud is not part of the scope of the contract, neither is retaining details for the purpose of auto completing the data when the data subject wants to reuse the services. The retaining of bank details requires that the prior free, specific, informed and unambiguous consent of persons, pursuant to Article 6(1)(a) GDPR be collected.
4. Failure to comply with Article 9 GDPR During consultations, data subjects provide the Controller with data concerning their health status and sexual orientation. At the end of the consultations, this information is recorded in the data subjects records, which are kept in the Controllers business tool. The simple desire to receive a clairvoyance service and the fact the information is delivered directly from the data subject, this does not constitute an explicit consent of the data subject to process the data.
5. Failure to comply with Article 12 GDPR Information is considered easily accessible, within the meaning of Article 12 GDPR, if it is provided to the data subject, without the need to actively search for it. When data subjects are creating a use account on the Controllers website, they must leave the registration process in order to return to the home page, scroll to the bottom, click on the Controller’s general conditions of sale and actively search this document for information relating to the protection of personal data. Since a course of several actions are necessary for the data subject to obtain information on data processing, this not considered information that is easily accessible.
Furthermore, the general conditions of sale is not easily identifiable as a document with information on data processing as it also contains information on “conditions of sale”.
6. Failure to comply with Article 28 GDPR In two of its contracts with subcontractors (Processors), there was an absence of signatures and mandatory terminology required pursuant to Article 28(3) GDPR such as the Processor shall only process data on the documented instructions of the Controller. These facts do not ensure effective protection of personal data processed through contractual guarantees.
7. Failure to comply with Article 32 GDPR Data subjects were allowed to implement passwords using only a single character. In addition, the Controller’s access to their CRM system is based on a permissive rule, the username and password are created only two employees, and without any special rules concerning the complexity of passwords. The mechanism used by the Controller to encrypt bank data has vulnerabilities.
Access to the Controller’s website, was at one point, made using http protocol instead of the https protocol, which then exposed the data to the risk of computer attacks or leaks as it allows for the unencrypted reading of flows containing personal data, including bank data, between the data subjects browser and the server hosting the site.
8. Failure to comply with Article 33 GDPR The Controller was aware of the breach since 29th September 2020, when the journalist provided a sample of the impacted data, or no later than 30th September 2020 at the end of its internal investigations. Due to the severity of the breach, it is considered notifiable under Article 33(1) GDPR. However, no notification was made. In the Controllers defence, they asserted that the journalist's alert came after the server was closed (as of 10th July 2020) and that the Processor, in charge of outsourcing, did not keep the connection logs to the server concerned. This procedure meant the Controller was not able to assess the incident and establish a personal data breach as defined in Article 4(12) GDPR.
9. Failure to comply with Article 82 GDPR The cookie banner on the Controllers website did not contain information on how to refuse tracers, the consequences of a refusal and the existence of the right to withdraw consent.
A fine of €150,000 was imposed on the Controller (€120,000 for GDPR violations and €50,000 for France’s Data Protection Act violations).
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.