CNIL (France) - SAN-2023-008

From GDPRhub
Revision as of 09:42, 27 June 2023 by Mg (talk | contribs)
CNIL - SAN-2023-008
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(c) GDPR
Article 6 GDPR
Article 9 GDPR
Article 12 GDPR
Article 28 GDPR
Article 32 GDPR
Article 33 GDPR
Article 82 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 08.06.2023
Fine: 150000 EUR
Parties: KG COM
National Case Number/Name: SAN-2023-008
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): French
Original Source: LegiFrance (in FR)
Initial Contributor: Sainey Belle

A Controller was fined €150,000 because it collected excessive data, including sensitive data, without prior and explicit consent, and did not sufficiently ensure the security of the data.

English Summary

Facts

On 1st October 2020, an article published in a French media website, revealed the existence of a personal data breach concerning the data stored on KG COM's (Controller) server. According to this article, the Controller’s database was not subject to special security measures and it was freely accessible on the Internet until 23rd July 2020. The data exposed included the identification data and contact data of prospective and actual customers (data subjects).

The Controller operates several websites to offer its customers clairvoyance readings by chat or phone. Following the publication of the article, the French DPA (CNIL) carried out three investigations into the Controller’s practices.

Holding

During its investigations, the CNIL noticed several infringements, in particular concerning the systematic recording of phone calls, the collection of health data and information relating to sexual orientation, the retention of banking data without the consent of individuals, the obligation to notify a data breach or the rules relating to cookies.

1. Failure to comply with Article 5(1)(c) GDPR

The controller systematically recorded all phone calls between telephone operators and prospective customers, as well as between fortune-tellers and customers, with the aim of checking service quality, proving that a contract has been performed and protecting their interests in civil proceedings. The controller did not provide any justification for the practice of systematically recording all calls for these purposes. According to the CNIL, the controller cannot set up the processing of personal data without ensuring that it is necessary for its needs.

For the purposes of quality control, the establishment of a randomised system of recording allows the person in charge of quality control monitoring to have the necessary elements to evaluate the quality of the services offered.

Furthermore, a controller who wishes to record telephone conversations for probatory purposes must demonstrate that they do not have other less intrusive means to prove that the contract concluded over the phone was concluded with the person concerned. In this case, the existence of the contract concluded over the phone could be proven by less intrusive means.

With regard to the complete and systematic recording of telephone calls in the perspective of complying with judicial orders, they do not have to organize, in advance, the collection of personal data with a view to responding to a judicial order which is only potential. Therefore, the recording of all telephone calls, in order to respond to a judicial order, is not justified.

In addition, the controller recorded calls made with prospective customers. During these telephone calls, they collected the bank data of prospects (credit card number, expiry date and cryptogram). The Controller had not put in place any measures to interrupt the recording of telephone conversations when the data subjects were providing their bank details. The recording of data subjects' bank data is not useful for the Controller in the context of quality control, for probationary or security purposes. In addition, the recording of data was not relevant to the purposes provided by the Controller during the procedure: the booking of appointments with a clairvoyant, the simplification of the regulation of subsequent consultations, the payment of subscriptions and the fight against fraud.

2. Failure to comply with Article 5(1)(e) GDPR

Through a reading of the Controller’s policies, the CNIL determined that the retention period for data is set at three years from the end of the commercial relationship. Nevertheless, the Controller retained the data of subjects who have not had consultations for over five years.

CNIL held that the data necessary for the execution of contracts are kept for the duration of the contractual relationship. At the end of the contract, they must be kept in intermediate archiving and for a reasonable period of time, if the Controller has a legal obligation to do so (for example, to meet accounting or tax obligations) or if he wishes to constitute evidence in the event of litigation, and within the applicable limitation period. For this purpose, it will be necessary to provide for a dedicated archive database or a logical separation in the active database, after sorting the relevant data to be archived.

3. Failure to comply with Article 6 GDPR

In respect of card details, the retention of payment card data beyond the completion of a transaction for the purpose of combating payment card fraud is not part of the scope of the contract, neither is retaining details for the purpose of auto completing the data when the data subject wants to reuse the services. The retaining of bank details requires that the prior free, specific, informed and unambiguous consent of persons, pursuant to Article 6(1)(a) GDPR be collected.

4. Failure to comply with Article 9 GDPR

During consultations, data subjects provide the Controller with data concerning their health status and sexual orientation. At the end of the consultations, this information is recorded in the data subjects records, which are kept in the Controllers business tool. The simple desire to receive a clairvoyance service and the fact the information is delivered directly from the data subject, this does not constitute an explicit consent of the data subject to process the data.

5. Failure to comply with Article 12 GDPR

Information is considered easily accessible, within the meaning of Article 12 GDPR, if it is provided to the data subject, without the need to actively search for it. When data subjects are creating a use account on the Controllers website, they must leave the registration process in order to return to the home page, scroll to the bottom, click on the Controller’s general conditions of sale and actively search this document for information relating to the protection of personal data. Since a course of several actions are necessary for the data subject to obtain information on data processing, this not considered information that is easily accessible.

Furthermore, the general conditions of sale is not easily identifiable as a document with information on data processing as it also contains information on “conditions of sale”.

6. Failure to comply with Article 28 GDPR

In two of its contracts with subcontractors (Processors), there was an absence of signatures and mandatory terminology required pursuant to Article 28(3) GDPR such as the Processor shall only process data on the documented instructions of the Controller. These facts do not ensure effective protection of personal data processed through contractual guarantees.

7. Failure to comply with Article 32 GDPR

Data subjects were allowed to implement passwords using only a single character. In addition, the Controller’s access to their CRM system is based on a permissive rule, the username and password are created only two employees, and without any special rules concerning the complexity of passwords. The mechanism used by the Controller to encrypt bank data has vulnerabilities.

Access to the Controller’s website, was at one point, made using http protocol instead of the https protocol, which then exposed the data to the risk of computer attacks or leaks as it allows for the unencrypted reading of flows containing personal data, including bank data, between the data subjects browser and the server hosting the site.

8. Failure to comply with Article 33 GDPR

The Controller was aware of the breach since 29th September 2020, when the journalist provided a sample of the impacted data, or no later than 30th September 2020 at the end of its internal investigations. Due to the severity of the breach, it is considered notifiable under Article 33(1) GDPR. However, no notification was made. In the Controllers defence, they asserted that the journalist's alert came after the server was closed (as of 10th July 2020) and that the Processor, in charge of outsourcing, did not keep the connection logs to the server concerned. This procedure meant the Controller was not able to assess the incident and establish a personal data breach as defined in Article 4(12) GDPR.

9. Failure to comply with Article 82 GDPR

The cookie banner on the Controllers website did not contain information on how to refuse tracers, the consequences of a refusal and the existence of the right to withdraw consent.

A fine of €150,000 was imposed on the Controller (€120,000 for GDPR violations and €50,000 for France’s Data Protection Act violations).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.