CNIL (France) - SAN-2021-021: Difference between revisions

From GDPRhub
Revision as of 09:08, 17 January 2022

CNIL (France) - SAN-2021-021
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 12 GDPR, Article 15 GDPR, Article 21 GDPR, Article 25 GDPR, Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 28.12.2021
Published: 04.01.2022
Fine: 300000 EUR
Parties: n/a
National Case Number/Name: SAN-2021-021
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English, French
Original Source: CNIL (in EN), CNIL (in FR)
Initial Contributor: n/a

The French DPA issued a fine of €300,000 against a mobile operator for failing to respect customers' right of access under Article 15 GDPR and right to object under Article 21 GDPR.

English Summary

Facts

The defendant, FREE MOBILE, is a French mobile telephone operator.

The CNIL opened an investigation into the company's processing activities after it received multiple complaints by individuals who had encountered excessive difficulties in obtaining responses to access requests they had filed with it, and had objected to receiving commercial prospecting messages from the defendant.

Holding

The CNIL found the company breached the GDPR by:

  1. Failing to respect the right of access of individuals regarding their personal data (Articles 12 and 15 GDPR), since the company did not respond to the requests made by the complainants within the time limits. Moreover, controllers should also inform data subjects within one month when they will not provide any data (for example because the data is no longer processed); they also have to provide data that is held in archival databases.
  2. Failing to respect the right to object of the persons concerned (Articles 12 and 21 GDPR), since the company did not take into account the requests of the complainants that no more commercial prospecting messages be sent to them;
  3. Failing to protect data by design (Article 25 GDPR), as the company continued to send invoices to complainants for telephone lines whose subscription had been cancelled;
  4. Failing to ensure the security of personal data (Article 32 GDPR), since the company transmitted by email, in clear text, the passwords of users when they subscribed to an offer with FREE MOBILE, without these passwords being temporary and the company requiring them to be changed.
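The fourth holding describes a credential-delivery weakness: a permanent password sent by email in clear text, with no expiry and no forced change. The block below is an added example written for this page, not code from the CNIL decision or from FREE MOBILE's systems. It shows that weak pattern beside a hardened subscription flow in which no password is ever mailed: the customer receives a short-lived, single-use activation token (only its hash is stored) and chooses a password that is stored as a salted PBKDF2 hash. The in-memory store, the mail wording, the `example.invalid` link, the token lifetime and the minimum password length are all assumptions for illustration.

```python
# Added example (not from the CNIL decision or FREE MOBILE): the weak
# "password e-mailed in clear text" pattern of holding 4 beside a hardened
# activation-token flow. Store, mail format and policy values are assumed.
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600   # assumed policy: activation link valid one day
MIN_PASSWORD_LEN = 12           # assumed policy


def weak_subscribe(store, email):
    """Weak pattern: a long-lived password is created for the customer,
    stored as-is and mailed in clear text. Anyone who reads the mailbox or
    the relay logs holds a valid credential until the customer changes it,
    which nothing forces them to do."""
    password = secrets.token_urlsafe(9)
    store[email] = {"password": password, "must_change": False}
    return f"Welcome! Your login is {email} and your password is {password}"


def _hash_password(password, salt):
    # Standard-library PBKDF2-HMAC-SHA256; iteration count is an assumed choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def hardened_subscribe(store, email, now=None):
    """Hardened pattern: no password exists yet. A random, single-use
    activation token is generated; only its SHA-256 and an expiry are
    stored, and the mail carries the token, never a password."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    store[email] = {
        "activation_hash": hashlib.sha256(token.encode()).digest(),
        "activation_expires": now + TOKEN_TTL_SECONDS,
        "password_hash": None,
        "salt": None,
    }
    return ("Welcome! Choose your password at "
            f"https://example.invalid/activate?token={token}")


def activate(store, email, token, new_password, now=None):
    """Consume the activation token once and let the customer set a
    password only they know. Returns True on success, False otherwise."""
    now = time.time() if now is None else now
    rec = store.get(email)
    if rec is None or rec["activation_hash"] is None:
        return False                        # unknown account or token already used
    if now > rec["activation_expires"]:
        return False                        # token expired
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec["activation_hash"]):
        return False                        # wrong token (constant-time compare)
    if len(new_password) < MIN_PASSWORD_LEN:
        return False                        # reject weak password
    salt = secrets.token_bytes(16)
    rec["salt"] = salt
    rec["password_hash"] = _hash_password(new_password, salt)
    rec["activation_hash"] = None           # single use: token can never be replayed
    return True


def login(store, email, password):
    """Verify a password against the stored salted hash."""
    rec = store.get(email)
    if rec is None or rec["password_hash"] is None:
        return False
    return hmac.compare_digest(_hash_password(password, rec["salt"]),
                               rec["password_hash"])


def mail_leaks_password(body):
    """Outbound-mail audit check: flag any onboarding mail that states a
    password. Run over a sample of sent welcome mails, it catches the weak
    pattern before a regulator does."""
    return "password is" in body.lower()


if __name__ == "__main__":
    weak, strong = {}, {}
    print("weak mail leaks password:", mail_leaks_password(weak_subscribe(weak, "a@example.invalid")))
    body = hardened_subscribe(strong, "b@example.invalid")
    print("hardened mail leaks password:", mail_leaks_password(body))
    token = body.split("token=")[1]
    print("activation:", activate(strong, "b@example.invalid", token, "correct horse battery"))
    print("login:", login(strong, "b@example.invalid", "correct horse battery"))
```

The audit function is deliberately simple: the point is that the hardened mail never contains anything that, on its own, authenticates the customer, so an intercepted or forwarded message is worthless after the token is consumed or expires.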



English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Deliberation of the restricted committee no. SAN-2021-021 of December 28, 2021 concerning the company FREE MOBILE

The National Commission for Informatics and Freedoms, sitting in its restricted committee composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Mrs. Anne DEBET, Mrs. Christine MAUGÜÉ, Mr. Alain DRU and Mr. Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Having regard to the postal and electronic communications code;

Having regard to Law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular Articles 20 et seq.;

Having regard to Decree no. 2019-536 of May 29, 2019 adopted for the application of Law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Having regard to Deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Informatics and Freedoms;

Having regard to Decision no. 2019-188C of September 26, 2019 of the President of the National Commission for Informatics and Freedoms instructing the Secretary General to carry out, or have carried out, a mission to verify the processing operations implemented by or on behalf of the companies FREE and FREE MOBILE;

Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated December 17, 2020;

Having regard to the report by Mr. François PELLEGRINI, commissioner rapporteur, notified to the company FREE MOBILE on August 2, 2021;

Having regard to the written observations submitted by the company FREE MOBILE on September 13, 2021;

Having regard to the rapporteur's response to these observations notified to the company on October 4, 2021;

Having regard to the new written observations submitted by the company FREE MOBILE on October 22, 2021, as well as the oral observations made during the session of the restricted committee;

Having regard to the other documents in the file;

The following were present at the session of the restricted committee on November 4, 2021:

- Mr. François PELLEGRINI, commissioner, heard on his report;

As representatives of FREE MOBILE:

- […];

- […];

- […];

- […];

- […];

- […];

- […].

The FREE MOBILE company having spoken last;

The restricted committee adopted the following decision:

I. Facts and procedure

1. The company FREE MOBILE (hereinafter "the company"), whose head office is located at 16 rue de la Ville l'Évêque in Paris (75008), is a subsidiary of the ILIAD group. The company is a mobile telephone operator which markets mobile telephones and/or mobile plans. Created in 2007, it has around 600 employees.

2. For the year 2020, the company FREE MOBILE achieved a turnover of […] euros, for a net profit of […] euros. As of December 21, 2020, the company had approximately […] subscribers to mobile offers, […].

3. Between December 2018 and November 2019, the National Commission for Informatics and Freedoms (hereinafter "the CNIL" or "the Commission") received 19 complaints against the company FREE MOBILE. The complainants referred in particular to the difficulties encountered in exercising their right of access or their right to object to receiving commercial prospecting messages.

4. For the purposes of investigating the complaints, two on-site inspections, at the premises of the company FREE and then of the company FREE MOBILE, were carried out pursuant to Decision no. 2019-188C of September 26, 2019 of the President of the CNIL. These missions took place on January 21 and 22, 2020, respectively. Pursuant to the same decision, a documentary check was also carried out with the companies FREE MOBILE and FREE on June 3, 2020.

5. The purpose of these missions was to verify compliance by the company FREE MOBILE with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter "the Regulation" or "the GDPR") and of Law no. 78-17 of January 6, 1978, as amended, relating to data processing, files and freedoms (hereinafter "the law of January 6, 1978 as amended" or the "Informatique et Libertés Act").

6. During the first two checks, the CNIL delegation sought to verify the management by the company FREE MOBILE of the rights of individuals, and more particularly the way in which it had handled the requests to exercise their rights made by the people who had lodged complaints with the Commission. These checks were also intended to verify the security measures put in place by the company to protect the personal data it processes.

7. At the end of these checks, minutes no. 2019-188/1 and no. 2019-188/2 were notified to the company FREE MOBILE by letter dated January 23, 2020. The company forwarded to the Commission's services, by emails of February 3 and 10, 2020, the additional documents requested at the end of these control missions.

8. In view of the responses provided by the company, and in order to clarify certain findings previously made, a new documentary check was carried out by the CNIL on June 3, 2020, which resulted in a questionnaire being sent to the company FREE MOBILE.

9. The company sent the Commission services, by email of 29 June 2020, the additional documents and information requested during this check.

10. For the purposes of examining these elements, the President of the Commission appointed, on December 17, 2020, Mr. François PELLEGRINI as rapporteur on the basis of article 22 of the law of January 6, 1978 as amended and informed the company by letter of December 23, 2020.

11. At the end of his investigation, the rapporteur, on August 2, 2021, notified the company FREE MOBILE of a report detailing the breaches of the GDPR that he considered to be established in the present case. The letter notifying the report informed the company that it had a period of one month to communicate its written observations, in accordance with the provisions of Article 40 of Decree no. 2019-536 of May 29, 2019.

12. This report proposed that the restricted committee of the Commission issue an injunction to bring the processing into line with the provisions of Articles 15, 16, 21, 25 and 32 of the GDPR, together with a penalty payment for each day of delay after a period of three months following notification of the deliberation of the restricted committee, as well as an administrative fine. The rapporteur also proposed that this decision be made public, but that it no longer be possible to identify the company by name after a period of two years from its publication.

13. On September 13, 2021, the company filed its observations in response to the sanction report.

14. On September 23, 2021, the rapporteur requested an extension of time to respond to the observations made by the company FREE MOBILE. By letter of September 24, 2021, the chairman of the restricted committee informed the rapporteur that he had an additional six days to submit his observations. By letter dated the same day, the company was informed by the chairman of the restricted committee that it also had an additional six days to file its observations.

15. By letter of October 4, 2021, the rapporteur's response to the company's observations was sent to the company, together with a summons to attend the session of the restricted committee on November 4, 2021.

16. On October 22, 2021, the company FREE MOBILE produced new observations in response to those of the rapporteur.

17. The company and the rapporteur presented oral observations during the session of the restricted formation.

II. Reasons for the decision

A. On the processing responsibility of the FREE MOBILE company

18. Article 4(7) of the GDPR provides that the controller is "the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing".

19. In his report, the rapporteur first underlines that the delegation was informed during the on-site inspection of January 21, 2020 that "the company FREE MOBILE is the mobile radio telecommunications operator of the ILIAD group and the company FREE is the fixed telecommunications operator of the ILIAD group" and that "each customer is attached to the company FREE and/or the company FREE MOBILE" depending on the offer to which he has subscribed. The rapporteur then notes that each of the companies FREE MOBILE and FREE "has its own information system in which [its] customers appear" and that the "prospect databases are also distributed by company", so that each company has access to its own databases. A common database is also used by each of the companies, on its own behalf, in order to carry out commercial prospecting. The rapporteur finally observes that the processing register sent to the CNIL delegation indicates that the company FREE MOBILE considers itself the controller in particular for the processing relating to the management of contracts signed with it by its subscribers and for the processing related to the prospecting operations carried out with its customers and prospects on its behalf.

20. The restricted committee notes that these elements were not contested by the company FREE MOBILE. It considers that it follows from the foregoing that the FREE MOBILE company must be regarded as responsible for the processing of the personal data of its customers, implemented within the framework of the execution of mobile telephone subscription contracts, and of the people it contacts for commercial prospecting purposes, insofar as it determines the purposes and means of such processing.

B. On the company's grievances in connection with the procedure

21. The company considers that the rapporteur failed in his duty of diligence by sending it, more than eighteen months after the control operations and during the August holidays, the report proposing that the restricted committee impose a sanction on it. The company argues, on the basis of an average that it states it established from the decisions of the restricted committee rendered between 2018 and 2021 following an on-site check, that the average time for transmission of the procedure to the restricted committee is approximately thirteen months and that, in this case, this period was extended to eighteen months. The company also claims that it was unable to take cognizance, before receiving the report, of two complaints on which the rapporteur relied to find against it a breach of its obligation to ensure the security of processing. Finally, the company is surprised not to have previously been given formal notice to correct the breaches underlying the disputed facts, which it says would demonstrate the low seriousness of the breaches alleged by the rapporteur, in particular with regard to its security procedures.

22. First, the restricted committee notes that the applicable texts do not provide for a limit to the time between the conduct of checks and the transmission of a report proposing a sanction. In addition, this procedure intervened during the health crisis, which resulted in an extension of the deadlines.

23. Second, with regard to the two referrals no. 19012802 and no. 19019490, of which the company claims it was unable to take cognizance before receiving the report, the restricted committee recalls that the applicable texts do not require a preliminary investigation of complaints before the transmission of a report proposing a sanction and do not prevent the rapporteur from bringing them to the attention of the controller at the stage of his report, the complaints being on that occasion submitted to the adversarial procedure. Finally, Article 50 of the CNIL's internal regulations only requires that the subject of the complaint be "communicated to the controller concerned […] so that the latter provides all the necessary explanations", which was done in this case through the sanction report.

24. Thirdly, with regard to the transmission of the report in August and the need for the company to respond to it during the summer vacation, the restricted committee observes that the company benefited from a period of approximately six weeks to produce its first observations, so as to take this period into account, bearing in mind that Article 40 of Decree no. 2019-536 of May 29, 2019 only imposes a minimum period of one month.

25. Lastly, with regard to the complaint relating to the lack of a prior formal notice, the restricted committee firstly notes that it follows from the provisions of Article 20 of the Informatique et Libertés Act, as amended by Law no. 2018-493 of June 20, 2018, that the supervisory authority has a set of corrective measures, adapted to the specific characteristics of each case, which can be combined with each other and be preceded or not by a formal notice. Corrective measures can be taken directly in all cases.

26. The restricted committee also notes that the Constitutional Council (Cons. const., June 12, 2018, no. 2018-765 DC) did not issue a reservation concerning the possibility for the president of the CNIL to initiate a sanction procedure without a prior formal notice. Finally, the restricted committee recalls that the Council of State ruled (CE, October 9, 2020, Société SERGIC, no. 433311) that "it clearly follows [from the provisions of Article 20 of the law of January 6, 1978 as amended] that the pronouncement of a sanction by the restricted committee of the CNIL is not subject to the prior issuance of a formal notice to the controller or its processor by the president of the CNIL […]".

27. Consequently, the restricted committee considers that the present procedure and the various actions carried out in this context have not infringed the rights of the defense of the company.

C. On the qualification of the facts with regard to the GDPR

1. On the breach of the obligation to respect the right of access of individuals to personal data concerning them

28. Article 12(3) of the GDPR provides that "The controller shall provide information on action taken on a request under Articles 15 to 22 to the data subject without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay". In addition, under paragraph 4 of this article, "if the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy".

29. Article 15(1) of the GDPR provides for the right of a person to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed and, where that is the case, access to the personal data concerning him or her and in particular, "where the personal data are not collected from the data subject, any available information as to their source". Under paragraph 3 of the same article, "the controller shall provide a copy of the personal data undergoing processing".

30. The rapporteur relies on three referrals received by the CNIL, from Messrs […] (complaint no. 19018344), […] (complaint no. 19008608) and […] (complaint no. 19016049), in which the complainants reported the difficulties encountered in exercising their rights, to propose that the restricted committee find that the company violated its obligations under Article 15 of the GDPR.

31. In defense, the company argues that it cannot be accused of any breach in respect of these three referrals. It states that these are isolated facts, from which the existence of a systemic problem cannot be inferred. It also points out the difference between the small number of complaints noted in the report concerning the exercise of rights (7) and the number of requests for the exercise of rights processed by the company per year (around 600). It therefore considers that the alleged breaches are indicative of human error but not at all of a "problem with the very functioning of the procedure" of FREE MOBILE. Finally, the company states that the disputed referrals are contemporaneous with the date of entry into application of the GDPR and predate the implementation of a new ticketing tool, used by FREE MOBILE since June 2019, which made it possible to improve the procedure for processing requests to exercise rights submitted to FREE MOBILE. It therefore considers that these occasional dysfunctions have now been resolved.

32. First of all, with regard to referral no. 19008608 of May 2019, Mr. […] applied to the CNIL, explaining that he had asked the company FREE MOBILE, via the email address dedicated to "Informatique et Libertés" requests, for access to the data concerning him that would be associated with his telephone number.

33. The rapporteur observes that it emerges from the information communicated by the company following the checks that, although the company does indicate that it received the complainant's request, it has on the other hand "not found any trace of a response given to the complainant". The rapporteur therefore considers that the company failed in its obligation to process the complainant's access request.

34. In defense, the company explains first of all that it could not meet this request since it no longer held the requested data. It specifies in this respect that, Mr. […] having terminated his contract with the company FREE MOBILE four years before sending his access request, it only held information relating to the existence of a contractual relationship until March 4, 2015. Following questioning by the rapporteur, who was surprised at the absence of any personal data relating to the complainant kept by the company in an intermediate archiving database in accordance with its legal or accounting obligations (billing data, management of any litigation, etc.), the company indicates in its second defense that it found thirteen invoices concerning the complainant after a search of its archiving database and sent, by email of October 14, 2021, a further response to the complainant providing him with these elements.

35. The restricted committee firstly recalls that it follows from Article 12(4) of the GDPR that when the controller no longer holds data on the person exercising his right of access (for example if the data have been deleted), it must nevertheless respond to the requester within a maximum of one month to indicate this. Thus, the restricted committee considers that the company should at the very least have informed the complainant that, according to it, it no longer held any information concerning him, apart from that relating to the existence of a contractual relationship until March 4, 2015.

36. The restricted committee then notes that the company held other data relating to the complainant, in this case the thirteen invoices kept by the company in its intermediate archiving database, which fall within the scope of the data to be communicated under the right of access. In this regard, the restricted committee recalls that data subjects must be able to know that data concerning them is kept and processed by the controller, including several years after the end of the contractual relationship, as is the case here. Indeed, it emphasizes that only the communication of this data allows data subjects to gauge the nature and extent of the processing carried out by the company. In the present case, the restricted committee notes that it was not until the email of October 14, 2021 that the company provided an exhaustive response to the complainant's access request, that is to say more than two years after Mr. […] had exercised his rights, following the initiation of the sanction procedure and the receipt of the rapporteur's response of October 4, 2021 to the company's observations.

37. Under these conditions, the restricted committee considers that by not responding to the access request and by not responding to the requester within the prescribed time limits, the company has violated its obligations under Articles 12 and 15 of the GDPR.

38. It nevertheless notes that, in the context of the sanction procedure, the company has justified having provided a response to the complainant and, therefore, having taken measures to comply with the obligations of the GDPR.

39. Second, with regard to referral no. 19016049 of September 2019, Mr. […] applied to the CNIL, explaining that he had asked the company FREE MOBILE to indicate whether it held any personal data concerning him. If so, the complainant wished to obtain a copy of his data and, more particularly, a copy of the recording of a call that would have been made by a person who had usurped his identity, as well as any document that would have been sent on that occasion.

40. The rapporteur notes that it emerges from the findings made in the context of the control procedure that the company did not respond to the complainant, without being able to justify why. He also noted that this request was not classified as an "Informatique et Libertés" request but as a "termination" request. The rapporteur therefore considers that the company failed in its obligation to inform the complainant whether personal data concerning him were included in the processing operations it implements and, where applicable, in its obligation to send him a copy.

41. In defense, the company argues that this request was not addressed to the department dedicated to requests for the exercise of rights, so that a human error may have been made in classifying it as a termination request rather than as a request for a right of access. Next, the company explains that it could not provide a favorable response to the complainant as his access request related to the personal data of a third party. Regarding the other data it holds relating to the complainant, it indicates that it responded by email of August 26, 2021, attaching a copy of the personal data concerning him that are stored in its database.

42. On the first point, relating to the address to which the complainant sent his request, the restricted committee considers that, while it is not disputed that the complainant did not send his request to the email or postal address identified by the company as the dedicated channel for requests for the exercise of rights, the fact remains that it was incumbent on the company, since the request had been received by it and was clear in its terms, to process it within the time limits provided for by the GDPR and to ensure that it was forwarded to the competent departments. Indeed, while the implementation of organizational measures to facilitate the exercise of individuals' rights complies with the requirements and the objective pursued by the GDPR, this cannot exonerate the company from its obligation to respond to requests sent to it when they are not sent through the channel it has dedicated for this purpose, a fortiori when, as in this case, the content of the request is clear.

43. On the second point, concerning the company's argument that the access request related to data of a third party, the restricted committee notes that the complainant's request is, primarily, a general request for the right of access which seeks, in the alternative, the communication of data relating to a telephone call. Therefore, while the restricted committee can accept the elements put forward by the company on the need to preserve the rights of third parties in connection with the part of the request relating to the telephone call, it considers on the other hand that the company would in any event have had to respond to the general access request made by the complainant, which was not done before August 26, 2021, i.e. more than two years after his request and after the notification to the company on August 2, 2021 of the report proposing that the restricted committee impose a sanction.

44. Under these conditions, the restricted committee considers that by not responding to the access request and by not responding to the requester within the prescribed time limits, the company has violated its obligations under Articles 12 and 15 of the GDPR.

45. It nevertheless notes that, within the framework of the sanction procedure, the company has justified having provided a response to the complainant and therefore having taken measures to comply with the obligations of the GDPR.

46. Thirdly, with regard to referral no. 19018344 of October 2019, Mr. […] applied to the CNIL, explaining that he had asked the company FREE MOBILE for access to his data.

47. The rapporteur notes that the company has not provided a response to the complainant.

48. In defense, the company explained that it never received the complainant's request and therefore could not respond to it.

49. Insofar as it has not been established that the complainant validly exercised his rights, the restricted panel considers that there is no reason to find a breach of the obligation to respect the right of access regarding this complaint.

50. Lastly, with regard first of all to the argument that the facts alleged against the company are isolated in nature and therefore do not constitute a breach of the applicable provisions, the restricted panel considers that, while the complaints received by the CNIL do not in fact reveal a structural breach in terms of the right of access, the fact remains that the company failed to comply with its obligations in processing the requests of Messrs […] and […], even though these were clearly formulated. These facts constitute a breach of the obligations arising from Articles 12 and 15 of the GDPR.

51. Next, with regard to the argument that the breaches alleged against the company are contemporaneous with the date of entry into application of the GDPR, the restricted committee recalls that most of the obligations in question, relating to the rights of access, rectification and objection and to security, existed before the entry into application of the GDPR, and that the "Informatique et Libertés" law already made it possible to sanction them. The restricted committee therefore considers that the company cannot usefully plead a change in the legal framework to justify the lack of compliance on the day of the inspections.

52. Finally, with regard to the improvements made by the company to its rights management procedure, while emphasising that their adoption is advisable in order to improve the processing of requests, the restricted committee recalls that they have no bearing on the existence of the breach as of the date of the inspections, a breach which lasted for many months and was only brought to an end after the initiation of the sanction procedure.

53. In view of the foregoing, the restricted committee considers that a breach of the obligations of Articles 12 and 15 of the GDPR is established with regard to the complaints lodged by Messrs […] and […], irrespective of the fact that it is not of a structural nature.

54. It nevertheless notes that, in the context of the sanction procedure, the company has justified having taken measures to comply with the obligations of the GDPR by providing a response to the complainants.

2. On the breach relating to the right of rectification in application of Article 16 of the GDPR

55. Article 16 of the GDPR provides for the right of a person to obtain from the controller "the rectification of personal data concerning him which is inaccurate".

56. The rapporteur relies on a referral received by the CNIL from Mrs. […] (complaint no. 19017852, made in October 2019), in which the complainant mentioned difficulties encountered in exercising her right of rectification, to propose that the restricted committee find that the company has violated its obligations under Article 16 of the GDPR. She indicated that she had asked the company to correct her postal address appearing on her telephone bills, a correction made necessary by the renumbering of her street by the town hall.

57. The rapporteur observes that it emerges from the findings made during the inspection of 22 January 2020 that the complainant's request, made in September 2019, was not taken into account, since the postal address that was the subject of the rectification request and which appears on the complainant's invoice dated October 14, 2019 is the same as that which appears on the invoice dated January 14, 2020. The rapporteur therefore considered that between October 14, 2019 and January 14, 2020, the complainant's request for rectification was not taken into account by the company FREE MOBILE, i.e. several weeks after her request was sent.

58. In defense, the company argues that faster processing of Mrs. […]'s request was impossible in view of the imperatives of the fight against fraud. It specifies that when a person is both a customer of the company FREE (as holder of a fixed line) and of FREE MOBILE (as holder of a mobile line), as is the case of the complainant, the postal address relating to the landline must first be changed with the company FREE. It specifies that this modification can only take place once the physical installation address of the telephone line has been modified in a tool called "SETIAR", which is administered by the company ORANGE SA. The company specifies that this tool "makes it possible to ensure the perfect correspondence between a telephone number and the physical installation address of the telephone line, in order to avoid any error when carrying out an operation on this line". The company indicates that these various steps cannot be completed in a short time and that it acted diligently to process this request. The company considers in any event that it responded to Mrs. […]'s request by sending her a letter on September 17, 2019, i.e. four days after receiving her request, telling her that she could change her address online, directly from her subscriber area.

59. The restricted committee noted that the need for Mrs. […] to modify her address herself in her subscriber area should have been better explained to her. During the meeting, however, the company clearly explained the need, in the context of the fight against fraud, to use the "SETIAR" tool.

60. Under these conditions, the restricted committee takes note of the elements provided by the company in defense and considers that, with regard to this complaint, the elements of the debate do not allow it to conclude that a breach was committed by the company.

3. On the breach relating to the obligation to respect data subjects' requests to object

61. Article 12, paragraph 3, of the GDPR provides that "The controller shall provide the data subject with information on the measures taken following a request made pursuant to Articles 15 to 22 as soon as possible and in any event within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests. The controller shall inform the data subject of this extension and of the reasons for the postponement within one month of receipt of the request […], unless the data subject requests otherwise". Finally, under the terms of paragraph 4 of this article, "if the controller does not respond to the request made by the data subject, he shall inform the latter without delay and at the latest within a period of one month from receipt of the request of the reasons for its inaction and of the possibility of lodging a complaint with a supervisory authority and of lodging a judicial appeal".

62. Article 21 of the GDPR provides that "when personal data is processed for prospecting purposes, the data subject has the right to object at any time to the processing of personal data relating to such prospecting purposes, including profiling insofar as it is linked to such prospecting".

63. The rapporteur relies on four referrals received by the CNIL, from Mrs. […] (complaint no. 19008223) as well as from Messrs […] (complaint no. 19016318) and […] (complaints no. 17017795 and no. 19018125), in which the complainants reported their difficulties in exercising their rights, to propose that the restricted panel find that the company has violated its obligations under Article 21 of the GDPR.

64. In defense, the company argues that it cannot be accused of any breach in respect of these four referrals, as it has taken the complainants' requests into account in its databases. It then argues, in summary and as developed in point 31, that the alleged shortcomings, given the low number of complaints referred to in the report, are at most indicative of human errors and not of a problem with the functioning of the company's procedure for processing requests to exercise rights, which would constitute a breach of the applicable provisions. It considers that the disputed referrals are contemporaneous with the date of entry into force of the GDPR and prior to the implementation of the new ticketing tool in June 2019, which made it possible to improve the processing of requests to exercise rights.

65. First, with regard to referral no. 19008223 made in April 2019, Mrs. […] applied to the CNIL, explaining that during 2018 and 2019 she had been the subject of telephone canvassing by the company FREE MOBILE. During this period, the complainant expressed on two occasions, by letters dated September 27, 2018 and April 29, 2019, her objection to the processing of her personal data for prospecting purposes.

66. The rapporteur notes that it emerges from the findings made by the inspection delegation that the complainant was the subject of two prospecting campaigns, on 28 August 2018 and on 11 April 2019. The rapporteur therefore considers that the complainant was sent commercial prospecting nearly eight months after having, for the first time, expressed her objection.

67. In defense, the company admits that a "human error" was committed, so that the complainant was the subject of a prospecting campaign in April 2019 when she had previously exercised her right to object. However, the company considers that no breach can be held against it insofar as it has "duly taken into account" the complainant's objection formulated by letter of April 29, 2019, i.e. before the on-site inspections which the CNIL carried out in January 2020.

68. On this last point, the restricted committee considers that the existence of a breach cannot be limited to elements attesting to a non-conformity on the date of the findings made in the course of an inspection carried out pursuant to Article 19 of the "Informatique et Libertés" law, but can also be based on any element obtained by the services of the CNIL or by the rapporteur attesting to a non-conformity in respect of facts giving rise to a complaint to the CNIL and a referral to the restricted committee, even if this non-compliance had been brought to an end by the time of the inspection. In this case, the breach is based on evidence and is therefore established.

69. Under these conditions, the restricted committee considers that by not taking into account the complainant's objection to the processing of her personal data for prospecting purposes within the prescribed time limits, the company has failed to comply with its obligations arising from Articles 12 and 21 of the GDPR.

70. It nevertheless notes that, in the context of the sanction procedure, the company has justified having taken into account the complainant's opposition request and therefore having taken measures to comply with the obligations of the GDPR.

71. Secondly, with regard to referral no. 19016318 made in September 2019 by Mr. […], he explained that he had been the subject of commercial prospecting by SMS on offers marketed by the company FREE MOBILE until July 2019, and provided screenshots of the corresponding SMS in his complaint. The complainant indicates that he repeatedly expressed his objection to the processing of his personal data for commercial prospecting purposes, in particular in June 2018 to the Data Protection Officer (hereinafter "the DPO") of the ILIAD group.

72. The rapporteur observes that it emerges from the additional information communicated by the company following the inspections that the company had, "at the date of this communication, not found any trace of a response given to the complainant", without being able to justify the reason. It therefore considers that the company did not take into account the complainant's objection to receiving commercial prospecting, since the latter continued to receive solicitations until July 2019, i.e. almost a year after having expressed his objection.

73. In defense, the company indicates that it "promptly" took into account the complainant's request, as of July 25, 2018, after having received two emails from him on June 10 and July 8, 2018. The company attached a screenshot to this effect showing the date of registration of the complainant in an "anti-prospecting" database. With regard to the screenshots attached by the complainant, the company argues that they are "devoid of probative value since the recipient's number does not appear, so that it has not been established that the SMS captured by the complainant were actually received by him". However, it does not dispute the failure to respond to the complainant's objection request. It indicates that the new ticketing tool put in place from June 2019 now makes it possible to ensure a systematic response to the data subjects.

74. The restricted panel considers that even if the company indicates that it took into account "promptly" the complainant's request, this does not mean that it provided a response, since the latter received none and therefore did not receive any information as to whether his request had been taken into account, which is contrary to the provisions of Article 12 of the GDPR.

75. Then, while it is correct that the telephone number does not appear on the screenshots sent by the complainant, the restricted committee notes that it is frequent and understandable that people who file a complaint with the CNIL transmit screenshots of messages received on their phone, which logically does not show the phone number of the recipient of the message. It also observes that the solicitations appearing in the screenshots communicated by the complainant do refer to dates subsequent to the taking into account of the complainant's objection request, as confirmed by the DPO, since they mention offers valid between December 11, 2018 and July 11, 2019. Thus, the restricted committee notes that there is no element justifying doubt as to the good faith of the complainant. Finally, the restricted committee recalls that the right to object is attached to a person and not to a telephone number. The restricted committee therefore considers that these screenshots reveal that the complainant continued to receive solicitations almost a year after having expressed his objection to the DPO of the ILIAD group in June 2018.

76. Finally, the restricted committee recalls that the improvements made by the ticketing tool have no bearing on the existence and materiality of the breach, both with regard to the provisions of Article 12 of the GDPR (lack of response from the company to the complainant) and those of Article 21 (Mr. […] having continued to receive commercial prospecting almost a year after having expressed his objection to the use of his data for this purpose).

77. In these conditions, the restricted committee considers that by not taking into account the complainant's opposition to the processing of his personal data for prospecting purposes within the prescribed time limits, the company has failed to comply with its obligations arising from articles 12 and 21 of the GDPR.

78. It nevertheless notes that, in the context of the sanction procedure, the company has justified having taken measures to comply with the obligations arising from Articles 12 and 21 of the GDPR.

79. Lastly, with regard to referrals no. 17017795 of September 2017 and no. 19018125 of October 2019, from Mr. […], he explained that he had been the subject of several resumptions of prospecting by SMS and by post from the company FREE MOBILE relating to the marketing of offers, in particular the "Free package with unlimited calls […]". He indicates that he had expressed by post, on several occasions from March 2015, his objection to the processing of his personal data for commercial prospecting purposes, and yet continued to receive commercial solicitations until October 2019.

80. By email of 21 September 2018, the Commission services reminded the company of its obligations in terms of commercial prospecting and asked it to no longer process the complainant's data for this commercial purpose. By email of October 3, 2018, the DPO of the ILIAD group replied that he had taken the request into account and "deleted the contact details of Mr. […]".

81. The rapporteur observes that it emerges from the elements gathered during the inspection that, despite the requests made by the complainant since 2015 and the assertion of the DPO of the ILIAD group in 2018 confirming that he had "deleted the contact details of Mr. […]", the complainant's objection to the processing of his data for prospecting purposes was not taken into account until December 17, 2019, more than four years after the company received his first request.

82. In defense, the company indicates that it never received an objection request from the complainant, unlike the company FREE. It considers that an objection request filed with the company FREE is not opposable to the company FREE MOBILE. However, it indicates that it took into account the wishes of the complainant when he "activated the anti-canvassing option in his subscriber area". It specifies that this objection has been effective since December 17, 2019. The company then specifies that the email produced by the rapporteur, indicating that the DPO of the ILIAD group confirms "having deleted the contact details of Mr. […]", is a reconstruction of an email and not the original, which does not constitute admissible proof; it also notes that the email was not sent to the right contacts and that it was not the responsibility of the company FREE MOBILE to take into account the complainant's objection request.

83. Regarding first of all the failure to receive the complainant's opposition request by the company, the restricted panel notes that the DPO of the ILIAD group - who, by email of 3 October 2018, informed the CNIL "having removed the contact details of Mr. […]" - is the DPO in charge of requests relating to FREE subscribers and FREE MOBILE subscribers. The restricted committee considers that it was therefore incumbent on it to process this request as a whole or to pass it on, if necessary, to the competent services so that it is taken into account.

84. Consequently, the company's argument that it was the sole responsibility of the company FREE to take into account the complainant's request cannot be accepted. Indeed, the complainant's request was a general objection to receiving commercial prospecting by post and by electronic means (SMS and email), which concerned both the company FREE and the company FREE MOBILE. In his letter of March 5, 2015 addressed to the "Informatique et Libertés" department of the company FREE, the complainant had taken care to specify his Free Mobile and Freebox identifiers and to formulate his request as follows: "In accordance with the provisions of article 38 paragraph 2 of the amended law of January 6, 1978, I ask you to delete my contact details from your advertising contact files, whether by post, telephone or computer."

85. Finally, regarding the inadmissibility of the email of 3 October 2018 confirming the receipt and consideration of the complainant's request by the DPO of the ILIAD group, the restricted panel observes that this email does not appear in its original form in the CNIL's business tool (the tool in which the elements relating to the processing of a complaint are recorded). It was recorded in the form of a "communication", a tab in the business tool which allows the agent in charge of the complaint, rather than attaching the email as such to the file, to manually indicate that he has received an email from the company, by entering the date of receipt, selecting the sender of the message from a list of predefined choices and copying the content of the original message. The restricted committee therefore considers that the way in which this email was reproduced corresponds to a procedure provided for in the CNIL business tool, and that it can take it into account insofar as all the relevant elements appear therein, namely the date, the content of the text and the identity of its author, and these clearly have a direct link with the subject of the complaint. Finally, the restricted committee notes that, while the company disputes the admissibility of this email, it does not claim that it never sent this message.

86. Therefore, the restricted panel considers that the company's arguments are not such as to call into question the fact that the complainant's objection was only taken into account as of December 17, 2019, which according to the company corresponds to the date on which the complainant activated "the anti-canvassing option in his subscriber area", i.e. more than a year after the DPO of the ILIAD group indicated, on October 3, 2018, that this request, initially formulated on March 5, 2015, had effectively been taken into account.

87. Under these conditions, the restricted committee considers that by not taking into account the complainant's opposition to the processing of his personal data for prospecting purposes within the prescribed time limits, the company has violated its obligations arising from articles 12 and 21 of the GDPR.

88. It nevertheless notes that the company has justified having taken measures to comply with the obligations arising from Articles 12 and 21 of the GDPR.

89. In view of the foregoing, the restricted committee considers that a breach of the obligations of Articles 12 and 21 of the GDPR has been established for the complaints lodged by Mrs. […] and Messrs […] and […].

4. On the breach of the obligation to protect personal data from the design stage

90. Under the terms of Article 25 of the GDPR: "1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects […]".

91. The rapporteur relies on two referrals to the CNIL in November 2019, from Messrs […] (complaint no. 19019626) and […] (complaint no. 19020342), in which the complainants stated that they had not managed to stop the company FREE MOBILE from sending them invoices on which a terminated mobile line was mentioned, to propose that the restricted committee find that the company had disregarded its obligations under Article 25 of the GDPR.

92. In defense, the company explains first of all that it sends invoices for zero euros to customers after the termination of their subscription because they benefit from a so-called "multi-line" subscription. The company specifies that this service allows a subscriber to attach one or more secondary lines to a main mobile line, which has the effect of grouping the invoices of the different lines on the main account associated with the main line, and of carrying out a single direct debit corresponding to the sum of the associated subscription fees. The company thus argues that "the processing of the telephone number corresponding to the terminated main [mobile] line is necessary, since it pursues purposes aimed at allowing FREE MOBILE to continue the proper performance of their contract by identifying the debtor of the multiple lines subscribed by its subscribers and to improve, for the subscribers, the readability of the invoicing of their subscriptions and of the debits made on their account". The company nevertheless specifies that it has initiated an overhaul of its invoicing procedure so that the invoices of multi-line accounts associated with a terminated main mobile line now include an identifier allowing the subscriber and the company FREE MOBILE to know, for billing purposes, who is the sole debtor of the lines, without continuing to mention the terminated main line on the invoice.

93. The restricted committee notes that it follows from the above-mentioned Article 25 of the GDPR that data controllers must implement appropriate technical and organisational measures in order to effectively comply with the principles relating to data protection.

94. The restricted committee considers that, while the information that a person has held a terminated mobile line can legitimately be kept for the purposes of performing the contract and for accounting purposes, or even for the management of litigation, it is on the other hand not necessary to continue to process this information in the course of issuing current invoices and to display it on them, since an identifier allowing the debtor of the different mobile lines (main and secondary) to be identified can be used instead. The company should have planned, from the design stage, organisational and technical measures so as to no longer process this data in this context following a request by the data subject to terminate a main line.

95. Under these conditions, the restricted committee considers that the aforementioned facts constitute a breach of Article 25 of the GDPR, since the company did not implement the organisational and technical measures allowing the erasure of personal data that was no longer needed for billing purposes.

96. It nevertheless notes that, in the context of the sanction procedure, the company has justified having carried out an overhaul of its invoicing procedure, so that invoices now only mention active lines, without mention of terminated lines. The restricted committee therefore considers that the company has complied with the obligations arising from Article 25 of the GDPR.

5. The breach relating to the obligation to ensure the security of personal data

97. Article 32 of the GDPR provides that: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (…)", including in particular "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" and "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing".

98. In the first place, the rapporteur relies on two referrals from Mrs. […] (complaint no. 19012802 of July 2019) and Mrs. […] (complaint no. 19019490 of October 2019), in which the complainants reported the absence of systematic user authentication for access to a FREE MOBILE user account (for the user of a telephone equipped with a FREE MOBILE SIM card, or for a person using the connection sharing of such a telephone), to propose that the restricted committee find that the company has violated its obligations under Article 32 of the GDPR.

99. In defense, the company argues that the CNIL's checks did not cover these complaints and that access to a subscriber's mobile space from another device via connection sharing is not possible.

100. In view of the information provided by the company, the restricted committee considers that there is no reason to find a breach of Article 32 of the GDPR for these facts.

101. Secondly, the rapporteur observes that it emerges from the findings made within the framework of the control procedure that the company sends by email, in clear, the passwords of the users when they subscribe to an offer with the FREE MOBILE company.

102. In defense, the company first asserts that, as data controller, it is free to choose the security measures to be put in place, and that the guides and recommendations issued by the CNIL or by the National Agency for the Security of Information Systems (ANSSI) are not mandatory and do not have the force of law. Therefore, the company considers that no breach can be found in the absence of a "serious breach of the security obligation, materialised by the occurrence of a personal data breach", which, according to it, is not the case here.

103. The company goes on to argue that at the time of the control operations, subscribers were encouraged to change their passwords in their subscriber area and made aware of the importance of keeping these passwords confidential. It further indicates that the initial password assigned by the FREE MOBILE company has a high level of robustness. Finally, it specifies that the subscriber area only allows access to "basic" information and not to sensitive information.

104. First of all, the restricted committee recalls that, pursuant to Article 32 of the GDPR, in order to ensure the protection of personal data, it is the responsibility of the data controller to take "appropriate technical and organisational measures in order to guarantee a level of security adapted to the risk". The restricted committee considers that in this case the methods of transmitting passwords implemented by the company are not appropriate with regard to the risk to the data subject of their username and password being captured by a third party. Indeed, the transmission, in clear, of a password which is neither temporary nor single-use, and whose renewal is not imposed, makes it easily and immediately usable by a third party who gained improper access to the message containing it. Such a third party could thus access all the personal data present in the FREE MOBILE user account of the person concerned (in particular last name, first name, mobile line number, postal address, email address and bank account details). They could also access the voicemail, download the invoices and the consumption statement, and modify the password, the email address or the account options. The fact that the password itself is strong and that people are encouraged to change their password is not enough to offset these risks, which can lead, among other things, to identity theft and phishing attempts. Therefore, taking into account these risks for the protection of personal data and the privacy of individuals, the restricted committee considers that the measures deployed to guarantee data security in this case are insufficient.

105. Next, the restricted committee specifies that while deliberation no. 2017-012 of January 19, 2017, the purpose of which is to provide recommendations relating to passwords, the CNIL guide on the security of personal data and the ANSSI technical note on passwords cited in the rapporteur's submissions are certainly not mandatory, they nevertheless set out the elementary security precautions corresponding to the state of the art. Therefore, the restricted committee recalls that it finds a breach of the obligations arising from Article 32 of the GDPR, and not of non-compliance with the recommendations, which moreover constitute relevant insight for assessing the risks and the state of the art in terms of personal data security.

106. Beyond these recommendations, the restricted committee emphasises that it has, on several occasions, imposed financial penalties where a breach of Article 32 of the GDPR was characterised by the insufficiency of the measures taken to ensure the security of the data processed, and not solely by the occurrence of a personal data breach. Deliberations No. SAN-2019-006 of 13 June 2019 and No. SAN-2019-007 of 18 July 2019 concerned in particular the insufficient robustness of passwords and their transmission to the company's customers by e-mail, in clear (readable in the body of the message), after the account had been created.

107. Under these conditions, having regard to the risks incurred by the persons concerned as described above, the restricted committee considers that the facts set out above constitute a breach of Article 32 of the GDPR, since the company transmits users' passwords by e-mail, in clear, when they subscribe to a FREE MOBILE offer.

108. It nevertheless notes that, during the sanction procedure, the company attested that it had made it mandatory for users to renew their password at first login. The password the company requires complies with the CNIL's 2017 recommendation on passwords. In addition, the restricted committee notes that the company has undertaken to stop transmitting new subscribers' passwords in clear by e-mail and, from the end of March 2022, to have subscribers create their own password, which must comply with the CNIL's recommendations in this area.
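Paragraphs 104 to 108 above contrast the sanctioned practice (a permanent, reusable password sent in clear by e-mail) with the remedy the company committed to (the subscriber sets their own password, with renewal enforced at first login). The following Python module is an added illustration of that contrast; it is not FREE MOBILE's code nor anything the CNIL published. The legacy welcome message shows why a leaked e-mail is immediately exploitable, and the hardened flow replaces the password with a single-use, time-limited activation token from which the subscriber chooses their own password. The in-memory store, the 24-hour validity window, the password policy thresholds, the PBKDF2 iteration count and the `example.invalid` host are all assumptions made for the example.

```python
"""Account activation without e-mailing a reusable password (added example).

Not FREE MOBILE's implementation. The store, TTL, policy thresholds and
iteration count below are assumptions chosen for illustration.
"""
import hashlib
import hmac
import secrets
import time

ACTIVATION_TTL_SECONDS = 24 * 3600   # assumption: activation link valid for one day


# --- Weak flow: what paragraphs 104-107 sanction -----------------------------
def legacy_welcome_email(username: str, password: str) -> str:
    """Welcome message carrying the account's real, non-expiring password.

    Anyone who reads this message (mailbox compromise, forwarding, shared
    inbox) can log in as the subscriber for as long as the password stays
    unchanged, which is the risk described in paragraph 104.
    """
    return f"Welcome {username}. Your password is: {password}"


# --- Hardened flow: subscriber sets their own password at first login --------
class ActivationStore:
    """In-memory stand-in for the subscriber database (assumption)."""

    def __init__(self) -> None:
        self._tokens: dict[str, dict] = {}                      # token digest -> record
        self._passwords: dict[str, tuple[bytes, bytes]] = {}   # user -> (salt, hash)

    def issue_activation_token(self, username: str, now: float) -> str:
        """Return a single-use, time-limited token; only its digest is stored,
        so a database read-out does not yield usable tokens."""
        token = secrets.token_urlsafe(32)
        self._tokens[_digest(token)] = {
            "user": username,
            "expires": now + ACTIVATION_TTL_SECONDS,
            "used": False,
        }
        return token

    def welcome_email(self, username: str, token: str) -> str:
        """The message body carries an activation link, never a password."""
        return (f"Welcome {username}. Choose your password within 24 hours: "
                f"https://example.invalid/activate?token={token}")

    def redeem_activation_token(self, token: str, new_password: str, now: float) -> bool:
        """Consume the token and set the subscriber-chosen password.

        Fails (without consuming the token) when the token is unknown, already
        used, expired, or when the chosen password does not meet the policy.
        """
        rec = self._tokens.get(_digest(token))
        if rec is None or rec["used"] or now > rec["expires"]:
            return False
        if not password_meets_policy(new_password):
            return False
        rec["used"] = True                      # single use: a replay fails
        salt = secrets.token_bytes(16)
        self._passwords[rec["user"]] = (salt, _pw_hash(new_password, salt))
        return True

    def verify_login(self, username: str, password: str) -> bool:
        """Constant-time comparison against the stored salted hash."""
        entry = self._passwords.get(username)
        if entry is None:
            return False
        salt, stored = entry
        return hmac.compare_digest(stored, _pw_hash(password, salt))


def password_meets_policy(pw: str) -> bool:
    """Illustrative policy (assumption): at least 12 characters drawn from at
    least three of four character classes. Not a transcription of the CNIL text."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) >= 12 and sum(classes) >= 3


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def _pw_hash(pw: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


if __name__ == "__main__":
    store = ActivationStore()
    t0 = time.time()
    tok = store.issue_activation_token("alice", t0)
    print(store.welcome_email("alice", tok))
    assert store.redeem_activation_token(tok, "Correct-Horse-9", t0 + 60)
    assert not store.redeem_activation_token(tok, "Correct-Horse-9", t0 + 61)  # replay rejected
    assert store.verify_login("alice", "Correct-Horse-9")
```

The point of the design is that the e-mail no longer contains anything that stays valid: the token expires, is consumed on first use, and is stored only as a digest, so neither a later reader of the mailbox nor a reader of the database obtains a credential. The password itself never transits by e-mail at all, which removes the risk the restricted committee describes rather than mitigating it with a strength requirement.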

III. On corrective measures and their publicity

109. Under the terms of III of article 20 of the amended law of 6 January 1978:

"Where the controller or its processor does not comply with the obligations arising from Regulation (EU) 2016/679 of 27 April 2016 or from this Act, the President of the Commission nationale de l'informatique et des libertés may also, where appropriate after having sent the warning provided for in I of this Article or, where appropriate in addition to a formal notice provided for in II, refer the matter to the restricted committee with a view to the pronouncement, after adversarial proceedings, of one or more of the following measures: […]

2° An injunction to bring the processing into compliance with the obligations arising from Regulation (EU) 2016/679 of 27 April 2016 or from this Act, or to satisfy the requests made by the data subject with a view to exercising their rights, which may be accompanied, except where the processing is implemented by the State, by a penalty payment not exceeding €100,000 per day of delay from the date set by the restricted committee; […] 7° Except where the processing is implemented by the State, an administrative fine not exceeding €10 million or, in the case of an undertaking, 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher. In the cases referred to in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of 27 April 2016, these ceilings are raised to €20 million and 4% of that turnover respectively. In determining the amount of the fine, the restricted committee takes into account the criteria set out in that Article 83."

110. Article 83 of the GDPR provides that "Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and in deciding on its amount.

111. First, as regards the principle of imposing a fine, the company maintains that such a measure is not justified. As to the breaches relating to the exercise of the rights of access and to object, the company considers that the complaints underlying these breaches are isolated in nature and that, in any event, it responded to the access requests and took the complainants' objections into account. As to the breach of the obligation of data protection by design, the company considers that processing the telephone number corresponding to the terminated primary mobile line is necessary for the proper performance of the mobile telephone service. As to the breach relating to data security, the company considers that, in the absence of a personal data breach, the unencrypted transmission of user passwords does not amount to a "serious breach of the security obligation".

112. The restricted committee recalls that, when imposing an administrative fine, it must take into account the criteria set out in Article 83 of the GDPR, such as the nature, gravity and duration of the infringement, the measures taken by the controller to mitigate the damage suffered by data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the infringement.

113. The restricted committee considers, first, that the company has shown a degree of negligence with regard to fundamental principles of the GDPR, since four breaches have been found, relating in particular to the rights of individuals and to elementary measures for the security of personal data. The restricted committee adds that several of these breaches gave rise to complaints. It also emphasises, with regard to the breach relating to data security, that transmitting users' passwords by e-mail, in clear, when they subscribe to an offer from the company FREE MOBILE, may present a risk to the privacy of the persons concerned.

114. The restricted committee then notes that the company FREE MOBILE is a particularly significant player in the telecommunications sector since, in December 2020, it had approximately […] subscribers to mobile telephony offers, […]. The restricted committee also observes that the company, in its capacity as a mobile telephone operator, sits at the heart of the daily personal data flows of a great many people and must therefore show particular rigour in managing the security of the personal data concerned.

115. Finally, the restricted committee notes that the compliance measures put in place following the notification of the sanction report do not exonerate the company from its liability for the breaches noted.

116. Consequently, the restricted committee considers that an administrative fine should be imposed in respect of the breaches of Articles 12, 15, 21, 25 and 32 of the GDPR that have been established.

117. Second, with regard to the amount of the fine, the restricted committee recalls that administrative fines must be both dissuasive and proportionate. In this case, the restricted committee notes that the complaints which gave rise to the breaches appear extremely isolated and few in number, their number, seven, being set against the number of subscribers, […], so that these breaches can in no way be regarded as systemic in character. The restricted committee also takes into account the company's activity and its financial situation.

118. Therefore, in view of these elements, the restricted committee considers that the imposition of a fine of 300,000 euros appears justified.

119. Thirdly, an injunction to bring the processing into line with the provisions of Articles 12, 15, 21, 25 and 32 of the GDPR was proposed by the rapporteur when the report was notified.

120. The company maintains that the actions it has taken in relation to all the breaches identified must lead to the rapporteur's proposal for an injunction not being followed up.

121. As indicated above, the restricted committee notes that the company has taken measures to bring its processing into line with the provisions of articles 12, 15, 21, 25 and 32 of the GDPR. It therefore considers that there is no longer any need to issue an injunction.

122. Lastly, with regard to the publicity of the sanction, the company maintains that such a measure would be disproportionate in view of the breaches identified and the low number of complaints referred to. It also considers that this additional publicity penalty would irreversibly damage its reputation.

123. The restricted committee considers that the publication of the sanction is justified in view of the number of breaches noted, their persistence, and the number of people concerned.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

• impose on FREE MOBILE an administrative fine of 300,000 (three hundred thousand) euros for breaches of Articles 12, 15, 21, 25 and 32 of the GDPR;

• make this deliberation public, on the CNIL website and on the Légifrance website, it being specified that the deliberation will cease to identify the company by name upon the expiry of a period of two years from its publication.

President

Alexandre Linden

This decision may be appealed before the Conseil d'État (Council of State) within two months of its notification.