CNIL (France) - SAN-2022-022

From GDPRhub
Revision as of 17:59, 19 December 2022 by Kv
CNIL - Délibération SAN-2022-022
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 12(3) GDPR
Article 15 GDPR
Article 17(1)(a) GDPR
Article 32 GDPR
Article 33 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 30.11.2022
Published: 08.12.2022
Fine: 300,000 EUR
Parties: Free
National Case Number/Name: Délibération SAN-2022-022
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: n/a

The French DPA fined a communications provider €300,000 for several GDPR violations. The controller did not respond to access and erasure requests in time, had a weak password policy (short single-class passwords, stored and transmitted in clear text) and redistributed hardware boxes to new customers without wiping the personal data of former subscribers.

English Summary

Facts

Between October 2018 and November 2019, the DPA received 41 complaints regarding the same controller, a French communications provider, after which the DPA started an investigation (3). The complaints concerned access requests, most of them (39) asking for information about the source of the personal data, i.e. the first actor to have collected it and the data broker from which the controller obtained it. The data subjects stated that they never received an answer from the controller (30-31). According to the controller, the requests were not answered in time because of human error, even though procedures were in place (33). With regard specifically to information on the source of the data, the controller held that it was not obliged to respond where doing so would reveal information covered by business secrecy (Recital 63 and Article 15(4) GDPR). According to the controller, the identity of the data broker that supplied the data fell under this exception (34).

In the erasure requests, the data subjects asked for the deletion of their e-mail accounts (45). The DPA confirmed that the data subjects' personal data was still present in the controller's database after they had submitted their requests. These e-mail accounts also still had the status 'active', and the data subjects were still able to access their e-mails (47).

On 8 February 2019, the controller also notified the DPA of a personal data breach (4). The controller had distributed 4,137 repackaged hardware boxes (75) to new customers. The main use of this box was to store television programmes, but it could also be used to store personal photos and videos (68). The DPA found that these boxes still contained the personal data of subscribers who had previously used the hardware; the controller had not wiped the data from the devices (64). The controller had accidentally deleted, from its security measures, the procedure intended to erase the data stored on these boxes. Three years after the breach was reported, 322 boxes were still in use by subscribers without the controller knowing whether they contained data of previous subscribers. These boxes were deactivated in July 2022, more than three years after the breach was reported (69).

Holding

The DPA determined that the controller violated the following GDPR articles.

Failure to respect the right of access (Articles 12 and 15 GDPR)

The DPA determined that the controller violated Articles 12 and 15 GDPR, having confirmed that the controller either did not respond to the data subjects' access requests within one month or provided incomplete answers regarding the source of the personal data. The DPA also rejected the controller's argument that it could withhold the source of the data on grounds of business secrecy. The DPA specified that the data subjects' requests were requests for information under Article 15(1) GDPR. The business secrecy exception only applies to Article 15(4) GDPR, where a data subject requests a copy of their data, which was not the case here (36).

The DPA continued that any processing must comply with Article 5(1)(a) GDPR, which requires personal data to be processed in a transparent manner. The DPA stated that the data subject's right of access constitutes a fundamental guarantee of the transparency of the controller's processing. When a data subject files an access request, the controller must communicate the specific source of the data; the controller is only exempt from this obligation where it does not possess the information (37). The controller's failure to answer prevented the data subjects from verifying the lawfulness of the processing carried out. The DPA considered that the right to know the identity of the source of the data is necessary to enable the data subject to give consent and to exercise their GDPR rights (39). The DPA concluded that the controller failed to comply with its obligations under Articles 12 and 15 GDPR because it did not deal with the access requests within the set time limit or provided incomplete answers (40).

Failure to respect the right to erasure

The DPA also determined that the controller violated Articles 12 and 17 GDPR. The DPA stated that the data subjects' erasure requests were clear: they had used a dedicated form provided by the controller. The data subjects' personal data was still in the controller's database after the erasure requests (43). Moreover, the controller only answered the erasure requests after approximately three years (46), in violation of Article 12(3) GDPR. The DPA further found a violation of Article 17(1)(a) GDPR, because the data subjects' e-mail accounts were still active and the e-mails still accessible several years after the requests were submitted.

Failure to ensure the security of personal data (Article 32 GDPR)

The DPA held that the controller violated Article 32 GDPR for several reasons.

Password requirements: When a new user account was created on the controller's website, the controller generated a random password of eight characters drawn from a single type of character, which the DPA considered not strong enough.

Storing and transmitting passwords: All generated passwords were stored in plain text in the controller's subscriber database until 23 January 2020. In addition, the controller sent the passwords in clear text, by e-mail or post, to the data subjects who created their account on the website. These passwords were permanent, and no technical measure forced the data subjects to change them later. The DPA determined that the use of a short or simple password, without imposing specific categories of characters and without additional security measures, may lead to successful attacks by unauthorised third parties (56). Given the volume and nature of the personal data in the accounts, the controller's passwords neither ensured the security of the personal data processed nor prevented unauthorised third parties from accessing it (59). The DPA also determined that storing passwords in clear text could allow third parties to collect these passwords and access the user accounts (60). Likewise, transmitting passwords in clear text by e-mail or postal mail could allow a third party intercepting the transmission to gain unauthorised access to a user account, because the passwords had no limited validity and did not have to be changed on first use (61). Considering the potential consequences for data subjects, the DPA stated that the measures taken to guarantee data security were insufficient, which amounted to a violation of Article 32 GDPR.
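The three weaknesses the DPA lists (a short single-class password, storage in clear text, and a permanent password that never has to be changed) map onto concrete account-provisioning code. The following Python is an added example written for this page; it is not code from the decision or from the controller. It contrasts a provisioning routine that mirrors the criticised policy with a hardened one that issues a longer multi-class initial password, stores only a salted scrypt hash, and forces a change on first login. All names (`Account`, `create_account_weak`, `create_account_hardened`, `login`, `meets_policy`) and the scrypt parameters are the example's own assumptions, and the search-space figures are computed, not taken from the decision.

```python
import hashlib
import math
import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Character classes used to size the search space an attacker has to cover.
DIGITS = string.digits                                                 # one class, as in the weak policy
FULL = string.ascii_letters + string.digits + string.punctuation       # four classes (94 symbols)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def weak_generate(length: int = 8) -> str:
    """Mirrors the criticised policy: eight random symbols from a single class."""
    return "".join(secrets.choice(DIGITS) for _ in range(length))


def strong_generate(length: int = 16) -> str:
    """Hardened initial password: longer and drawn from all four classes."""
    return "".join(secrets.choice(FULL) for _ in range(length))


def meets_policy(password: str) -> bool:
    """Policy assumed for this example: at least 12 characters and at least 3 of the 4 classes."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    used = sum(1 for cls in classes if any(c in cls for c in password))
    return len(password) >= 12 and used >= 3


@dataclass
class Account:
    login: str
    clear_password: Optional[str] = None   # weak design: the password itself sits in the subscriber record
    salt: bytes = b""                      # hardened design: per-account random salt ...
    pw_hash: bytes = b""                   # ... and only a scrypt hash of the password
    must_change: bool = True               # hardened design: initial password is single-use


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt with n=2**14, r=8, p=1 is a common interactive-login cost setting (assumption of this example).
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def create_account_weak(login_name: str) -> tuple[Account, str]:
    """Weak provisioning: 8-digit password, stored in clear, permanent."""
    pw = weak_generate()
    return Account(login=login_name, clear_password=pw, must_change=False), pw


def create_account_hardened(login_name: str) -> tuple[Account, str]:
    """Hardened provisioning: 16-char 4-class password, salted hash only, must be changed on first use."""
    pw = strong_generate()
    salt = secrets.token_bytes(16)
    acct = Account(login=login_name, salt=salt, pw_hash=hash_password(pw, salt), must_change=True)
    return acct, pw   # the clear password is handed to the user once and never stored


def login(acct: Account, password: str) -> str:
    """Returns 'rejected', 'must_change' (initial password still in use) or 'ok'."""
    if acct.clear_password is not None:
        ok = secrets.compare_digest(acct.clear_password, password)
    else:
        ok = secrets.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
    if not ok:
        return "rejected"
    return "must_change" if acct.must_change else "ok"


def change_password(acct: Account, old: str, new: str) -> bool:
    """Replaces the initial password; enforces the policy and clears the must-change flag."""
    if login(acct, old) == "rejected" or not meets_policy(new):
        return False
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_password(new, acct.salt)
    acct.clear_password = None
    acct.must_change = False
    return True


def hours_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Time to enumerate the full key space at a given guess rate (assumed rate, for comparison only)."""
    return (2 ** bits) / guesses_per_second / 3600


if __name__ == "__main__":
    print(f"8 digits:            {entropy_bits(8, len(DIGITS)):5.1f} bits, "
          f"{hours_to_exhaust(entropy_bits(8, len(DIGITS))):.4f} h at 1e9 guesses/s")
    print(f"16 chars, 4 classes: {entropy_bits(16, len(FULL)):5.1f} bits, "
          f"{hours_to_exhaust(entropy_bits(16, len(FULL))):.3e} h at 1e9 guesses/s")
    acct, initial = create_account_hardened("subscriber@example.org")   # constructed sample account
    print("first login:", login(acct, initial))
    print("changed:", change_password(acct, initial, "Correct-Horse-9!"))
    print("second login:", login(acct, "Correct-Horse-9!"))
```

The entropy figures make the DPA's point concrete: a uniformly random 8-digit password has under 27 bits of entropy, so the whole space can be enumerated offline in well under a second at a billion guesses per second, whereas 16 symbols from four classes exceed 100 bits. The hardened path also removes the other two findings: nothing stored in the subscriber record lets a database leak yield working passwords, and a password intercepted in the post or in e-mail is only valid until the first login.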

Hardware boxes of former customers: The DPA found a further factor contributing to the violation of Article 32 GDPR in the controller putting hardware boxes into circulation that still held data of previous subscribers. The controller had no procedure to check that the test sequence run before redistribution, which was supposed to erase the stored data, had actually completed. In practice there was therefore no effective procedure for deleting data from the boxes, which allowed unauthorised third parties to access the personal data of former subscribers. The boxes were also only deactivated three years after the breach was reported (69).

Failure to comply with the obligation to document a personal data breach (Article 33 GDPR)

The DPA also found a violation of Article 33(5) GDPR. The documentation provided by the controller did not allow the DPA to assess all the measures taken to remedy the data breach resulting from the distribution of the hardware boxes without their data being wiped.

The DPA fined the controller €300,000.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.