CNIL (France) - SAN-2022-022
| CNIL - Délibération SAN-2022-022 | |
|---|---|
 | |
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 12(3) GDPR Article 15 GDPR Article 17(1)(a) GDPR Article 32 GDPR Article 33 GDPR |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | |
| Decided: | 30.11.2022 |
| Published: | 08.12.2022 |
| Fine: | 300,000 |
| Parties: | Free |
| National Case Number/Name: | Délibération SAN-2022-022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | CNIL (in FR) |
| Initial Contributor: | n/a |
The French DPA fined a communications provider €300,000 for several GDPR violations. The controller did not respond to access- and erasure requests in time, had a lacking password policy and redistributed hardware boxes without deleting personal data of former subscribers.
English Summary
Facts
Between October 2018 and November 2019, the DPA received 41 complaints regarding the same controller, a French communications provider, after which the DPA started an investigation based on 10 of these complaints. The most of these complaints concerned access requests for information regarding the primary source of personal data, (i.e. the first actor in the chain to have collected the personal data). The data subjects stated that they never received an answer from the controller. According to the controller, the requests were not answered in time due to human error, despite the fact that the controller had procedures in place. However, specifically with regard to information regarding the source of the data, The controller held that it was not obliged to reveal information that was deemed a 'business secret' (recital 63 and Article 15(4) GDPR), in this case, the identity of the data broker who supplied the data. The controller also stated that it had recently changed its internal procedure, and now asked it's data brokers to also provide the identity of the primary source of the data collection, which the controller could then pass on to the data subjects.
The data subjects had also requested the deletion of their e-mail accounts. However, the DPA confirmed that data subject’s personal data was still present in the controller’s database after they submitted their erasure requests. Also, these e-mail accounts still had the status of ‘active’ and data subjects were still able to access their e-mails.
On 8 February 2019, the controller also notified the DPA of a personal data breach. The controller had distributed 4137 repackaged hardware-boxes to new subscribers. The main use of this box was to store television programmes, but could also be used to store personal photos and personal video’s. The DPA found that these boxes still contained the personal data of subscribers who had used this hardware previously. The controller did not wipe the data from the device. The controller had accidently deleted a procedure from its security measures, intended to erase the data stored on these hardware boxes. Three years after the breach was reported, 322 boxes were still used by subscribers, without the controller knowing if these boxes contained data of previous subscribers. These boxes were remotely deactivated by the controller on July 2022, more than three years after the breach was reported.
Holding
The DPA determined that the controller violated the following GDPR provisions.
Failure to respect the right of access (Articles 12 and 15 GDPR)
The DPA determined that the controller violated Articles 12 and 15 GDPR, after the DPA confirmed that the controller did not respond to the data subject’s access requests within one month or had provided incomplete answers regarding the source of personal data. The DPA also stated that the controller’s argument for not disclosing the source of the data because of 'business secrecy' was not valid. The DPA specified that the data subject’s requests were requests for information according to Article 15(1) GDPR. The ‘Business secrecy’ exception only applied to Article 15(4) GDPR, where a data subject would request a copy of their data, which was not the case here.
The DPA continued that any processing must comply with Article 5(1)(a) GDPR, and that personal data has to be processed in a transparent manner. The DPA stated that the data subject’s right of access constituted a fundamental guarantee of the transparency of data processing methods by the controller. When the data subject filed an access request, the controller had to communicate the specific source of the data. The controller is only exempt from this obligation when the controller does not have this information. The fact that the controller had not provided the identity of the data broker, prevented the data subject to verify the lawfulness of the processing carried out. The right of access regarding the primary source of the data was limited by the controller.
The DPA considered that the controller failed to comply with the obligations of Articles 12 and 15 GDPR because the controller did not deal with the access requests within the time limit set or provided incomplete answers regarding the source of their data.
Failure to respect the right to erasure
The DPA also determined that the controller violated Articles 12 and 17 GDPR. The DPA stated that the erasure requests of the data subjects were clear. The data subjects had used a dedicated form provided by the controller. The personal data of the data subjects was still in the controller’s database after the erasure requests. Also, the controller only answered the erasure requests after approximately three years, which was in violation of Article 12(3) GDPR. The DPA also determined a violation of Article 17(1)(a) GDPR, because data subject's e-mail accounts were still active and the e-mails were still accessible several years after the requests were submitted.
Failure to ensure the security of personal data (Article 32 GDPR)
The DPA held that the controller violated Article 32 GDPR because of several reasons.
Password requirements: When a new user account was created on the controller’s website, the controller generated a random password of eight characters which could only contain one type of character. This generated password was not strong enough according to the DPA. The DPA determined that use of a short or simple password without imposing specific categories of characters and without additional security measures, such as blocking measures, may lead to successful attacks by unauthorised third parties, such a 'brute force attacks'.
Storing passwords in clear text: All generated passwords were stored in plain text in the controller’s subscriber database until 23 January 2020. The DPA stated that this allowed any person with access to the controller's customer database to collect the passwords of each subscriber, who could then access the user accounts of these data subjects.
Transmitting passwords in clear text: Besides that, the passwords were send by the controller by e-mail or postal mail, in clear text, to the data subjects who created their account on the website. These passwords were of a permanent nature and without a requirement from the controller that these passwords had to be changed later. The DPA stated that this transmission could allow a third parties intercepting transmissions to get unauthorized access to user account, as long as these passwords did not have a limited duration and were not required to be changed when first used.
Hardware Boxes of former customers: The controller also put hardware-boxes in circulation without wiping the data of previous subscribers. The DPA stated that technical and organisational measures implemented were also not sufficient here, since the controller had no 'alert procedure' to monitor the actual completion of test sequences before the distribution of the boxes to new subscribers. There was therefore also no procedure for checking the deletion of data from these boxes, which allowed unauthorised third parties, the new subscribers, to access personal data of former subscribers. These boxes were also only remotely deactivated by the controller three years after the breach was reported.
Failure to comply with the obligation to document a personal data breach (Article 33 GPDR)
The DPA also determined a violation of Article 33(5) GDPR. The documentation provided by the controller did not allow the DPA to assess of all the measures taken by the controller to resolve the data breach caused by the redistribution of the hardware-boxes.
Fine
After considering several factors, the DPA fined the controller €300,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
