CNIL (France) - SAN-2023-008

From GDPRhub
CNIL - SAN-2023-008
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(c) GDPR
Article 6 GDPR
Article 9 GDPR
Article 12 GDPR
Article 28 GDPR
Article 32 GDPR
Article 33 GDPR
Article 82 of Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Type: Investigation
Outcome: Violation Found
Published: 08.06.2023
Fine: 150000 EUR
Parties: KG COM
National Case Number/Name: SAN-2023-008
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): French
Original Source: LegiFrance (in FR)
Initial Contributor: Sainey Belle

The French DPA fined a controller €150,000 because it collected excessive data, including sensitive data, without prior and explicit consent, and did not sufficiently ensure the security of the data.

English Summary[edit | edit source]

Facts[edit | edit source]

On 1st October 2020, an article published on a French media website revealed the existence of a personal data breach concerning the data stored on KG COM's (controller) server. The controller operates several websites to offer its customers clairvoyance readings by chat or phone.

According to this article, the controller’s database was not subject to special security measures and it was freely accessible on the internet until 23rd July 2020. The data exposed included the identification data and contact data of prospective and actual customers (data subjects).

Following the publication of the article, the French DPA (CNIL) carried out three investigations into the controller’s practices.

Holding[edit | edit source]

During its investigations, the CNIL noticed several infringements:

1. Failure to comply with Article 5(1)(c) GDPR

The controller systematically recorded all phone calls between telephone operators and prospective customers, as well as between fortune-tellers and customers, with the aim of checking service quality, proving that a contract has been performed and protecting their interests in civil proceedings. The controller did not provide any justification for the practice of systematically recording all calls for these purposes.

For the purposes of quality control, the establishment of a randomised system of recording allows the person in charge of quality control monitoring to have the necessary elements to evaluate the quality of the services offered.

Furthermore, a controller who wishes to record telephone conversations for probatory purposes must demonstrate that they do not have other less intrusive means to prove that the contract concluded over the phone was concluded with the person concerned.

With regard to the complete and systematic recording of telephone calls in the perspective of complying with judicial orders, they do not have to organize, in advance, the collection of personal data with a view to responding to a judicial order which is only potential. Therefore, the recording of all telephone calls, in order to respond to a judicial order, is not justified.

In addition, the controller recorded calls made with prospective customers. During these telephone calls, they collected the bank data of prospects (credit card number, expiry date and cryptogram). The recording of data subjects' bank data in a phone call is intrinsically not useful for the controller in the context of purposes mentioned above.

2. Failure to comply with Article 5(1)(e) GDPR

Through an analysis of the controller’s policies, the CNIL determined that the retention period for personal data was set at three years from the end of the commercial relationship. Nevertheless, the controller retained the data of subjects who did not have "consultations" for over five years.

The CNIL held that the data necessary for the execution of contracts should be kept for the duration of the contractual relationship. At the end of the contract, they must be kept in an archive and for a reasonable period of time, if the controller has a legal obligation to do so (for example, to meet accounting or tax obligations) or if he wishes to retain evidence in the event of litigation. For this purpose, it will be necessary to provide for a dedicated archive database or a logical separation in the active database, after sorting the relevant data to be archived.

3. Failure to comply with Article 6 GDPR

In respect of card details, the retention of payment card data beyond the completion of a transaction for the purpose of combating payment card fraud does not fall within the scope of the contract. The same can be said for the retaining of details for the purpose of auto-completing the data when the data subject wants to re-use the services. The retaining of bank details requires that a prior free, specific, informed and unambiguous consent of persons is collected.

4. Failure to comply with Article 9 GDPR

During the "consultations", data subjects provide the controller with data concerning their health status and sexual orientation. At the end of the consultations, this information was recorded in the data subjects' files, which were retained by the controller. The simple desire to receive a clairvoyance service and the fact the information is delivered directly from the data subject does not constitute an explicit consent of the data subject for the storing of their sensitive data.

5. Failure to comply with Article 12 GDPR

Information is considered easily accessible, within the meaning of Article 12 GDPR, if it is provided to the data subject, without the need to actively search for it. When data subjects created a user account on the controller's website, they had to leave the registration process in order to return to the home page, scroll to the bottom, click on the controller’s general conditions of sale and actively search this document for information relating to the protection of personal data. Since several actions were necessary for the data subject to obtain information on data processing, this was not considered information that is easily accessible.

Furthermore, the "general conditions of sale" were not easily identifiable as a document with information on data processing.

6. Failure to comply with Article 28 GDPR

In two of the controller's contracts with subcontractors (Processors), there was an absence of signatures and mandatory terminology required pursuant to Article 28(3) GDPR. These circumstances did not ensure effective protection of personal data processed through contractual guarantees.

7. Failure to comply with Article 32 GDPR

Data subjects were allowed to implement passwords using only a single character. In addition, the controller’s access to their CRM system was based on a permissive rule: username and password had been created by only two employees, and without any special rule concerning the complexity of passwords. The mechanism used by the controller to encrypt bank data had also vulnerabilities.

Access to the controller’s website was at one point made using http protocols instead of the https protocols, which then exposed the data to the risk of computer attacks or leaks as http allows for the unencrypted reading of flows containing personal data, including bank data, between the data subjects browser and the server hosting the site.

8. Failure to comply with Article 33 GDPR

The controller was aware of the breach since 29th September 2020, when the journalists provided a sample of the impacted data, or no later than 30th September 2020 at the end of its internal investigations. Due to the severity of the breach, it was considered notifiable under Article 33(1) GDPR. However, no notification was made. However, in limiting the controller's responsibility, the CNIL held that the journalist's alert came after the server was closed (as of 10th July 2020) and that the processor did not keep the connection logs to the server concerned. This procedure meant the controller was not able to assess the incident and establish a personal data breach as defined in Article 4(12) GDPR.

9. Failure to comply with Article 7 GDPR

The cookie banner on the controller's website did not contain information on how to refuse trackers, the consequences of a refusal and the existence of the right to withdraw consent.

10. Fine imposed

A fine of €150,000 was imposed on the controller (€120,000 for GDPR violations and €50,000 for France’s Data Protection Act violations).

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.