CNIL (France) - SAN-2023-008: Difference between revisions

From GDPRhub
(Grammatical errors)
No edit summary
 
(9 intermediate revisions by 3 users not shown)
Line 44: Line 44:
|GDPR_Article_8=Article 33 GDPR
|GDPR_Article_8=Article 33 GDPR
|GDPR_Article_Link_8=Article 33 GDPR
|GDPR_Article_Link_8=Article 33 GDPR
|GDPR_Article_9=Article 82 GDPR
|GDPR_Article_9=
|GDPR_Article_Link_9=Article 82 GDPR
|GDPR_Article_Link_9=
|GDPR_Article_10=
|GDPR_Article_10=
|GDPR_Article_Link_10=
|GDPR_Article_Link_10=
Line 56: Line 56:
|EU_Law_Link_2=
|EU_Law_Link_2=


|National_Law_Name_1=
|National_Law_Name_1=Article 82 of Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
|National_Law_Link_1=
|National_Law_Link_1=https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978/2020-07-02
|National_Law_Name_2=
|National_Law_Name_2=
|National_Law_Link_2=
|National_Law_Link_2=
Line 77: Line 77:
}}
}}


A Controller was fined €150 000 because it collected excessive data, as well as sensitive data without prior and explicit consent, and did not sufficiently ensure the security of the data.
The French DPA fined a controller €150,000 because it collected excessive data, including sensitive data, without prior and explicit consent, and did not sufficiently ensure the security of the data.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 1st October 2020, an article published in a French media website, revealed the existence of a personal data breach concerning the data stored on KG COM's (Controller) server. According to this article, the Controller’s database was not subject to special security measures and it was freely accessible on the Internet until 23rd July 2020. The data exposed included the identification data and contact data of prospective and actual customers (data subjects).  
On 1st October 2020, an article published on a French media website revealed the existence of a personal data breach concerning the data stored on KG COM's (controller) server. The controller operates several websites to offer its customers clairvoyance readings by chat or phone.  


The Controller operates several websites to offer its customers clairvoyance readings by chat or phone. Following the publication of the article, the CNIL carried out three investigations into the Controller’s practices.
According to this article, the controller’s database was not subject to special security measures and it was freely accessible on the internet until 23rd July 2020. The data exposed included the identification data and contact data of prospective and actual customers (data subjects).  
 
Following the publication of the article, the French DPA (CNIL) carried out three investigations into the controller’s practices.


=== Holding ===
=== Holding ===
During its investigations, the CNIL noticed several infringements, in particular concerning the systematic recording of phone calls, the collection of health data and information relating to sexual orientation, the retention of banking data without the consent of individuals, the obligation to notify a data breach or the rules relating to cookies.
During its investigations, the CNIL noticed several infringements:
 
1. ''Failure to comply with [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]''
 
The controller systematically recorded all phone calls between telephone operators and prospective customers, as well as between fortune-tellers and customers, with the aim of checking service quality, proving that a contract has been performed and protecting their interests in civil proceedings. The controller did not provide any justification for the practice of systematically recording all calls for these purposes. 
 
For the purposes of quality control, the establishment of a randomised system of recording allows the person in charge of quality control monitoring to have the necessary elements to evaluate the quality of the services offered.
 
Furthermore, a controller who wishes to record telephone conversations for probatory purposes must demonstrate that they do not have other less intrusive means to prove that the contract concluded over the phone was concluded with the person concerned.
 
With regard to the complete and systematic recording of telephone calls in the perspective of complying with judicial orders, they do not have to organize, in advance, the collection of personal data with a view to responding to a judicial order which is only potential. Therefore, the recording of all telephone calls, in order to respond to a judicial order, is not justified.
 
In addition, the controller recorded calls made with prospective customers. During these telephone calls, they collected the bank data of prospects (credit card number, expiry date and cryptogram). The recording of data subjects' bank data in a phone call is intrinsically not useful for the controller in the context of purposes mentioned above.
 
2. ''Failure to comply with [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]''
 
Through an analysis of the controller’s policies, the CNIL determined that the retention period for personal data was set at three years from the end of the commercial relationship. Nevertheless, the controller retained the data of subjects who did not have "consultations" for over five years.
 
The CNIL held that the data necessary for the execution of contracts should be kept for the duration of the contractual relationship. At the end of the contract, they must be kept in an archive and for a reasonable period of time, if the controller has a legal obligation to do so (for example, to meet accounting or tax obligations) or if he wishes to retain evidence in the event of litigation. For this purpose, it will be necessary to provide for a dedicated archive database or a logical separation in the active database, after sorting the relevant data to be archived.
 
3. ''Failure to comply with [[Article 6 GDPR]]''


1. Failure to comply with [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]
In respect of card details, the retention of payment card data beyond the completion of a transaction for the purpose of combating payment card fraud does not fall within the scope of the contract. The same can be said for the retaining of details for the purpose of auto-completing the data when the data subject wants to re-use the services. The retaining of bank details requires that a prior free, specific, informed and unambiguous consent of persons is collected.
The company systematically recorded all phone calls between telephone operators and prospects, as well as between fortune-tellers and customers, with the aim of checking service quality, proving that a contract has been formed and responding to potential court orders. Although the company has now stopped phone-based clairvoyance readings, and therefore phone recordings, it has not provided any justification for the previous need to systematically record all calls for these purposes. Per CNIL, the controller cannot set up the processing of personal data without ensuring that it is necessary for its needs.  


For the purposes of quality control, the establishment of a randomised system of recording only a few telephone conversations allows the person in charge of quality control monitoring to have the necessary elements to evaluate the quality of the services offered.
4. ''Failure to comply with [[Article 9 GDPR]]''


Furthermore, a Controller who wishes to record telephone conversations for probationary purposes must demonstrate that they do not have other less intrusive means to prove that the contract concluded over the phone has been concluded with the person concerned. In this case, the existence of the contract concluded over the phone can be proven by another less intrusive means. Per Article L.221-16 of the Consumer Code, when the professional contacts a consumer by telephone in order to conclude a contract for the sale of a good or the supply of a service, the latter is only committed by this offer after having signed and accepted it on a durable medium. As soon as proof of the subscription of a contract has been concluded, following a telephone canvassing, can be provided by the written confirmation of the offer, the recording of telephone conversations, made, for the purpose of proof of the formation of the contract, does not appear necessary.
During the "consultations", data subjects provide the controller with data concerning their health status and sexual orientation. At the end of the consultations, this information was recorded in the data subjects' files, which were retained by the controller. The simple desire to receive a clairvoyance service and the fact the information is delivered directly from the data subject does not constitute an explicit consent of the data subject for the storing of their sensitive data.


With regard to the complete and systematic recording of telephone calls in the perspective of  judicial orders, while it is necessary for Controllers to comply with any judicial orders they receive concerning the data they process for their own purposes, they do not have to organize, in advance, the collection of personal data with a view to responding to a potential judicial order. Therefore, the recording of telephone calls, in order to respond to a judicial order, is not justified.
5. ''Failure to comply with [[Article 12 GDPR]]''


In addition, the Controller recorded calls made with prospective customers. During these telephone calls, they collected the bank data of prospects (credit card number, expiry date and cryptogram). In advance of this, the Controller had not put in place any measures to interrupt the recording of telephone conversations when the data subjects were providing their bank details. The recording of data subjects' bank data is not useful for the Controller in the context of quality control, for probationary or security purposes. In addition, the recording of data was not relevant to the purposes provided by the Controller during the procedure: the booking of appointments with a clairvoyant, the simplification of the regulation of subsequent consultations, the payment of subscriptions and the fight against fraud.
Information is considered easily accessible, within the meaning of [[Article 12 GDPR]], if it is provided to the data subject, without the need to actively search for it. When data subjects created a user account on the controller's website, they had to leave the registration process in order to return to the home page, scroll to the bottom, click on the controller’s general conditions of sale and actively search this document for information relating to the protection of personal data. Since several actions were necessary for the data subject to obtain information on data processing, this was not considered information that is easily accessible.


2. Failure to comply with [[Article 5 GDPR#1e|Article 5(1)(e) GDPR]]
Furthermore, the "general conditions of sale" were not easily identifiable as a document with information on data processing.  
Through a reading of the Controller’s policies, the CNIL determined that the retention period for data is set at three years from the end of the commercial relationship. Nevertheless, the Controller retained the data of subjects who have not had consultations for over five years.


CNIL held that the data necessary for the execution of contracts are kept for the duration of the contractual relationship. At the end of the contract, they must be kept in intermediate archiving and for a reasonable period of time, if the Controller has a legal obligation to do so (for example, to meet accounting or tax obligations) or if he wishes to constitute evidence in the event of litigation, and within the applicable limitation period. For this purpose, it will be necessary to provide for a dedicated archive database or a logical separation in the active database, after sorting the relevant data to be archived.
6. ''Failure to comply with [[Article 28 GDPR]]''


3. Failure to comply with [[Article 6 GDPR|Article 6 GDPR]] In respect of card details, the retention of payment card data beyond the completion of a transaction for the purpose of combating payment card fraud is not part of the scope of the contract, neither is retaining details for the purpose of auto completing the data when the data subject wants to reuse the services. The retaining of bank details requires that the prior free, specific, informed and unambiguous consent of persons, pursuant to [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]] be collected.
In two of the controller's contracts with subcontractors (Processors), there was an absence of signatures and mandatory terminology required pursuant to [[Article 28 GDPR#3|Article 28(3) GDPR]]. These circumstances did not ensure effective protection of personal data processed through contractual guarantees.


4. Failure to comply with [[Article 9 GDPR|Article 9 GDPR]]
7. ''Failure to comply with [[Article 32 GDPR]]''
During consultations, data subjects provide the Controller with data concerning their health status and sexual orientation. At the end of the consultations, this information is recorded in the data subjects records, which are kept in the Controllers business tool. The simple desire to receive a clairvoyance service and the fact the information is delivered directly from the data subject, this does not constitute an explicit consent of the data subject to process the data.


5. Failure to comply with [[Article 12 GDPR|Article 12 GDPR]]
Data subjects were allowed to implement passwords using only a single character. In addition, the controller’s access to their CRM system was based on a permissive rule: username and password had been created by only two employees, and without any special rule concerning the complexity of passwords. The mechanism used by the controller to encrypt bank data had also vulnerabilities.
Information is considered easily accessible, within the meaning of [[Article 12 GDPR|Article 12 GDPR]], if it is provided to the data subject, without the need to actively search for it. When data subjects are creating a use account on the Controllers website, they must leave the registration process in order to return to the home page, scroll to the bottom, click on the Controller’s general conditions of sale and actively search this document for information relating to the protection of personal data. Since a course of several actions are necessary for the data subject to obtain information on data processing, this not considered information that is easily accessible.


Furthermore, the general conditions of sale is not easily identifiable as a document with information on data processing as it also contains information on “conditions of sale”.  
Access to the controller’s website was at one point made using http protocols instead of the https protocols, which then exposed the data to the risk of computer attacks or leaks as http allows for the unencrypted reading of flows containing personal data, including bank data, between the data subjects browser and the server hosting the site.


6. Failure to comply with [[Article 28 GDPR|Article 28 GDPR]]
8. ''Failure to comply with [[Article 33 GDPR]]''
In two of its contracts with subcontractors (Processors), there was an absence of signatures and mandatory terminology required pursuant to [[Article 28 GDPR#3|Article 28(3) GDPR]] such as the Processor shall only process data on the documented instructions of the Controller. These facts do not ensure effective protection of personal data processed through contractual guarantees.


7. Failure to comply with [[Article 32 GDPR|Article 32 GDPR]]
The controller was aware of the breach since 29th September 2020, when the journalists provided a sample of the impacted data, or no later than 30th September 2020 at the end of its internal investigations. Due to the severity of the breach, it was considered notifiable under [[Article 33 GDPR#1|Article 33(1) GDPR]]. However, no notification was made. However, in limiting the controller's responsibility, the CNIL held that the journalist's alert came after the server was closed (as of 10th July 2020) and that the processor did not keep the connection logs to the server concerned. This procedure meant the controller was not able to assess the incident and establish a personal data breach as defined in [[Article 4 GDPR#12|Article 4(12) GDPR]].
Data subjects were allowed to implement passwords using only a single character. In addition, the Controller’s access to their CRM system is based on a permissive rule, the username and password are created only two employees, and without any special rules concerning the complexity of passwords. The mechanism used by the Controller to encrypt bank data has vulnerabilities.


Access to the Controller’s website, was at one point, made using http protocol instead of the https protocol, which then exposed the data to the risk of computer attacks or leaks as it allows for the unencrypted reading of flows containing personal data, including bank data, between the data subjects browser and the server hosting the site.
9. ''Failure to comply with [[Article 7 GDPR]]''


8. Failure to comply with [[Article 33 GDPR|Article 33 GDPR]]
The cookie banner on the controller's website did not contain information on how to refuse trackers, the consequences of a refusal and the existence of the right to withdraw consent.
The Controller was aware of the breach since 29th September 2020, when the journalist provided a sample of the impacted data, or no later than 30th September 2020 at the end of its internal investigations. Due to the severity of the breach, it is considered notifiable under [[Article 33 GDPR#1|Article 33(1) GDPR]]. However, no notification was made. In the Controllers defence, they asserted that the journalist's alert came after the server was closed (as of 10th July 2020) and that the Processor, in charge of outsourcing, did not keep the connection logs to the server concerned. This procedure meant the Controller was not able to assess the incident and establish a personal data breach as defined in [[Article 4 GDPR#12|Article 4(12) GDPR]].


9. Failure to comply with [[Article 82 GDPR|Article 82 GDPR]]
10. ''Fine imposed''
The cookie banner on the Controllers website did not contain information on how to refuse tracers, the consequences of a refusal and the existence of the right to withdraw consent.


A fine of €150,000 was imposed on the Controller (€120,000 for GDPR violations and €50,000 for France’s Data Protection Act violations).
A fine of €150,000 was imposed on the controller (€120,000 for GDPR violations and €50,000 for France’s Data Protection Act violations).


== Comment ==
== Comment ==

Latest revision as of 16:37, 8 January 2024

CNIL - SAN-2023-008
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR
Article 5(1)(c) GDPR
Article 6 GDPR
Article 9 GDPR
Article 12 GDPR
Article 28 GDPR
Article 32 GDPR
Article 33 GDPR
Article 82 of Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Type: Investigation
Outcome: Violation Found
Started:
Decided:
Published: 08.06.2023
Fine: 150000 EUR
Parties: KG COM
National Case Number/Name: SAN-2023-008
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): French
Original Source: LegiFrance (in FR)
Initial Contributor: Sainey Belle

The French DPA fined a controller €150,000 because it collected excessive data, including sensitive data, without prior and explicit consent, and did not sufficiently ensure the security of the data.

English Summary

Facts

On 1st October 2020, an article published on a French media website revealed the existence of a personal data breach concerning the data stored on KG COM's (controller) server. The controller operates several websites to offer its customers clairvoyance readings by chat or phone.

According to this article, the controller’s database was not subject to special security measures and it was freely accessible on the internet until 23rd July 2020. The data exposed included the identification data and contact data of prospective and actual customers (data subjects).

Following the publication of the article, the French DPA (CNIL) carried out three investigations into the controller’s practices.

Holding

During its investigations, the CNIL noticed several infringements:

1. Failure to comply with Article 5(1)(c) GDPR

The controller systematically recorded all phone calls between telephone operators and prospective customers, as well as between fortune-tellers and customers, with the aim of checking service quality, proving that a contract has been performed and protecting their interests in civil proceedings. The controller did not provide any justification for the practice of systematically recording all calls for these purposes.

For the purposes of quality control, the establishment of a randomised system of recording allows the person in charge of quality control monitoring to have the necessary elements to evaluate the quality of the services offered.

Furthermore, a controller who wishes to record telephone conversations for probatory purposes must demonstrate that they do not have other less intrusive means to prove that the contract concluded over the phone was concluded with the person concerned.

With regard to the complete and systematic recording of telephone calls in the perspective of complying with judicial orders, they do not have to organize, in advance, the collection of personal data with a view to responding to a judicial order which is only potential. Therefore, the recording of all telephone calls, in order to respond to a judicial order, is not justified.

In addition, the controller recorded calls made with prospective customers. During these telephone calls, they collected the bank data of prospects (credit card number, expiry date and cryptogram). The recording of data subjects' bank data in a phone call is intrinsically not useful for the controller in the context of purposes mentioned above.

2. Failure to comply with Article 5(1)(e) GDPR

Through an analysis of the controller’s policies, the CNIL determined that the retention period for personal data was set at three years from the end of the commercial relationship. Nevertheless, the controller retained the data of subjects who did not have "consultations" for over five years.

The CNIL held that the data necessary for the execution of contracts should be kept for the duration of the contractual relationship. At the end of the contract, they must be kept in an archive and for a reasonable period of time, if the controller has a legal obligation to do so (for example, to meet accounting or tax obligations) or if he wishes to retain evidence in the event of litigation. For this purpose, it will be necessary to provide for a dedicated archive database or a logical separation in the active database, after sorting the relevant data to be archived.

3. Failure to comply with Article 6 GDPR

In respect of card details, the retention of payment card data beyond the completion of a transaction for the purpose of combating payment card fraud does not fall within the scope of the contract. The same can be said for the retaining of details for the purpose of auto-completing the data when the data subject wants to re-use the services. The retaining of bank details requires that a prior free, specific, informed and unambiguous consent of persons is collected.

4. Failure to comply with Article 9 GDPR

During the "consultations", data subjects provide the controller with data concerning their health status and sexual orientation. At the end of the consultations, this information was recorded in the data subjects' files, which were retained by the controller. The simple desire to receive a clairvoyance service and the fact the information is delivered directly from the data subject does not constitute an explicit consent of the data subject for the storing of their sensitive data.

5. Failure to comply with Article 12 GDPR

Information is considered easily accessible, within the meaning of Article 12 GDPR, if it is provided to the data subject, without the need to actively search for it. When data subjects created a user account on the controller's website, they had to leave the registration process in order to return to the home page, scroll to the bottom, click on the controller’s general conditions of sale and actively search this document for information relating to the protection of personal data. Since several actions were necessary for the data subject to obtain information on data processing, this was not considered information that is easily accessible.

Furthermore, the "general conditions of sale" were not easily identifiable as a document with information on data processing.

6. Failure to comply with Article 28 GDPR

In two of the controller's contracts with subcontractors (Processors), there was an absence of signatures and mandatory terminology required pursuant to Article 28(3) GDPR. These circumstances did not ensure effective protection of personal data processed through contractual guarantees.

7. Failure to comply with Article 32 GDPR

Data subjects were allowed to implement passwords using only a single character. In addition, the controller’s access to their CRM system was based on a permissive rule: username and password had been created by only two employees, and without any special rule concerning the complexity of passwords. The mechanism used by the controller to encrypt bank data had also vulnerabilities.

Access to the controller’s website was at one point made using http protocols instead of the https protocols, which then exposed the data to the risk of computer attacks or leaks as http allows for the unencrypted reading of flows containing personal data, including bank data, between the data subjects browser and the server hosting the site.

8. Failure to comply with Article 33 GDPR

The controller was aware of the breach since 29th September 2020, when the journalists provided a sample of the impacted data, or no later than 30th September 2020 at the end of its internal investigations. Due to the severity of the breach, it was considered notifiable under Article 33(1) GDPR. However, no notification was made. However, in limiting the controller's responsibility, the CNIL held that the journalist's alert came after the server was closed (as of 10th July 2020) and that the processor did not keep the connection logs to the server concerned. This procedure meant the controller was not able to assess the incident and establish a personal data breach as defined in Article 4(12) GDPR.

9. Failure to comply with Article 7 GDPR

The cookie banner on the controller's website did not contain information on how to refuse trackers, the consequences of a refusal and the existence of the right to withdraw consent.

10. Fine imposed

A fine of €150,000 was imposed on the controller (€120,000 for GDPR violations and €50,000 for France’s Data Protection Act violations).

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.