CNIL (France) - SAN-2024-002

From GDPRhub

Revision as of 09:28, 28 February 2024

CNIL - SAN-2024-002 du 31 janvier 2024
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(e) GDPR
Article 13 GDPR
Article 28 GDPR
Article 32 GDPR
Article D.213-1, Consumer Code
Article D.213-2, Consumer Code
Article L. 34-5, Postal and Electronic Communications Code
Article L.213-1, Consumer Code
Type: Investigation
Outcome: Violation Found
Started: 06.02.2023
Decided: 31.01.2024
Published: 13.02.2024
Fine: 100000 EUR
Parties: De Particulier à Particulier - Editions Neressis
National Case Number/Name: SAN-2024-002 du 31 janvier 2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: r_e_

The DPA imposed a €100,000 fine on real estate service provider, Société PAP, for having excessive retention periods, an incomplete privacy policy and for failing to ensure the security of user accounts.

English Summary

Facts

Société Particulier à Particulier - Editions Neressis ("controller") provides individuals with a set of publications and services allowing them to conclude real estate transactions without intermediaries. The CNIL conducted an online investigation of their website, www.pap.fr, to verify the methods of informing people about their rights as data subjects, and whether the procedure for creating a user account was sufficiently secure and confidential.

The on-site investigation focused on the verification of the retention periods applied to user account data, the legality of data processor agreements in place and the technical and organizational measures to ensure the security of the data collected through the website.

During its investigations, the CNIL found that the controller defined a systematic retention period of ten years from the acceptance of the order. The CNIL also discovered that the controller did not include the right to lodge a complaint with the DPA, the legal basis for each processing as well as the recipients and categories of recipients in their privacy policy.

The CNIL initiated a sanctioning procedure against the controller on 6 February 2023.

Holding

Firstly, regarding the retention periods, the CNIL considered that a retention period of ten years from the date of acceptance of the order was justified by the controller's legal obligations under French law, in particular Articles L.213-1, D.213-1 and D.213-2 of the Consumer Code, for contracts worth more than €120. Therefore, the CNIL considered that, for contracts worth less than €120, the ten-year retention period was excessive and breached Article 5(1)(e) GDPR.

Additionally, while the CNIL agreed that a 5 year retention period commencing from the date of last connection to the user account was justified for the contentious and anti-fraud purposes provided by the data controller, more than 2 million user accounts of between 5 and 10 years old had been retained, as well as more than 700,000 accounts more than 10 years old. The retention of data beyond what was necessary for the announced purpose constituted a breach of Article 5(1)(e) GDPR.

Secondly, the CNIL indicated that the controller breached Article 13 GDPR by failing to include users' right to lodge a complaint with the CNIL in the privacy policy, and by giving inaccurate data retention period information there. The CNIL noted that this information helps users to control the processing of their data, and thereby ensures fair and transparent processing.

Thirdly, the CNIL found that the controller had breached Article 28(3) GDPR where it had tried to retroactively amend one of its data processor agreements to include all requirements of this Article. The CNIL held that the retroactive nature of the amendment cannot cover the breach for the past. While the rapporteur had found two other data processing agreements to be in breach of Article 28(3) GDPR, the CNIL concluded that one did in fact contain all the required information, and that the other was incorrectly classified as a data processing agreement and therefore Article 28(3) GDPR did not apply.

Finally, the CNIL considered that the controller breached Article 32 GDPR in several ways. Firstly, users were not required to provide strong passwords when creating an account, accounts were not locked after a certain number of failed login attempts, and part of a reference code used in lieu of an account (if the user did not wish to create one) was made public because it formed part of the advertisement reference number. The CNIL found that, given the current state of the art, these measures were not sufficient to guarantee the security and confidentiality of the data being processed. Secondly, the controller failed to move inactive customer data (kept for 10 years) and inactive user account data (kept for 5 years) into intermediate archiving. The CNIL found that mixing inactive data into an active database, which the controller explained was done for daily anti-fraud checks, did not ensure adequate data security: a large number of employees could access the data, and some of the retained data was not needed for anti-fraud checks (such as advertisement details and billing addresses).

For breaching Articles 5(1)(e), 13, 28 and 32 GDPR, the CNIL imposed a €100,000 fine on the controller.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted panel no. SAN-2024-002 of January 31, 2024 concerning the company DE PARTICULIER A PARTICULIER – EDITIONS NERESSIS

The National Commission for Information Technology and Freedoms, gathered in its restricted panel composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Ms. Christine MAUGÜÉ, Mr. Alain DRU and Mr. Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Having regard to Decree No. 2019-536 of May 29, 2019 as amended taken for the application of Law No. 78-17 of January 6, 1978 relating to computing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Having regard to decision No. 2021-193C of June 29, 2021 of the President of the National Commission for Information Technology and Freedoms instructing the Secretary General to carry out or have carried out a mission to verify the processing of personal data implemented by the company or on its behalf;

Having regard to the decision of the President of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated February 6, 2023;

Having regard to the report of Ms. Sophie LAMBREMON, commissioner rapporteur, notified to the company DE PARTICULIER A PARTICULIER – EDITIONS NERESSIS on July 20, 2023;

Having regard to the written observations submitted by the company DE PARTICULIER A PARTICULIER – EDITIONS NERESSIS on September 8, 2023;

Having regard to the observations in response from the rapporteur on October 6, 2023;

Considering the observations in response from the company DE PARTICULIER A PARTICULIER – EDITIONS NERESSIS on November 2, 2023;

Considering the other documents in the file;

Were present at the restricted panel session of December 21, 2023:

- Ms Sophie LAMBREMON, commissioner, heard in her report;

As representatives of the company DE PARTICULIER A PARTICULIER – EDITIONS NERESSIS:

- […];

The company DE PARTICULIER A PARTICULIER – EDITIONS NERESSIS having spoken last;

The restricted panel adopted the following decision:

I. Facts and procedure

1. The company DE PARTICULIER A PARTICULIER – EDITIONS NERESSIS (hereinafter “the company”), whose head office is located at 45 rue du Cardinal Lemoine in Paris (75005), was registered in the trade and companies register on 14 November 1975. Its turnover amounted in 2021 to […] euros for a net result of […] euros and in 2022 to […] euros for a net result of […] euros.

2. The company DE PARTICULIER A PARTICULIER – EDITIONS NERESSIS provides individuals with a set of publications and services allowing them to conclude real estate transactions without an intermediary. The company publishes the website www.pap.fr, which allows individuals to publish or consult real estate advertisements and to access various tools for managing real estate projects (legal assistance, real estate coaching, credit and price-per-square-meter calculations, estimation of the price of properties for sale and of notary fees).

3. Two control missions took place pursuant to decision no. 2022-041C of March 2, 2022 of the president of the CNIL in order to verify compliance by the company with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter “the GDPR” or “the Regulation”) and Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms as amended (hereinafter “the Data Protection Act”). On March 8, 2022, the CNIL services carried out an online check of the website “www.pap.fr”. On April 7, 2022, the CNIL services carried out an on-site inspection at the company's premises located in Paris (75005).

4. The online check of the website www.pap.fr was mainly intended to verify the methods of informing people and the procedure for creating a user account. The on-site inspection focused more specifically on the verification of the retention periods applied to user account data, the supervision by a legal act of the processing carried out by a processor, the technical and organizational measures intended to ensure the security of the data collected through the website, as well as the information provided to people who are prospected for similar products and services.

5. By emails of April 10 and June 7, 2022, the company sent additional information to the Commission services.

6. In accordance with Article 56 of the GDPR, on January 17, 2023, the CNIL informed all European supervisory authorities of its competence to act as lead supervisory authority regarding the cross-border processing implemented by the company, resulting from the fact that the company's sole establishment is in France. After discussions between the CNIL and the European data protection authorities within the framework of the one-stop-shop mechanism, it appears that the German, Austrian, Belgian, Danish, Spanish, Finnish, Greek, Irish, Italian, Dutch, Norwegian, Polish, Portuguese and Swedish authorities are concerned by the processing, user accounts having been created by persons residing in these States.

7. For the purposes of examining these elements, the President of the Commission, on February 6, 2023, appointed Ms. Sophie LAMBREMON as rapporteur on the basis of article 22 of the Data Protection Act.

8. On July 20, 2023, the rapporteur notified the company of a report detailing the breaches of articles 5-1-e), 12, 13, 28 and 32 of the GDPR as well as article L.34-5 of the Postal and Electronic Communications Code, which it considered to be constituted in this case.

9. On September 8, 2023, the company produced observations in response to the sanction report.

10. On October 6, 2023, the rapporteur responded to the company's observations.

11. On November 3, 2023, the company submitted further observations in response to the rapporteur's observations.

12. By letter dated November 9, 2023, the rapporteur informed the company that the investigation was closed, in application of article 40, III, of amended decree no. 2019-536 of May 29, 2019.

13. By letter of the same day, the company was informed that the file was included on the agenda of the restricted panel session of November 30, 2023.

14. By email of November 14, 2023, the company's counsel requested a postponement of the restricted panel session.

15. By letter dated November 16, 2023, the company's counsel was informed of the postponement of the session to December 21, 2023.

16. The rapporteur and the company presented oral observations during the restricted panel session.

II. Reasons for decision

A. On the European cooperation procedure

17. In application of Article 60 paragraph 3 of the GDPR, the draft decision adopted by the restricted committee was transmitted on December 29, 2023 to the European supervisory authorities concerned.

18. As of 26 January 2024, none of the supervisory authorities concerned had raised a relevant and reasoned objection to this draft decision, so that, pursuant to Article 60(6) of the GDPR, they are deemed to have approved it.

B. On the failure to comply with the obligation to limit the duration of data retention

19. Under the terms of article 5-1, e) of the GDPR, personal data must be "kept in a form allowing the identification of the persons concerned for a period not exceeding that necessary for the purposes for which they are processed".

20. The rapporteur noted that, during the on-site inspection, the company indicated that it had defined a different data retention policy depending on the type of user of the website www.pap.fr. Thus, concerning customer data (people using the site's paid services), the rapporteur noted that the company had defined a retention period of ten years from the date of acceptance of the order. It noted that the systematic and indiscriminate retention of all account data for ten years did not appear justified with regard to the legal obligation arising from the Consumer Code, and that the extraction of the database provided contained data relating to transactions of less than 120 euros whose retention did not appear justified. Concerning user data (people using the free services of the site), the rapporteur noted that, while the company had defined a retention period of five years from the date of the last connection to the account, it emerged from the on-site inspection that the company had retained 2,394,538 lines for more than five years and less than ten years and 737,563 lines for more than ten years.

21. In defense, concerning the data of customers using paid advertisements, the company, during the investigation, specified that it kept the advertisement and the electronic address for ten years for the purposes of compliance with the legal obligations arising from articles L.213-1, D.213-1 and D.213-2 of the Consumer Code, the fight against fraud, and the specificities of the real estate activity. It detailed the two paid plans offered to customers: either a no-obligation contract for 59 euros per month, which amounts to a single contract of indefinite duration, or a three-month contract taken out for 135 euros. For non-binding contracts, considering that it cannot determine the duration of the contract in advance, the company specified that it keeps all data relating to these contracts for a period of ten years regardless of the final amount. It further considers that it is necessary to take into account the financial stakes of advertisements and of the contracts for the sale of goods subsequently concluded, for amounts well above 120 euros. It also indicated that the retention period for years of birth had been reduced to twenty-five months and that of data relating to an inactive account to three years of inactivity.

22. Concerning the data relating to users, the company, during the investigation, specified that it would only keep the electronic address and the associated account for a period of five years for litigation and anti-fraud purposes and that it had deleted the data retained beyond this period of five years.

23. The restricted panel recalls that it is the responsibility of the data controller to define and implement a data retention period not exceeding that necessary in view of the purpose for which the data are processed.

24. With regard to the relevant durations, for illustrative purposes, the restricted panel notes that in its framework relating to the processing of personal data implemented for the purposes of managing commercial activities, the CNIL specifies that the data necessary for the execution of a contract are retained during the contractual relationship and that compliance with a legal obligation incumbent on the organization may, in particular, justify a longer retention period. Failing this, the storage must be based on another legal basis provided for in Article 6 of the GDPR.

25. Under the terms of article L. 213-1 of the Consumer Code: "When the contract is concluded electronically and it concerns a sum equal to or greater than an amount fixed by decree, the professional contractor ensures the conservation of the writing which establishes it for a period determined by this same decree and guarantees access to it at any time to its co-contractor if the latter requests it."

26. Article D. 213-1 of the same code provides that "[t]he amount mentioned in article L. 213-1 is set at 120 euros" and article D. 213-2 provides that "[t]he period mentioned in Article L. 213-1 is set at ten years from the conclusion of the contract when delivery of the goods or execution of the service is immediate. Otherwise, the period runs from the conclusion of the contract until the date of delivery of the goods or performance of the service and for a period of ten years from this date."

27. In this case, the restricted panel firstly notes, with regard to the retention of customer data, that the retention period of ten years from the date of acceptance of the order defined by the company is justified by its legal obligations resulting from the aforementioned Consumer Code for contracts of an amount greater than 120 euros. Thus, the restricted panel considers that, for the three-month contracts offered by the company for an amount of 135 euros, the retention of data for a period of ten years is fully justified.

28. On the other hand, the restricted panel notes that, for non-binding contracts of an amount of 59 euros per month, the company retains by default the data relating to these contracts as soon as they are concluded, even if the total amount paid by the user is less than 120 euros. However, in the event that a customer has only used the company's paid services for one or two months, that is to say for an amount less than 120 euros, the data retention period provided for by the Consumer Code would not apply. The restricted panel notes that article D.213-1 of the Consumer Code expressly specifies “when the contract (…) concerns an equal or greater sum”. The only amount to be taken into consideration is therefore that of the contract concluded between the PAP company and the customer, especially since the PAP company is a third party to the contract for the sale of goods concluded between the selling customer and the buyer. Consequently, the restricted panel considers that the retention of data of customers in the situation just described is not made obligatory by compliance with the Consumer Code, contrary to what the company indicates.

29. In any event, the restricted panel notes that it appears from an extraction of 100 lines corresponding to accounts of customers who placed orders more than five years ago that 69 of them concerned orders for an amount less than 120 euros. Therefore, the restricted panel considers that the company has kept account data not affected by Article D. 213-1 of the Consumer Code for excessive periods of time.

30. Next, the restricted panel notes, with regard to the retention of user data, that the company has defined a period of five years which begins to run on the date of the last connection to the user account. The restricted panel considers that the explanations provided by the company during the investigation justify the retention period for litigation and anti-fraud purposes.

31. Nevertheless, the restricted panel observes that it appears from the on-site inspection that the company had kept 2,394,538 lines corresponding to user accounts more than five years from the date of the last connection and less than ten years and 737,563 lines corresponding to user accounts more than ten years old from the date of the last connection.

32. The restricted panel notes that it follows from the above that when the retention period is reached, the personal data must be deleted. Therefore, it appears from the documents in the file that on the date of the on-site inspection, the company retained user account data beyond what was necessary in view of the announced purpose.

33. Consequently, the restricted panel considers that the above facts characterize a breach of article 5-1-e) of the GDPR. The restricted panel notes that the company partially complied during the procedure by applying an adequate retention period for user account data with regard to the different purposes pursued, deleting the data relating to accounts that have been inactive for more than five years. This compliance cannot exempt the company from its responsibility for the past.
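As an added illustration of the retention logic applied in paragraphs 27 to 32 (this is not code from the decision or from the company's systems), the following Python script classifies account records against the two periods the decision discusses: the ten-year Consumer Code period for contracts of 120 euros or more, counted from acceptance of the order, and the controller's own five-year period for user accounts, counted from the last connection. The record schema, field names, sample records and reference date are constructed for the example. For sub-threshold contracts the script only flags that the ten-year legal basis does not apply, because the decision does not fix what period would be appropriate in that case.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Figures taken from the decision: Articles D.213-1 and D.213-2 of the
# Consumer Code (120 euros, ten years) and the controller's own five-year
# period for user accounts, measured from the last connection.
LEGAL_THRESHOLD_EUR = 120
LEGAL_RETENTION_YEARS = 10
USER_RETENTION_YEARS = 5


@dataclass
class CustomerRecord:
    """Paid-service customer (constructed schema, not the controller's)."""
    account_id: str
    order_accepted: date
    contract_amount_eur: float  # total actually paid under the contract


@dataclass
class UserRecord:
    """Free-service user account (constructed schema)."""
    account_id: str
    last_connection: date


def years_since(start: date, end: date) -> int:
    """Whole years elapsed from start to end, counted on anniversaries."""
    years = end.year - start.year
    if (end.month, end.day) < (start.month, start.day):
        years -= 1
    return years


def review_customer(rec: CustomerRecord, today: date) -> str:
    """Classify a customer record against the Consumer Code obligation.

    'legal-hold' while the ten-year obligation runs, 'delete' once it has
    expired, and 'review-basis' for contracts below 120 euros, where the
    decision finds that the ten-year obligation does not apply and the
    controller must justify any retention on another basis.
    """
    if rec.contract_amount_eur < LEGAL_THRESHOLD_EUR:
        return "review-basis"
    age = years_since(rec.order_accepted, today)
    return "legal-hold" if age < LEGAL_RETENTION_YEARS else "delete"


def review_user(rec: UserRecord, today: date) -> str:
    """Classify a user account against the five-year last-connection rule.

    Overdue accounts are split into the two age bands the on-site inspection
    reported: five to ten years, and more than ten years.
    """
    age = years_since(rec.last_connection, today)
    if age < USER_RETENTION_YEARS:
        return "keep"
    return "delete-5-to-10" if age <= LEGAL_RETENTION_YEARS else "delete-over-10"


def retention_report(customers, users, today: date) -> dict:
    """Count records per outcome, the way an inspection extraction would be tallied."""
    counts = Counter()
    for rec in customers:
        counts["customer:" + review_customer(rec, today)] += 1
    for rec in users:
        counts["user:" + review_user(rec, today)] += 1
    return dict(counts)


# Constructed sample, evaluated as of the on-site inspection date (7 April 2022).
INSPECTION_DATE = date(2022, 4, 7)
SAMPLE_CUSTOMERS = [
    CustomerRecord("c-1", date(2015, 3, 1), 135.0),   # 135 EUR contract, 7 years old
    CustomerRecord("c-2", date(2011, 1, 15), 135.0),  # 135 EUR contract, 11 years old
    CustomerRecord("c-3", date(2016, 6, 10), 59.0),   # one month at 59 EUR: below threshold
    CustomerRecord("c-4", date(2020, 1, 1), 118.0),   # two months at 59 EUR: below threshold
]
SAMPLE_USERS = [
    UserRecord("u-1", date(2021, 12, 1)),  # active within five years
    UserRecord("u-2", date(2016, 2, 1)),   # six years since last connection
    UserRecord("u-3", date(2010, 5, 5)),   # eleven years since last connection
    UserRecord("u-4", date(2017, 4, 7)),   # exactly five years: period reached
]

if __name__ == "__main__":
    for outcome, count in sorted(retention_report(SAMPLE_CUSTOMERS, SAMPLE_USERS, INSPECTION_DATE).items()):
        print(f"{outcome:24s} {count}")
```

The report separates "the period has expired, delete" from "the claimed legal basis does not cover this record", which is the distinction the panel draws in paragraphs 28 and 29: a blanket ten-year rule applied to sub-threshold contracts fails not because the period is wrong in itself but because the obligation invoked does not reach those records.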

C. On the failure to comply with the obligation to inform individuals

34. Article 13 of the GDPR lists the information that must be provided to the data subject when personal data is collected directly from them. This information relates in particular to the identity of the data controller and its contact details, the purposes of the processing implemented, its legal basis, the recipients or categories of recipients of the data, and the fact that the data controller intends to carry out a data transfer to a third country. The article also requires the data controller, when this appears necessary to guarantee "fair and transparent processing" of personal data in the case at hand, to inform individuals about the duration of data retention, the existence of the various rights from which individuals benefit, the existence of the right to withdraw consent at any time and the right to lodge a complaint with a supervisory authority.

35. In her report, the rapporteur notes in essence that the information provided by the company on the website www.pap.fr, through its "personal data protection policy" page, was incomplete or imprecise, due to failure to specify the processing to which the legal bases relate, the recipients or categories of recipients of data, the right to lodge a complaint with the CNIL and the retention periods defined by the company. The rapporteur notes, however, that the company has, since the inspections, engaged in a process of compliance, without this calling into question the shortcomings in the past.

36. In defense, the company contests the breach. It merely considers that it provided the information imprecisely. It indicates that it has complied since the inspections by modifying and supplementing its personal data protection policy. Regarding the legal bases applicable to the processing, the company cites an awkward presentation. With regard to the mention of recipients or categories of recipients, it considers that it was not required to provide the identity of all the recipients of data.

37. The restricted panel notes that it appears from the findings made during the controls that with regard to the website www.pap.fr, a personal data protection policy was accessible from the footer of the home page, a document to which the user account creation form also returned. However, it appears that although the legal bases were indicated, no explanation was provided regarding the processing to which they related.

38. In addition, the restricted panel notes, like the rapporteur, that the company indicated the name of only one of its processors, the company […], which is in charge of payments made on the site. Apart from this case, no information was provided concerning the other recipients or categories of recipients of personal data. However, the restricted panel notes that it appears from the inspections that the company had at least two other processors as recipients of the personal data.

39. Accordingly, the restricted panel considers that the company has not complied with the provisions of Article 13(1) of the GDPR.

40. Next, the restricted panel notes, on the one hand, that this personal data protection policy did not mention the right to lodge a complaint with the CNIL and, on the other hand, that the storage periods indicated were inaccurate.

41. However, the restricted panel considers that this information, in that it helps to ensure that users have control over the processing of their data, is important to guarantee fair and transparent processing.

42. The restricted panel considers that the absence of mention of the right to lodge a complaint with the CNIL and the imprecision of the information relating to the retention period of user data in the company's confidentiality policy, constitute a breach of Article 13 (2) of the GDPR.

43. Consequently, the restricted panel considers that the company has committed a breach of Article 13 of the GDPR. It specifies that the breach taken into account is the one which was crystallized at the time of the controls and notes that the company has brought itself into compliance.

D. On the failure linked to the obligation to regulate by a legal act the processing carried out on behalf of the data controller

44. Under Article 28(3) of the Regulation, processing carried out by a processor on behalf of a controller is governed by a contract or any other formalized legal act which defines the subject matter and the duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects as well as the obligations and rights of the data controller. This contract also provides for the conditions under which the processor undertakes to carry out processing operations on behalf of the controller.

45. The rapporteur noted that the contractual documents of the companies […], subcontractors of the company, did not contain all the information provided for by the aforementioned article.

46. In defense, the company contests the breach with regard to the contractual relationship with the company […]. In this regard, it specifies that the latter is governed by a contract which refers to a data processing agreement, which contains the information required by Article 28. Concerning the contract concluded with the company […], the company indicates that it has concluded an amendment to the contract containing the information provided for in Article 28. Finally, the company declares that it has terminated the contractual relationship with the company […].

47. The restricted panel notes that, with regard to the contractual documents of the company […], the company had provided the CNIL delegation with only the contract concluded on November 19, 2021. It subsequently produced, in response to the sanction report, the data processing agreement to which the contract refers. The restricted panel considers that these contractual documents, read as a whole, contain all the necessary information. The breach is therefore not constituted for this contractual relationship.

48. Then with regard to the contract concluded with the company […], the restricted panel notes that the amendment produced by the company in response to the sanction report was concluded on September 7, 2023. The restricted panel notes that this amendment contains all the required information but considers that the breach has occurred in the past with regard to the date of signature of the said amendment. The restricted panel considers in fact that the retroactive nature of the amendment used by the company cannot cover the breach for the past to the extent that during the inspections the contract concluded did not contain the required information.

49. Finally, with regard to the contract concluded with the company […], the restricted panel considers that, having regard to the documents produced, it has not been established that this company processed personal data on behalf of the company PAP and had the status of processor within the meaning of the GDPR. Accordingly, the breach of article 28 is not characterized.

50. Ultimately, the restricted panel considers that the breach of Article 28, paragraph 3, of the GDPR is constituted for the past facts concerning the contract governing the relationship with the company […].

E. On breaches of the obligation to ensure data security

51. Under the terms of Article 32 of the GDPR, “1. Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, the degree of probability and severity of which varies, for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organizational measures in order to guarantee a level of security appropriate to the risk, including, among other things, as needed:

(a) pseudonymization and encryption of personal data;

(b) means to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;

(c) means to restore the availability of and access to personal data within appropriate time frames in the event of a physical or technical incident;

(d) a procedure aimed at regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing”.

1. On passwords and confidential references

52. The rapporteur notes that, on the one hand, during the online check, the delegation noted that when creating a user account on the company's website, passwords of a unique character ( a number or a letter) were accepted and that no access restrictions in the event of authentication failure were implemented. In addition, the rapporteur notes that, during the checks, each password was both stored in clear text and hashed with the Bcrypt hashing algorithm.

53. Furthermore, the rapporteur notes that, during the on-site inspection, the delegation was informed that when submitting an advertisement without having an account, the user was given a confidential reference consisting of ten characters in plain text. alphanumeric, the first seven of which were public since they corresponded to the characters of the reference of the advertisement placed on the site. This confidential reference could not be modified by the advertiser. This single reference allowed the user to directly access the ad and the associated space on the site after having entered it in the corresponding field. Furthermore, this confidential reference, which is similar to a password, was stored in plain text in the database.

54. In defense, the company does not contest the breaches in substance but declares that it has taken corrective action. First of all, it announces that it has adapted its password policy by requiring passwords of eight characters in length composed of at least one uppercase letter, one lowercase letter, one number and one special character. It recalls that passwords are now hashed with the Bcrypt algorithm and that passwords kept in plain text have been deleted. Then, the company specifies that it no longer communicates confidential references to users, requiring instead the creation of an account on the site, and that it has implemented the blocking of the owner space after ten unsuccessful connection attempts.

55. First of all, the restricted panel recalls that it follows from the provisions of Article 32 of the GDPR that the data controller is required to ensure that the automated data processing that it implements is sufficiently secure. The sufficiency of the security measures is assessed, on the one hand, with regard to the characteristics of the processing and the risks it induces, and on the other hand, taking into account the state of knowledge and the cost of the measures.

56. The restricted panel considers first of all that overly permissive password complexity rules, which authorize the use of insufficiently strong passwords, can lead to attacks by unauthorized third parties, such as “brute force” or “dictionary” attacks, which consist of successively and systematically testing numerous passwords and thus lead to a compromise of the associated accounts and the personal data they contain.

57. It notes, in this regard, that the need for a strong password is recommended both by the National Information Systems Security Agency (ANSSI) and by the Commission in its deliberation no. 2017-012 of January 19, 2017 adopting a recommendation relating to passwords, a requirement confirmed in its deliberation no. 2022-100 of July 21, 2022.

58. By way of illustration, the restricted panel recalls that the Commission considers in its deliberation no. 2017-012 of January 19, 2017 – which is certainly not of an imperative nature but which provides relevant insight into the measures that should be taken in terms of security – that, to ensure a sufficient level of security and confidentiality, in the event that authentication is based solely on an identifier and a password, the latter must be composed of at least twelve characters including uppercase, lowercase, numbers, and special characters.

59. Failing this, the Commission considers that authentication may be based on a password of a minimum length of eight characters, made up of three different categories of characters, provided it is accompanied by a complementary measure such as, for example, delaying access to the account after several failures (temporary suspension of access whose duration increases with each attempt), the establishment of a mechanism to protect against automated and intensive submission attempts (e.g. “captcha”) and/or blocking of the account after several unsuccessful authentication attempts (maximum ten).

60. The restricted panel emphasizes that it has adopted financial sanctions where the characterization of a breach of Article 32 of the GDPR is the result of insufficient measures to guarantee the security of the data processed. Deliberations No. SAN-2019-006 of June 13, 2019, No. SAN-2019-007 of July 18, 2019 and No. SAN-2022-018 of September 8, 2022 specifically concern the insufficient robustness of passwords.

61. The restricted panel notes that in this case, on the one hand, the passwords of users of the website www.pap.fr could, at the time of the checks, be composed of a single character and were devoid of additional security measures. It appears from the company's observations that the required passwords are now 8 characters long, composed of at least one uppercase letter, one lowercase letter, one number and one special character, without any access restriction being provided. On the other hand, confidential references – comparable to passwords within the meaning of the definition of deliberation no. 2022-100 of July 21, 2022, according to which the term password designates any knowledge factor, namely any set of revocable information, known only to the person concerned and allowing or contributing to the authentication of the latter – consisted of ten alphanumeric characters of which the first seven were public, in that they corresponded to the reference of the advertisement on the site, only the last three characters being private. In addition, these references were transmitted in plain text and could not be modified by the user, so that they constituted a lasting means of authentication.

62. The restricted panel considers that such constructions do not ensure the security of the data or prevent unauthorized third parties from having access to it.

63. Concerning the passwords required when creating an account, it recalls, as the rapporteur pointed out, that the company was processing data associated with nearly five million user accounts on the day of the on-site inspection, such as last name, first name and email address. Thus, these passwords, associated with their identifiers, allow access to all the personal data contained in their www.pap.fr accounts. They were not robust enough, given the personal data involved and the state of the art.

64. Concerning the confidential reference, the restricted panel considers that the use of this single reference consisting of ten alphanumeric characters did not meet the criterion of sufficient complexity. Indeed, it appears that the first part of this reference, the first seven alphanumeric characters corresponding to the reference of the ad, must be considered a public identifier. The second part of the reference, composed of the last three alphanumeric characters and similar to a password, does not meet the robustness criteria described above.

65. In addition, as the rapporteur pointed out, this confidential reference allows access to the personal data present in the owner space associated with the person who published the advertisement, to modify them and also to modify the advertisement. Furthermore, access to this space allows access to the exchanges between the owner and the people interested in the advertisement, during which a lot of personal information can be transmitted (family, professional, financial situations).

66. Also, authentication based on the use, on the one hand, of a password, in the past short and lacking additional security measures, and currently still insufficiently robust in the absence of additional security measures, and, on the other hand, of a non-modifiable confidential reference, transmitted in plain text and without sufficient complexity, can lead to attacks by unauthorized third parties and thus to a compromise of user accounts and of the "owner space" and of the numerous personal data they contain.

67. Consequently, the restricted panel considers that the password and confidential reference policy deployed was and remains insufficiently robust to guarantee the security of the data processed, which disregards Article 32 of the GDPR.

68. Secondly, the restricted panel recalls that storing passwords securely constitutes a basic precaution in terms of the protection of personal data. As early as 2013, ANSSI alerted and recalled good practices regarding the conservation of passwords by indicating that they must "be stored in a form transformed by a one-way cryptographic function (hash function) and slow to calculate such as PBKDF2" and that "the transformation of passwords must involve a random salt to prevent an attack by precalculated tables" (ANSSI, "News Bulletin CERTA-2013-ACT-046", November 15, 2013, https://www.cert.ssi.gouv.fr/actualite/CERTA-2013-ACT-046/).

69. Likewise, in its deliberation no. 2017-012 of January 19, 2017, the CNIL already indicated that it "recommends [that the password] be transformed by means of a non-reversible and secure cryptographic function (that is to say, using a public algorithm deemed strong whose software implementation is free of known vulnerabilities), integrating the use of a salt or a key". Indeed, non-robust hash functions present known vulnerabilities which do not guarantee the integrity and confidentiality of passwords in the event of a brute force attack after compromise of the servers which host them.

70. In the present case, the restricted panel notes that the conservation in plain text, on the one hand, of user passwords, associated with their identifiers and their email address, and, on the other hand, of confidential references, associated with a personal space, does not guarantee their security. This method of conservation implies that any person with access to the company's customer database – whether an administrator of the company's information systems or an attacker in the event of compromise – can consult them, collect them, modify or sell them.

71. Under these conditions, the restricted panel considers that the storage methods for passwords and confidential references did not make it possible, at the time of the findings, to guarantee the security and confidentiality of the personal data of user account holders, which disregards Article 32 of the GDPR.

72. Consequently, the restricted panel considers that the aforementioned facts, not contested by the company, constitute breaches of the obligations of Article 32 of the GDPR. It notes that since the controls, the company has partially remedied the shortcomings observed by implementing a password policy with an adequate level of security and by encrypting all passwords.
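The password rules the panel cites from deliberation 2017-012 (paragraphs 58 and 59) and the storage requirements it cites from ANSSI and the CNIL (paragraphs 68 and 69), as one added worked example that is not code from the decision or from the company: a policy check offering both options, salted slow hashing with PBKDF2 (the function ANSSI names; used here from the Python standard library in place of the Bcrypt the company adopted), the ten-attempt lock-out, and the keyspace of the three private characters of the confidential reference. The iteration count and the sample passwords are constructed assumptions.

```python
# Added example (not part of the CNIL decision or of the company's systems):
# password policy per CNIL deliberation 2017-012, salted slow hashing (ANSSI),
# ten-attempt lock-out, and the keyspace of the three-character secret.
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

MAX_FAILURES = 10            # "maximum ten" unsuccessful attempts before blocking
PBKDF2_ITERATIONS = 260_000  # assumed work factor; makes the hash slow to compute


def character_categories(password: str) -> int:
    """Count how many of the four categories (lower, upper, digit, special) appear."""
    lower = any(c in string.ascii_lowercase for c in password)
    upper = any(c in string.ascii_uppercase for c in password)
    digit = any(c in string.digits for c in password)
    special = any(c not in string.ascii_letters + string.digits for c in password)
    return sum((lower, upper, digit, special))


def password_meets_policy(password: str, lockout_enabled: bool) -> bool:
    """Option 1 (para. 58): at least 12 characters drawn from all four categories.
    Option 2 (para. 59): at least 8 characters from three categories, acceptable only
    together with a complementary measure, here the account lock-out."""
    categories = character_categories(password)
    if len(password) >= 12 and categories == 4:
        return True
    return len(password) >= 8 and categories >= 3 and lockout_enabled


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; a random per-password salt defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


class Account:
    """Stores only salt and digest, never the plain-text password, and locks after
    MAX_FAILURES consecutive failures, as the company later implemented."""

    def __init__(self, password: str):
        if not password_meets_policy(password, lockout_enabled=True):
            raise ValueError("password does not meet the policy")
        self.salt, self.digest = hash_password(password)
        self.failures = 0
        self.locked = False

    def login(self, attempt: str) -> bool:
        if self.locked:
            return False
        if verify_password(attempt, self.salt, self.digest):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False


def secret_keyspace(alphabet_size: int, secret_length: int) -> int:
    """Number of distinct values the secret part can take. The confidential reference
    had only three private alphanumeric characters (36**3 = 46,656 if case-insensitive),
    which is why the panel found it lacked sufficient complexity."""
    return alphabet_size ** secret_length
```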

2. On the conservation of data in an active database

73. The rapporteur notes that during the inspections, the delegation was informed that all data relating to inactive customers was kept for ten years, and that relating to inactive user accounts for five years, in the active database without any intermediate archiving.

74. In defense, the company contests the existence of the breach. First, it argues that this conservation in an active database of the data of customers and users who have become inactive is justified by the purpose of combating fraud, which requires daily checks. Then, it specifies that only people with an interest in processing data due to their functions can access personal data, namely customer service advisors, employees of IT departments and members of management. In this regard, it adds that these employees are subject to a confidentiality clause and a confidentiality commitment and that each of them has a personal password.

75. The restricted panel recalls that to ensure data security, it is necessary for data to be sorted when it is no longer necessary for the purpose for which it was collected. Such data must therefore be deleted or be subject to intermediate archiving, consisting in particular of physical or logical separation.

76. In the present case, the restricted panel notes that it appears from the explanations provided by the company that, while the purpose of combating fraud can justify the retention of data, the terms of conservation of data in the active database as defined by the company do not ensure data security. On the one hand, the restricted panel highlights the large number of categories of employees having access to the database, to the extent that customer service advisors, employees of the IT departments and members of management are all authorized to access it. On the other hand, it notes that no sorting was carried out among the data retained, whereas it appears that the conservation of data such as the advertisement and the billing address is not necessary for the objective pursued in the fight against fraud. The company indeed confirmed during the session that the data used to identify fraudsters was the email address.

77. Consequently, the restricted panel considers that the breach has been established.

F. On the breach of the obligation to provide information and the right to object to commercial prospecting by email for similar products or services

78. Article L. 34-5 of the Postal and Electronic Communications Code (CPCE) provides that “Direct prospecting by means of an automated electronic communications system […], a fax machine or electronic mail using the contact details of a natural person […] who has not previously expressed their consent to receive direct marketing by this means is prohibited.

Direct marketing constitutes the sending of any message intended to promote, directly or indirectly, goods, services or the image of a person selling goods or providing services. For the purposes of this article, calls and messages intended to encourage the user or subscriber to call a premium rate number or send a premium rate text message also fall under direct prospecting.

However, direct prospecting by email is authorized if the recipient's contact details have been collected from him, in compliance with the provisions of Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms, on the occasion of a sale or provision of services, if the direct prospecting concerns similar products or services provided by the same natural or legal person, and if the recipient is offered, in an express and unambiguous manner, the possibility of objecting, free of charge (apart from costs linked to the transmission of the refusal) and in a simple manner, to the use of his contact details at the time they are collected and each time a prospecting email is addressed to him, in case he did not refuse such use from the outset.

79. These provisions transpose into French law the rules governing the use of automated call and communication systems without human intervention (automatic callers), fax machines or electronic mail sending systems for direct prospecting purposes, laid down by Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 on the processing of personal data and the protection of privacy in the electronic communications sector (known as the "ePrivacy" directive), as amended by Directive 2009/136/EC of November 25, 2009.

80. The rapporteur notes that when a user subscribes to an alert concerning real estate, he or she is likely to receive emails for similar goods or services from the company, without having been informed or having had the opportunity to object, when creating the alert.

81. In defense, the company contests the breach by asserting that the disputed emails do not constitute commercial prospecting since they do not aim to promote goods or services. In addition, it highlights the low volume of this type of messages and specifies that users have the possibility of unsubscribing via an unsubscribe link present in each new communication.

82. The restricted panel recalls that within the meaning of article L.34-5 of the CPCE, on the one hand, direct commercial prospecting is defined as "any message aimed at the direct or indirect promotion of goods, services or the image of a person selling goods or providing services". On the other hand, similar products and services, offered during a sale or provision of services, must be understood as promoting goods or services from the same natural or legal person, without the promotion necessarily having to lead to a financial transaction with the person.

83. The restricted panel considers that emails sent by the company to users, such as those containing information concerning an announcement or anonymous surveys on real estate news, stem directly from the subscription to the alert relating to real estate and are not intended to promote other goods or services offered by the company. Also, these emails do not constitute commercial prospecting within the meaning of article L.34-5 of the CPCE.

84. Under these conditions, the restricted panel considers that the breach of article L.34-5 of the CPCE is not constituted.

III. On corrective measures and their publicity

85. Under the terms of III of article 20 of the law of January 6, 1978 as amended:

"When the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Liberties may also, if necessary after having sent him the warning provided for in I of this article or, where applicable, in addition to a formal notice provided for in II, refer the matter to the restricted panel of the commission with a view to pronouncing, after adversarial procedure, one or more of the following measures: […] 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total global annual turnover of the previous financial year, whichever is higher. In the cases mentioned in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted panel takes into account, in determining the amount of the fine, the criteria specified in the same article 83."

86. Article 83 of the GDPR provides that “Each supervisory authority shall ensure that the administrative fines imposed […] are, in each case, effective, proportionate and dissuasive”, before specifying the elements to be taken into account for deciding whether to impose an administrative fine and for deciding the amount of this fine.

A. On the imposition of an administrative fine and its amount

1. On the imposition of an administrative fine

87. In defense, the company considers that the proposed administrative fine is disproportionate in relation to the alleged breaches and its conduct, since it implemented several corrective measures before the end of the investigation, in particular the modification of its confidentiality policy in order to deliver the required information, the use of subcontractors framed by a legal act containing all the information provided for, and the establishment of a password policy and password storage presenting an adequate level of security. In addition, it emphasizes having fully cooperated with the services of the CNIL. It adds that it did not derive any financial benefit from the alleged breaches. It argues that its turnover is stagnating and that the real estate sector, particularly competitive, is in crisis. Finally, it considers that the fine of 250,000 euros proposed by the rapporteur is equivalent to […]% of its 2023 turnover and is, therefore, excessive.

88. The restricted panel recalls that it must take into account, when issuing an administrative fine, the criteria specified in Article 83 of the GDPR, such as the nature, seriousness and duration of the violation, the scope or the purpose of the processing concerned, the number of data subjects affected, the measures taken by the controller to mitigate the damage suffered by the data subjects, the fact that the violation was committed through negligence, the degree of cooperation with the supervisory authority and, in some cases, the level of harm suffered by people.

89. The restricted panel first notes that the failings alleged against the company infringe fundamental principles provided for by the GDPR and concern many people.

90. With regard to the breach of the principle of limiting the retention period of personal data, the company was negligent, on the one hand, by not adequately defining a retention period for the personal data of customers having concluded a contract of less than 120 euros and, on the other hand, by not applying the retention period that it had defined for data relating to users on the day of the checks. The restricted panel notes that this breach concerns a significant number of people, the company counting 2,394,538 users whose last connection to their account was between five and ten years ago on the date of the checks.

91. Regarding the failure to comply with the obligation to inform the persons concerned and to provide transparency, the restricted panel notes that the company failed to fulfill the requirement to provide complete and transparent information to the persons concerned, which constitutes an essential prerequisite for any processing of personal data.

92. Concerning the failure to comply with the obligation to regulate by a formalized legal act the processing carried out on behalf of the data controller, the restricted panel notes that the company lacked rigor by not ensuring that it entered into a contractual document containing the information required in Article 28 of the GDPR, thus depriving the persons concerned of the full protection of their personal data.

93. With regard to the failure to comply with the obligation to ensure the security of personal data, the restricted panel highlights the number of failures observed to comply with basic security obligations, namely the use of an insufficiently robust password and confidential reference for customer or user accounts, the unencrypted transmission of the confidential reference, the unencrypted storage of passwords and confidential references, as well as the conservation of data in an active database. The restricted panel considers that the accumulation of these security flaws did not allow people to benefit from the full protection provided by the GDPR regarding the use of their data.

94. Finally, while taking into account that the company has implemented measures following notification of the sanction report, the restricted panel notes that these actions do not exempt the company from its liability for the breaches constituted for the past.

95. Consequently, the restricted panel considers that it is appropriate to impose an administrative fine for breaches of Articles 5-1-e), 13, 28 and 32 of the GDPR.

2. On the amount of the administrative fine

96. The restricted panel first notes that breaches of Articles 5-1-e) and 13 of the GDPR constitute breaches of key principles of the GDPR likely to be subject, under Article 83 of the GDPR, to an administrative fine of up to 20,000,000 euros or up to 4% of annual turnover, whichever is higher.

97. The restricted panel notes that the company achieved, in 2022, a turnover of approximately […] euros for a net result of […].

98. Therefore, with regard to the responsibility of the company, its financial capacities and the relevant criteria of article 83 of the Regulation, the restricted panel considers that an administrative fine of a total amount of one hundred thousand (100,000) euros for breaches of articles 5-1-e), 13, 28 and 32 of the GDPR appears justified.

B. On publicity

99. The restricted panel considers that the publicity of this decision is justified in view of the seriousness of the breaches in question and the number of people concerned. It also considers that publicizing the sanction will notably make it possible to inform all those affected by the breaches.

100. Finally, the measure is proportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.

FOR THESE REASONS

The restricted panel of the CNIL, after having deliberated, decides to:

• pronounce against the company DE PARTICULIER A PARTICULIER – EDITIONS NERESSIS an administrative fine in the amount of one hundred thousand (100,000) euros for breaches of articles 5-1-e), 13, 28 and 32 of Regulation (EU) 2016/679 of April 27, 2016 relating to data protection;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name at the end of a period of two years from its publication.

President

Alexandre LINDEN

This decision may be the subject of an appeal before the Council of State within two months of its notification.