Presentation
When assessing companies’ obligations under the GDPR and data protection law, several recent decisions of the Council of State provide particularly useful clarifications on the remedies available to a company that has been sanctioned.
Optical Center: The rapid response of the data controller was taken into account
The events date back to May 2018 when Optical Center was fined €250,000 by the CNIL (French Data Protection Authority).
The CNIL penalized the company for inadequate data security for customers placing online orders through its website.
The issue was unrestricted access to more than 330,000 documents containing invoices, contact details, health data, and national identification numbers (NIR).
GDPR and CNIL: possible legal remedies
The decision was appealed to the Council of State, the company arguing in particular that no customer had suffered harm and that Optical Center had made no errors.
On April 17, 2019, the Council of State upheld the company’s conviction but reduced the fine, deeming it disproportionate given “the speed with which Optical Center implemented corrective measures to remedy the identified shortcomings.”
Based on Article 47 of the French Data Protection Act, the penalty was reduced to €200,000.
ADEF and GDPR: the simplicity of the corrective measures taken into account
On June 21, 2018, the Association for the Development of Hostels (ADEF) was fined €75,000, a fine that was made public, for serious breaches of security and confidentiality regarding the personal data of its website users.
The CNIL (French Data Protection Authority) found that “a modification of the URL path displayed in the browser allowed access to documents registered by other applicants: tax notices, passports, identity cards, residence permits, payslips, and CAF (French family allowance fund) payment certificates.”
An appeal was lodged on the grounds that the measures taken by ADEF had been disregarded, since the decision did not order the association to bring its processing into compliance; the sanction therefore appeared disproportionate and inappropriate.
On April 17, 2019, the Council of State upheld the CNIL’s decision and dismissed the appeal.
The administrative court validated the proportionality of the decision, considering that “given the nature and seriousness of the breach, which could have been prevented by simple security measures such as masking access paths to stored files or authenticating users of the processing system, the significant resources available to the association, and the timely implementation of corrective measures to remedy this breach, the CNIL’s restricted panel imposed a proportionate sanction on ADEF.”
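The weakness the CNIL describes (a URL path that maps directly to stored files and is served without checking who is asking) and the two remedies the Council of State names (masking access paths and authenticating users) are shown side by side below. This is an added Python example, not code from the original article or from ADEF’s system; the applicants, documents and function names are constructed for illustration.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed sample data: two applicants, each with one uploaded document.
# Paths are predictable and enumerable, the weakness described in the decision.
DOCUMENTS_BY_PATH: Dict[str, Tuple[str, bytes]] = {
    "/uploads/applicant/1/tax-notice.pdf": ("alice", b"ALICE TAX NOTICE"),
    "/uploads/applicant/2/passport.pdf": ("bob", b"BOB PASSPORT"),
}


def serve_insecure(url_path: str) -> Optional[bytes]:
    """Vulnerable pattern: whatever path the browser sends is looked up and
    returned, with no check of who is asking. Editing the applicant number in
    the URL therefore yields another applicant's file."""
    entry = DOCUMENTS_BY_PATH.get(url_path)
    return entry[1] if entry else None


@dataclass
class DocumentStore:
    """Hardened pattern: each document is keyed by an unguessable token (the
    'masked access path') and every read requires an authenticated session
    whose user owns the document. The ownership check is the real control;
    the random token only removes the ability to enumerate files."""
    _docs: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)

    def add(self, owner: str, content: bytes) -> str:
        token = secrets.token_urlsafe(32)  # 256 random bits, not guessable
        self._docs[token] = (owner, content)
        return token

    def serve(self, session_user: Optional[str], token: str) -> bytes:
        if session_user is None:
            raise PermissionError("authentication required")
        entry = self._docs.get(token)
        # Same error for 'unknown token' and 'not yours', so a caller cannot
        # learn from the response whether a token exists.
        if entry is None or entry[0] != session_user:
            raise PermissionError("document not found or not owned by caller")
        return entry[1]
```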