Presentation
“[I am] symbolically informing you that all the slackers who used to slack off under the old regime are going to have to whip themselves if they don’t want me to do it myself. [The GDPR] symbolizes the end of the line and the shirking of the lazybones, and above all, the advent of order and discipline. In other words, the fun and games are over.”
Attributed to King Léodagan in the Kaamelott series, this quote neatly sums up the CNIL’s position on the application of the GDPR, which has now been in force for over a year. Through its recent public sanctions, the CNIL appears to be sending a clear message: GDPR compliance is no longer subject to grace periods or leniency. This has been particularly true for certain professional sectors, singled out because of the highly sensitive data they hold.
These cases illustrate common shortcomings and errors in companies’ data protection practices, of the kind data protection officers regularly flag to management. More information on the recurring GDPR breaches sanctioned by the CNIL is available below.
SERGIC Group: CNIL sanction for lack of responsiveness
In May 2019, SERGIC was fined €400,000 for failing to adequately protect user data on its website and for implementing inappropriate data retention practices.
Like other companies also sanctioned by the CNIL (French Data Protection Authority) in recent years, the group’s website allowed any internet user, through a simple modification of the personal account URL, to access documents uploaded by other users, including identity documents, tax assessments, family allowance certificates, divorce decrees, bank statements, and bank account details.
During an audit in early September 2018, the CNIL discovered that the group had been aware of the vulnerability since March 2018. Its investigators found serious breaches of the GDPR and of other legal obligations by the SERGIC group – including the failure to implement a reliable authentication procedure, aggravated by the nature of the accessible documents and by the considerable six-month delay in fixing it, as well as the indefinite retention of the documents that had been uploaded.
In addition to the financial penalty, the public nature of the sanction is a second blow for the group, undoubtedly even more damaging to its image with its clients.
Active Assurances & GDPR: Sensitive data accessible
On July 18, 2019, the CNIL issued a publicly announced fine of €180,000 against the brokerage firm Active Assurances for “breaching customer data security.”
Active Assurances, which designs and distributes car insurance policies to individuals, offers customers a personal account on its website, www.activeassurances.fr. A slight modification to the URL allowed access to other customers’ accounts.
The CNIL, having reported the breach in June 2018, discovered that it was possible to access various documents, such as copies of driver’s licenses, vehicle registration documents, bank statements, and documents revealing whether a person had had their license suspended or committed a hit-and-run.
The measures Active Assurances proposed in response were themselves judged inadequate, for several reasons: passwords were imposed on customers and corresponded to their dates of birth, and usernames and passwords were sent in plain text by email, among other failings. This failure to secure personal data, combined with the sheer volume of data involved, led to the penalty being imposed and then made public.
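Both cases above turn on the same defect: a document or account identifier in the URL is trusted without checking that it belongs to the logged-in user, and, in the Active Assurances case, the password that protects the account is something trivially guessable (the date of birth). The following is an added illustration, not code from either company or from the CNIL’s findings, showing the vulnerable handler beside a hardened one and a password check that refuses the date-of-birth pattern. The document store, user ids and filenames are constructed for the example.

```python
"""Object-level authorization for per-user document downloads, plus a
password rule. Constructed example; the data and function names are
assumptions for illustration only."""
from datetime import date

# Constructed sample store: doc_id -> (owner_id, filename).
DOCUMENTS = {
    101: (1, "id_card_alice.pdf"),
    102: (1, "bank_statement_alice.pdf"),
    201: (2, "driving_licence_bob.pdf"),
}

# Denied cross-account lookups are recorded here; a burst of these from one
# session is the detection signal for id enumeration.
AUDIT_LOG = []


def vulnerable_get_document(session_user_id, doc_id):
    """Insecure: serves whatever id the URL carries. Any logged-in user who
    edits the id in the address bar reads another customer's file."""
    entry = DOCUMENTS.get(doc_id)
    if entry is None:
        return 404, None
    _owner, filename = entry
    return 200, filename


def secure_get_document(session_user_id, doc_id):
    """Hardened: the lookup is scoped to the caller's own records. A foreign
    id is answered exactly like a missing one, so a probe cannot tell
    'exists but not yours' from 'does not exist', and the attempt is logged."""
    entry = DOCUMENTS.get(doc_id)
    if entry is None:
        return 404, None
    owner_id, filename = entry
    if owner_id != session_user_id:
        AUDIT_LOG.append({"event": "idor_denied", "user": session_user_id,
                          "doc_id": doc_id})
        return 404, None
    return 200, filename


def password_is_acceptable(password, birth_date):
    """Reject the anti-pattern sanctioned in the Active Assurances case: a
    password that is, or embeds, the customer's date of birth in any of the
    common numeric layouts. Also enforces a minimum length."""
    if len(password) < 12:
        return False
    digits = "".join(ch for ch in password if ch.isdigit())
    dob_forms = {
        birth_date.strftime("%d%m%Y"),   # 14031985
        birth_date.strftime("%Y%m%d"),   # 19850314
        birth_date.strftime("%m%d%Y"),   # 03141985
        birth_date.strftime("%d%m%y"),   # 140385
    }
    return not any(form in digits for form in dob_forms)


if __name__ == "__main__":
    # User 2 asks for user 1's identity document.
    print(vulnerable_get_document(2, 101))   # (200, 'id_card_alice.pdf')
    print(secure_get_document(2, 101))       # (404, None)
    print(AUDIT_LOG)
    print(password_is_acceptable("14031985", date(1985, 3, 14)))
```

The ownership check belongs in the data-access layer, not only in the page that renders the link: every route that takes an id must apply it, because the original flaw in both cases was reachable simply by typing a different id. Returning 404 rather than 403 for a foreign id is a deliberate choice to avoid confirming which ids exist.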
Data protection: means of action and recourse against CNIL sanctions
Long overlooked or simply unknown, CNIL sanctions can be challenged through several appeal procedures, depending on the type of decision issued. Because the CNIL has the status of an independent administrative authority, appeals against its decisions are brought directly before the Council of State, which rules with full jurisdiction as the court of first and last instance. The rules for this appeal are strict: it must be filed within two months of the date on which the decision was notified or published.
More information on appeal procedures for CNIL sanctions