First French GDPR fine levied

The first French GDPR fine has been brought against a real estate company, costing the company €400,000.

The fine relates to user data that anyone could reach on the company’s website simply by modifying the URL slightly, which exposed rental applicants’ documents including IDs, tax returns, bank account details, and more.

After receiving the complaint in August 2018, the CNIL discovered that the company had been aware of the issue since March but didn’t resolve it until September – and, crucially, had not reported it.

As reported by JDSUPRA:

The CNIL identified two violations of the GDPR:

  1. The company failed to fulfil its obligation to preserve the security of the personal data of its website users, in breach of Article 32 of the GDPR. The company had not put in place a procedure to authenticate users of its website to ensure that the persons accessing the documents were the ones who had uploaded them, a basic measure. This failure was aggravated, on the one hand, by the nature of the data made available and, on the other hand, by the company’s particular lack of diligence in correcting it: the security issue was only resolved six months later and no emergency measures were taken to limit the impact of the issue in the meantime.
  2. The company kept the documents uploaded by candidates for an unlimited period of time. The documents uploaded by candidates who were not selected for the accommodations they had applied for were kept for a duration that was longer than necessary for the purpose of the processing. The CNIL noted that once the purpose for processing is achieved (e.g., managing the candidacies), the data must be deleted – or at least archived if it needs to be kept for compliance with legal obligations or for dispute management purposes in compliance.

Read the full article here:

The key lessons to learn from this first French GDPR fine are, firstly, to always be aware of all the data you hold on users and to delete it when it is no longer needed, and secondly, to report potential data breaches to the relevant body and to implement emergency measures when a data protection issue is detected.
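As an added illustration (not code from the CNIL decision, the JDSUPRA article or the company involved), the Python sketch below shows the two controls the violations above point to: a document is returned only to the authenticated user who uploaded it, and documents of non-selected applicants are deleted once a retention period has passed. The `Document` fields, the function names and the 90-day period are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=90)  # assumed period; the page does not state one


@dataclass
class Document:
    doc_id: int
    owner_id: int          # applicant who uploaded the file
    uploaded_at: datetime
    selected: bool         # True if the applicant obtained the accommodation


class AccessDenied(Exception):
    """Raised for unauthenticated requests and for documents owned by others."""


def fetch_document(store, doc_id, session_user_id):
    """Return a document only to the authenticated user who uploaded it."""
    if session_user_id is None:
        raise AccessDenied("authentication required")
    doc = store.get(doc_id)
    # Same error for "missing" and "not yours", so changing the ID in the URL reveals nothing.
    if doc is None or doc.owner_id != session_user_id:
        raise AccessDenied("document not available")
    return doc


def purge_expired(store, now):
    """Delete documents of non-selected applicants older than RETENTION; return their IDs."""
    expired = [d.doc_id for d in store.values()
               if not d.selected and now - d.uploaded_at > RETENTION]
    for doc_id in expired:
        del store[doc_id]
    return sorted(expired)


# Constructed sample data, for illustration only.
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
STORE = {
    1001: Document(1001, owner_id=7, uploaded_at=NOW - timedelta(days=10), selected=False),
    1002: Document(1002, owner_id=8, uploaded_at=NOW - timedelta(days=200), selected=False),
    1003: Document(1003, owner_id=9, uploaded_at=NOW - timedelta(days=200), selected=True),
}
```

Documents of selected applicants are left in place here because they may need to be archived rather than deleted, as the CNIL noted.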

If you’re concerned about the data your own company holds, our Gap Analysis service involves identifying where all the data is to allow you to take measures to protect it. Get in contact with us today!

Google GDPR fine of £44m

France’s data regulator, CNIL, has fined Google £44 million (50 million euros) for a lack of transparency over collecting data to personalise ads for users. This is a record fine resulting from complaints brought by two privacy rights groups, noyb and La Quadrature du Net. So what else do we know about this Google GDPR fine?

  • The official reason given by CNIL for the fine was a “lack of transparency, inadequate information and lack of valid consent regarding ads personalisation”. In short, people were “not sufficiently informed” about how their data was being collected.
  • The key thing here is that Google was not obtaining clear consent for the gathering of this data. “The relevant information is accessible after several steps only,” stated CNIL. “Users are not able to fully understand the extent of the processing operations carried out by Google.”
  • In addition to this, Google did not have a valid legal basis for gathering this data. In effect, not only was the process by which they were collecting users’ data insufficiently clear, they were also unjustified in doing so.
  • The first complaint was filed as soon as GDPR came into effect on 25 May 2018. Google’s preparations for the new data protection laws were clearly insufficient as they were found to be in breach of them.
  • Google is now considering its next steps after the decision from CNIL. However, it’s likely that any actions taken now will be too late – measures should have been taken before GDPR came into effect, not after.

This Google GDPR fine ought to be a big wake-up call to corporations that handle user data. As we’ve reported, Facebook has suffered numerous data breaches both before and after GDPR was brought into force; what penalties it might suffer have yet to be seen.

For more information on the Google GDPR fine and its ramifications, see the full story by clicking here.

If you’d like to ensure that your business or organisation is GDPR compliant, contact Activa Consulting today. Our GDPR Gap Analysis will help you to prevent data breaches, and therefore avoid costly fines and penalties.