The French data protection authority (‘CNIL’) announced, on 6 June 2019, that it had fined SERGIC SAS, a real estate company, €400,000 for data security and data retention failures under the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) after its investigation into SERGIC’s data processing practices. In particular, CNIL found that a security defect on SERGIC’s website allowed unauthorised third parties to access the personal data of rental candidates in violation of Article 32(1) of the GDPR as there was no prior authentication procedure in place to ensure the security of the data. CNIL noted that the fine was reduced from the €900,000 penalty initially recommended by the rapporteur.
Stéphanie Faber, Of Counsel and Head of Data Protection & Cybersecurity at Squire Patton Boggs, told DataGuidance by OneTrust, “This is the second public financial sanction by CNIL for a breach of the GDPR. The main issue was lack of adequate security. […] [Regarding the calculation of the fine, CNIL] took into consideration the sensitivity of the data that had not been properly secured, including, among other things, copies of IDs, social security numbers and tax returns, the fact that the organisation only started remedying the security fault six months after having become aware of it (and after an online investigation by CNIL), and the fact that it did not have an adequate data archiving and destruction policy. [CNIL], however, also took into account the relatively small size and financial strength of the company. As a result, the fine is relatively high for this type of organisation, but does not reach the maximum provided by GDPR, not even in terms of percentage of their annual turnover.”
CNIL discovered, as part of its investigation, that SERGIC had stored the documents of unsuccessful rental candidates for longer than necessary to achieve the purpose for which the data was collected and processed, in breach of the storage limitation obligation under Article 5(1)(e) of the GDPR. SERGIC argued that it had retained the data of unsuccessful housing applicants in order to defend against claims of discrimination, which could be brought up to six years after the rejection of an application. CNIL rejected this argument and found that such information should instead be placed in an ‘intermediate archive’, kept separate from the rest of the data processed.
Claire François, Counsel at Hunton Andrews Kurth LLP, told DataGuidance by OneTrust, “The decision confirms that there is no leniency towards companies which do not have basic security measures in place, such as a prior authentication procedure. The CNIL noted that the data breach could have been avoided if SERGIC had implemented such a procedure. […] Companies can remain compliant with Article 5(1)(e) of the GDPR by keeping personal data in an active database for no longer than necessary for the purposes for which the data are processed. In accordance with Article 17 of the GDPR, the data must be erased after this period, unless one of the exceptions provided for in Article 17(3) of the GDPR applies. […] In that case, in CNIL’s view, the data must be archived on a ‘distinct support’, access to which is limited to those who still need to process the data by virtue of their role, such as the legal department. Alternatively, if the archived data are still kept in the active database, the data must be segregated from other data through a logical isolation, such as management of access rights and authorisations, to ensure that such data are inaccessible to the persons who no longer need to process them. […] When establishing their data retention policy, companies should also define archiving periods.”
RHIANNON GIBBS-HARRIS Junior Privacy Analyst