France: CNIL fines Free €300,000 for data security and data subject rights failures
The French data protection authority ('CNIL') announced, on 8 December 2022, that it had issued, on 30 November 2022, its decision No. SAN-2022-022, in which it imposed a fine of €300,000 against Free SAS, an internet service provider, for violations of Articles 12, 15, 17, 32, and 33 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following audits conducted by CNIL.
Background to the case
In particular, CNIL noted that it had issued, on 28 December 2021, a decision against Free Mobile SAS, a subsidiary of Free, in which it imposed a fine of €300,000 for failures to respect data subject rights and to ensure the security of user data.
Findings of CNIL
During the course of its investigation, CNIL determined that Free had not sufficiently facilitated data subject rights, specifically the right of access and right to erasure, and that it had further failed to implement appropriate data security measures, considering that Free utilised insufficiently robust passwords and allowed the storage and transmission of plain text passwords.
Outcomes
Ultimately, CNIL imposed the aforementioned fine and ordered Free to comply with the provisions on facilitating right of access requests and to demonstrate the same to CNIL within three months from the date of notification of the decision, with an additional €500 penalty for each day beyond the same date.
You can read the press release here and the decision here, both only available in French.