Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

France: CNIL fines NS Cards France €105,000 for data retention and cookie collection failures

On January 11, 2024, the French data protection authority (CNIL) published Decision No. SAN-2023—23, as issued on December 29, 2023, in which it imposed a fine of €105,000 on NS Cards France SAS for violation of the General Data Protection Regulation (GDPR) and Act No.78-17 of January 6, 1978, on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) (the Act), following an investigation.

Background to the decision

CNIL highlighted that NS Cards France, which allows users to make online payments, required users to create a user account to make online payments or receive winnings through coupons. When creating a user account, CNIL noted that personal information including name, date of birth, email address, phone number, email address, and bank details were collected, alongside personal identity documents.

Findings of CNIL

Following its investigation, CNIL found that the personal information provided was kept for 10 years from the date of the last transaction carried out on the account. Further, CNIL noted that no purge of NS Cards France database was carried out since the start of its activity in 2005, with 51,735 accounts retained without any purpose and no email provided to confirm the account. Accordingly, CNIL determined that NS Cards France violated Article 5(1)(e) of the GDPR, for keeping personal information in a form that allowed for the identification of the persons concerned for a period exceeding that necessary for the purposes they were processed.

CNIL also found that the information provided by NS Cards France in its confidentiality policy was incomplete, out of date following its last update in 2018, and only provided in English. Therefore, CNIL considered NS Cards France in violation of Articles 12 and 13 of the GDPR for the failure to provide data subjects with the information required under Article 13 of the GDPR, in a concise, transparent, understandable, and easily accessible manner.

In addition, CNIL outlined that NS Cards France maintained poor password security by allowing the use of six-character passwords made only of lower and upper case characters and with no access restriction in case of failure of authentication. Further, NS Cards France maintained 49,214 passwords in plaintext with their associated email address as an identifier also visible. Other passwords which were not kept in clear text, were stored in a format that was deemed obsolete. Consequently, CNIL determined that the password policy of NS Cards France was not sufficiently robust to guarantee the security of data processed, in violation of Article 32 of the GDPR.

Finally, CNIL outlined that the NS Cards France website deposited 13 cookies on user devices before any action was taken by the user on their arrival to the website www.neosurf.com including audience measurement cookies from Google Analytics, which should be subject to prior user consent. As a result, CNIL determined that NS Cards France had violated Article 82 of the Act, for the deposition of cookies on user devices without obtaining prior informed consent.

Outcomes

In light of the above violations, CNIL imposed a fine of €105,000 on NS Cards France.

You can read the press release here, and the decision here, both only available in French. You can also access the European Data Protection Board summary here

Feedback