Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

France: CNIL fines SlimPay €130,000 following data breach

The French data protection authority ('CNIL') published, on 30 December 2021, its decision No. 2021-020, as issued on 28 December 2021, to fine SlimPay SA €130,000 for violations of Articles 28(3), 32 and 34 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a data breach. 

Background to the decision

CNIL outlined that SlimPay, a payment institution which notably offers recurring payment solutions to its customers, had, in 2015, carried out an internal research project, during which it used the personal data contained in its databases. CNIL further outlined that when the research project ended in July 2016, the data remained stored on a server, which was not subject to appropriate security measures and which was freely accessible on the internet. According to CNIL, it was not until February 2020 that SlimPay became aware of the data breach, which affected approximately 12 million people.

Findings of CNIL

In particular, CNIL identified that SlimPay had failed to implement security measures to protect the personal data which was accessible online from November 2015 and February 2020 and which included civil status data (title, last name, first name), postal and electronic addresses, telephone numbers, and banking information (BIC / IBAN) of more than 12 million people, thus violating Article 32 of the GDPR. CNIL further outlined that SlimPay's argument that none of the affected data was used fraudulently was no defence to the finding of an Article 32 violation.

In addition, CNIL found that some of the contracts concluded by the company SlimPay with its service providers do not contain all the required clauses to ensure that such subcontractors undertake to process personal data in accordance with the GDPR and indeed that some of the contracts do not even contain any of the required clauses, in violation of Article 28(3) of the GDPR.

Lastly, CNIL highlighted that given the nature of the personal data (including in particular banking information), the volume of persons concerned (more than 12 million), the possibility of identifying the persons affected by the violation from the data accessible, and the possible consequences for the persons concerned (risks of phishing or identity theft), the risk associated with the breach should be considered high and, as such, SlimPay should therefore have informed all affected data subjects, which it had failed to do, in violation of Article 34 of the GDPR.


In view of the above, CNIL decided to impose a fine against SlimPay in the aforementioned amount, and, considering the seriousness of the breaches committed, their persistence, and the number of affected data subjects, also decided to publish its decision. 

You can read the press release here and the decision here, both only available in French.