CNIL fines French real estate company for violating the GDPR

7 June 2019

The French Data Protection Authority “Commission Nationale de l’Informatique et des Libertés” (CNIL) imposed a fine of 400,000 euros on the French real estate company “Sergic” for violating the GDPR.
Sergic specializes in real estate development, purchase, sale, rental and property management and operates the website www.sergic.com, which allows rental candidates to upload the documents required to prepare their application file.

In August 2018, a Sergic user contacted the CNIL reporting that, from his personal space on the website, he had unencrypted access to other users’ uploaded files simply by slightly changing the URL. On September 7, 2018, an online check confirmed that rental candidates’ uploaded documents were indeed freely accessible to others without prior authentication. Among the documents were copies of identity cards, health cards, tax notices and divorce judgements. The CNIL informed Sergic of this security incident and personal data breach on the same day. It then emerged that Sergic had been aware of the problem since March 2018 and, although it had started IT development work to correct it, the final fix was not deployed until September 17, 2018.

Based on its investigation, the responsible CNIL body found two violations of the GDPR. Firstly, Sergic had failed to fulfil its obligations under Art. 32 GDPR, which requires controllers to implement appropriate technical and organizational measures to ensure a level of security appropriate to the personal data processed. This includes, for example, a procedure ensuring that personal documents cannot be accessed without prior authentication of the user. The time the company took to correct the error also weighed against it.

Secondly, the CNIL found that Sergic kept all the documents submitted by candidates in an active database, even for candidates who had not obtained rental accommodation and for longer than the time needed to allocate housing. Under the GDPR, the controller must delete data without delay once they are no longer necessary for the purposes for which they were collected or otherwise processed and no other purpose justifies keeping them in an active database.
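The two failures the CNIL describes (documents served without authentication or ownership checks, and documents kept in the active database after the application was over) map directly onto two controls in a document-serving backend. The following is an added illustration, not Sergic’s code; the store, the candidates, the 90-day retention period and all identifiers are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

RETENTION = timedelta(days=90)  # constructed placeholder; the case states no figure


@dataclass
class Document:
    doc_id: str
    owner_id: str
    kind: str        # e.g. "identity_card", "tax_notice"
    uploaded: date


@dataclass
class Candidate:
    user_id: str
    file_closed: Optional[date] = None  # when the application ended; None = still open


class DocumentStore:
    def __init__(self) -> None:
        self.docs: Dict[str, Document] = {}
        self.candidates: Dict[str, Candidate] = {}

    # Weak pattern resembling the incident: whoever supplies a document id gets the file,
    # with no session and no ownership check, so ids can simply be altered in the URL.
    def fetch_unchecked(self, doc_id: str) -> Document:
        return self.docs[doc_id]

    # Hardened: require an authenticated session and verify the document belongs to it.
    def fetch(self, session_user: Optional[str], doc_id: str) -> Document:
        if session_user is None:
            raise PermissionError("authentication required")
        doc = self.docs.get(doc_id)
        if doc is None or doc.owner_id != session_user:
            raise PermissionError("not found")  # same answer for missing and foreign ids
        return doc

    def can_access(self, session_user: Optional[str], doc_id: str) -> bool:
        try:
            self.fetch(session_user, doc_id)
            return True
        except PermissionError:
            return False

    # Retention: delete every document of a candidate whose application closed more
    # than RETENTION ago, so closed files do not linger in the active database.
    def purge_expired(self, today: date) -> List[str]:
        removed = []
        for doc_id, doc in list(self.docs.items()):
            cand = self.candidates.get(doc.owner_id)
            if cand and cand.file_closed and today - cand.file_closed > RETENTION:
                del self.docs[doc_id]
                removed.append(doc_id)
        return removed


def demo_store() -> DocumentStore:
    """Constructed sample data: one closed application, one still open."""
    s = DocumentStore()
    s.candidates["alice"] = Candidate("alice", file_closed=date(2018, 3, 1))
    s.candidates["bob"] = Candidate("bob")
    s.docs["1001"] = Document("1001", "alice", "identity_card", date(2018, 2, 1))
    s.docs["1002"] = Document("1002", "bob", "tax_notice", date(2018, 8, 1))
    return s
```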

The CNIL imposed a fine of €400,000 and decided to make its sanction public, citing inter alia the seriousness of the breach, the company’s lack of due diligence and the fact that the documents revealed intimate aspects of people’s lives.

Category: Data breach · French DPA · GDPR