Since the GDPR came into force, data protection and breaches of it have been a widely discussed topic. Today we would like to present a case that had already caused a stir before the GDPR: on June 7, 2018, Optical-Center, a French company, was fined € 250 000.
Optical-Center is a company that manufactures optical glasses for customers. In 2017, the French data protection authority CNIL (Commission Nationale de l’Informatique et des Libertés) was informed that the company’s website was not adequately secured. By simply changing the website address (URL), unauthorised persons were able to access customers’ personal data. This made it possible not only to retrieve names, addresses and telephone numbers, but also medical data provided by customers when ordering glasses (e.g. dioptres to ensure that the glasses are manufactured with the correct visual acuity).
The data protection authority notified the company of this serious breach of privacy. The company responded immediately by commissioning its service provider to close the gap.
Access to other customers' data records must be prevented by technical measures. The system should therefore have checked whether the user was authorized to view the requested data record at all, and denied access if not. Optical-Center's website lacked this verification. This is not a minor error but a fundamental architectural flaw in the software used; the data protection authority recognized it as such and imposed a fine of €250,000, the highest in its history. Nevertheless, the authority did not impose the maximum penalty available, which is three million euros. Although the fine was not imposed until June 7, 2018, the GDPR did not apply in this case: since the violation took place in 2017, the Data Protection Act in force at the time applied. The rules and penalties of the GDPR apply only to infringements from 25 May 2018.
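To make the missing check concrete, here is an added example (not Optical-Center's code, and with constructed sample records): an order-lookup handler that trusts the record id taken from the URL, beside one that enforces that the record belongs to the authenticated customer and logs denied cross-account requests so that URL enumeration can be detected.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: int       # owner of the record
    name: str
    address: str
    dioptres: str          # medical data supplied when ordering glasses

# Constructed sample records standing in for the customer database.
ORDERS = {
    1001: Order(1001, 7, "A. Dupont", "1 rue X, Paris", "R -1.75 / L -2.00"),
    1002: Order(1002, 9, "B. Martin", "5 av Y, Lyon", "R +0.50 / L +0.75"),
}

class Forbidden(Exception):
    """Raised when the authenticated customer does not own the requested record."""

def get_order_vulnerable(session_customer_id: int, order_id: int) -> Optional[Order]:
    """The flaw described above: the record is resolved from the id in the
    URL only, so changing the number returns another customer's data."""
    return ORDERS.get(order_id)

DENIED_LOG = []  # stands in for the application's security log

def get_order(session_customer_id: int, order_id: int) -> Optional[Order]:
    """Resolve the record, then enforce ownership before returning it."""
    order = ORDERS.get(order_id)
    if order is None:
        return None
    if order.customer_id != session_customer_id:
        # A burst of these from one session is the detection signal for
        # someone walking through consecutive ids in the URL.
        DENIED_LOG.append(f"customer={session_customer_id} denied order={order_id}")
        raise Forbidden(f"order {order_id}")
    return order

def attempt(session_customer_id: int, order_id: int) -> str:
    """Outcome of a hardened lookup as the HTTP layer would report it."""
    try:
        return "ok" if get_order(session_customer_id, order_id) else "not_found"
    except Forbidden:
        return "forbidden"
```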
The case shows that even before the GDPR, serious data protection violations could result in severe fines. The GDPR has further increased the range of penalties, and it can be assumed that the fines imposed will rise. Data protection and data security have moved into the spotlight with the GDPR, so any breach of data protection caused by inadequate protective measures will be subject to higher penalties in the future. Particular attention should be paid to Article 24 (Responsibility of the controller) and Article 83 (General conditions for imposing administrative fines) of the GDPR.