France: GDPR breach in consulting office
The French company UNIONTRAD COMPANY, which has its headquarters in Paris, offers translations in the fields of law and finance. Several employees complained about a surveillance system that constantly monitored them. In addition to this, the employees had not received any information about the purpose of the monitoring equipment. For this reason, the French data protection authority CNIL investigated the complaints.
In two investigations in October 2013 and June 2016, the company was notified each time of gross violations of data protection laws and asked to change its behavior. Employees may no longer be filmed permanently and must be informed about the purpose of the recordings. When questioned by CNIL, UNIONTRAD COMPANY stated that the cameras were necessary for security.
When the complaints did not stop, the agency conducted an on-site investigation. Even more GDPR violations came to light: all employees shared a PC account and a mail account. As a result, everyone had access to all data, even though the company deals with legal matters, which could include personal data and which therefore require special protection. In addition, the permissible storage period of the data was exceeded.
After the implementation deadline had passed, the CNIL carried out a new inspection. However, the company had not satisfactorily implemented the required measures. As UNIONTRAD COMPANY is only a small company with nine employees and had generated a net loss of € 110,884 in 2017, the initially considered penalty of € 750,000 was reduced to € 20,000.
Conclusion
The implementation of the GDPR must not be taken lightly by any company. Recommendations or requirements of the data protection authority should be implemented, otherwise there will be severe fines. In this case, the French authority refrained from imposing a heavy fine only because of the company’s massive losses.
With easyGDPR, you as a company can ensure that your company complies with the requirements of the GDPR. The program queries your current data protection standard and gives you detailed implementation recommendations based on this information. At the same time, the corresponding documentation is created, so in the event of a possible control, you can easily present the mandatory documentation.
Decision date:
01.10.2018
Country:
France
Type of violation:
technical deficiency
Records affected:
unknown
Was sensitive data affected?:
Yes
Fine imposed:
€ 20,000,-
Violation of GDPR Paragraph:
18. Right to restriction of processing
21. Right to object
25. Data protection by design and by default
31. Cooperation with the supervisory authority
5. Principles relating to personal data processing
6. Lawfulness of processing
Source:
Decision of the French data protection authority (French)