easyGDPR

We make implementing General Data Protection Regulation Easy

by

Penalty against real estate law firm

The French data protection authority has ordered a real estate law firm to pay a fine of €400,000.

Incident

SERGIC is a real estate law firm with an annual turnover of approximately 43 million euros. Via its website it is possible to download documents on various buildings as well as manage existing leases, etc.

A private individual turned to the French data protection authority CNIL with a complaint. The latter had discovered that by simply changing the website URL, it was possible to access documents from other customers. Thus, all personal data on the website was unprotected. Among other things, the following data were affected:

  • Copies of IDs
  • Social security cards incl. Social security number
  • Tax assessment notices
  • Family assistance notices
  • Divorce documents
  • Bank account data

The authority launched an investigation and found that the company concerned had known about this fact for at least six months. Although a solution was being worked on, it was not finalized until a few days after the investigation was initiated.

In the course of the investigation, the authority also found that personal data is stored indefinitely. Prospective customers who never entered into a contract with the company were nevertheless permanently stored in the database.

Decision of the authority

Originally, a fine of € 900,000 was set, which the authority later reduced due to the company’s financial capabilities. In the justification, it was stated that basic safety measures were deliberately disregarded. After the company noticed the errors, fixing them was not prioritized.

Furthermore, the unlimited storage of interested parties was a violation of the GDPR. According to the recommendation, the data should be deleted/anonymized no later than three months after the sale/rental of the property. If this is not advisable for legal reasons (for example, to have evidence in case of a lawsuit), then the data must at least be moved to a separate database whose access is severely restricted.

Entscheidungsdatum:
28.05.2019

Land:
France

Art des Verstoßes:
technical deficiency

Betroffene Datensätze:
29440

Waren sensible Daten betroffen?:
No

verhängte Geldstrafe:
€ 400,000,-

Quelle:
Notice from the French data protection authority CNIL (French)

Category iconUncategorized