easyGDPR

We make implementing General Data Protection Regulation Easy

by

Penalty against real estate office

The French Data Protection Agency has ordered a real estate law firm to pay a fine of € 400,000.

Incident

The company SERGIC is a real estate firm with an annual turnover of approximately 43 million euros. Via its website it is possible to download documents for different buildings as well as to manage existing leases etc.

A private individual lodged a complaint with the French data protection authority CNIL. He had found that by simply changing the website URL access to documents from other customers is possible. Thus, all personal data on the website was unprotected. Among other things, the following data was affected:

  •     ID copies
  •     Social Security Cards incl. Social Security Number
  •     tax bills
  •     Notifications of family help
  •     divorce documents
  •     Bank account information

The Authority opened an investigation and found that the company had been aware of this fact for at least six months. Although a solution was worked on, this was completed only a few days after the initiation of the investigation.

In the course of the investigation, the authority also noted that personal data is stored indefinitely. Interested parties who have never entered into a contract with the company were nevertheless permanently stored in the database.

Decision of the authority

Originally, a fine of € 900,000 was set, which later reduced the authority due to the financial possibilities of the company. The justification stated that basic security measures were deliberately disregarded. After the company noticed the bugs, eliminating the bugs was not prioritized.

Furthermore, the unlimited storage of interested parties was a violation of the GDPR. According to the recommendation, the data should be deleted / anonymised no later than three months after the sale / rental of the property. If this is not recommended for legal reasons (for example, to have evidence in the case of a lawsuit), then the data must at least be moved to a separate database whose access is severely limited.

Source: Decision CNIL

Entscheidungsdatum:
28.05.2019

Land:
France

Art des Verstoßes:
technical deficiency

Betroffene Datensätze:
29440

Waren sensible Daten betroffen?:
No

verhängte Geldstrafe:
€ 400,000,-

Quelle:

Category iconUncategorized