Penalty against real estate law firm
The French data protection authority has ordered a real estate law firm to pay a fine of €400,000.
Incident
SERGIC is a real estate law firm with an annual turnover of approximately 43 million euros. Via its website it is possible to download documents on various buildings as well as manage existing leases, etc.
A private individual turned to the French data protection authority CNIL with a complaint. The latter had discovered that by simply changing the website URL, it was possible to access documents from other customers. Thus, all personal data on the website was unprotected. Among other things, the following data were affected:
- Copies of IDs
- Social security cards incl. Social security number
- Tax assessment notices
- Family assistance notices
- Divorce documents
- Bank account data
The authority launched an investigation and found that the company concerned had known about this fact for at least six months. Although a solution was being worked on, it was not finalized until a few days after the investigation was initiated.
In the course of the investigation, the authority also found that personal data is stored indefinitely. Prospective customers who never entered into a contract with the company were nevertheless permanently stored in the database.
Decision of the authority
Originally, a fine of € 900,000 was set, which the authority later reduced due to the company’s financial capabilities. In the justification, it was stated that basic safety measures were deliberately disregarded. After the company noticed the errors, fixing them was not prioritized.
Furthermore, the unlimited storage of interested parties was a violation of the GDPR. According to the recommendation, the data should be deleted/anonymized no later than three months after the sale/rental of the property. If this is not advisable for legal reasons (for example, to have evidence in case of a lawsuit), then the data must at least be moved to a separate database whose access is severely restricted.
Entscheidungsdatum:
28.05.2019
Land:
France
Art des Verstoßes:
technical deficiency
Betroffene Datensätze:
29440
Waren sensible Daten betroffen?:
No
verhängte Geldstrafe:
€ 400,000,-
Violation of GDPR Paragraph:
32. Security of processing
5. Principles relating to personal data processing
Quelle:
Notice from the French data protection authority CNIL (French)