Penalty against real estate office
The French data protection authority (CNIL) has ordered a real estate firm to pay a fine of €400,000.
SERGIC is a real estate firm with an annual turnover of approximately 43 million euros. Through its website, customers can download documents relating to different buildings and manage existing leases, among other things.
A private individual lodged a complaint with the CNIL. He had found that simply changing the URL on the website gave access to other customers' documents. In effect, all personal data held on the website was unprotected. Among other things, the following data was affected:
- ID copies
- Social security cards, including the social security number
- Tax bills
- Notifications of family help
- Divorce documents
- Bank account information
The authority opened an investigation and found that the company had been aware of the flaw for at least six months. Although a fix was being worked on, it was completed only a few days after the investigation was opened.
In the course of the investigation, the authority also noted that personal data was stored indefinitely: interested parties who had never entered into a contract with the company were nevertheless kept permanently in the database.
Decision of the authority
Originally a fine of €900,000 was proposed, which the authority later reduced in view of the company's financial capacity. The justification stated that basic security measures had been deliberately disregarded and that, once the company noticed the flaw, fixing it was not treated as a priority.
Furthermore, the indefinite storage of interested parties' data was a violation of the GDPR. According to the recommendation, the data should be deleted or anonymised no later than three months after the sale or rental of the property. If this is not advisable for legal reasons (for example, to preserve evidence in the event of a lawsuit), the data must at least be moved to a separate database with severely restricted access.
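The two failings described above, missing server-side authorisation on document downloads and indefinite retention of prospect data, as an added illustration in Python (not code from SERGIC or from the CNIL decision): a download handler that only checks login beside one that also checks ownership, and a retention rule applying the three-month recommendation with the restricted-archive fallback. Document ids, customer ids and dates are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional

# --- Part 1: document download with and without an ownership check ---
@dataclass
class Document:
    doc_id: int
    owner_id: int      # customer the document belongs to
    content: bytes

# Constructed sample store: two customers, three uploaded documents.
DOCUMENTS: Dict[int, Document] = {
    101: Document(101, owner_id=1, content=b"ID copy, customer 1"),
    102: Document(102, owner_id=1, content=b"tax bill, customer 1"),
    201: Document(201, owner_id=2, content=b"bank details, customer 2"),
}

def fetch_document_vulnerable(session_user_id: Optional[int], doc_id: int) -> bytes:
    """Checks only that someone is logged in, then serves whatever id the URL carries."""
    if session_user_id is None:
        raise PermissionError("login required")
    return DOCUMENTS[doc_id].content   # customer 1 can read document 201

def fetch_document_hardened(session_user_id: Optional[int], doc_id: int) -> bytes:
    """Authorises server-side: the requested document must belong to the session user."""
    if session_user_id is None:
        raise PermissionError("login required")
    doc = DOCUMENTS.get(doc_id)
    # Same response for "no such document" and "not yours", so valid ids cannot be
    # told apart from invalid ones by probing.
    if doc is None or doc.owner_id != session_user_id:
        raise PermissionError("document not found")
    return doc.content

# --- Part 2: retention rule for prospects who never signed a contract ---
RETENTION = timedelta(days=90)   # "no later than three months" after sale/rental

@dataclass
class Prospect:
    prospect_id: int
    property_closed_on: Optional[date]   # None: property still on the market
    legal_hold: bool = False             # e.g. evidence needed for a pending lawsuit

def retention_action(p: Prospect, today: date) -> str:
    """Returns 'keep', 'delete' or 'archive_restricted' for a prospect record."""
    if p.property_closed_on is None or today - p.property_closed_on <= RETENTION:
        return "keep"
    # Past the window: delete, unless a legal reason requires keeping the record,
    # in which case it goes to a separate, access-restricted store.
    return "archive_restricted" if p.legal_hold else "delete"
```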
Source: Decision CNIL
Violation of GDPR Article:
- Art. 32: Security of processing
- Art. 5: Principles relating to personal data processing