Punishment against Bouygues Telecom
The French data protection authority CNIL has been particularly active since the entry into force of the General Data Protection Regulation and has already imposed several substantial fines on national and international companies.
On December 27, the agency imposed a € 250,000 fine on Bouygues Telecom for violating French data protection law.
With approximately 7,000 employees and over 17 million customers, the company is the third largest telecommunications provider in France. In 2017, the turnover was more than 5 billion euros, the profit was estimated at 260 million euros.
Contracts and the related invoices can be viewed by customers through the company’s web portal. Bouygues Telecom found that by simply changing the web address (URL), visitors could access the contracts and bills of other customers. This constitutes a breach of privacy, which the company reported to the DPA. The authority had already been informed of the circumstance by a private individual four days earlier.
The customer portal itself had been developed properly, and the system prevented access to other customers' data. During the investigation, however, it was found that the website had been taken offline approximately two years earlier as part of a brand merger. During that work the security module was disabled, and it was not switched back on when the site was reactivated. The personal data of the customers were therefore unprotected for about two years.
Decision of the Data Protection Authority
The French DPA imposed a fine of € 250,000 after the investigation was completed, noting in particular that the company had failed to take other measures to detect such an error. Security tests carried out in the meantime did not bring the circumstance to light, since they were ineffective. Originally, the agency had planned a penalty of € 500,000, but this was finally reduced due to the good cooperation of Bouygues Telecom.
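The two failures described above, the portal serving any invoice whose identifier appears in the URL and the absence of a test that would have noticed the disabled security module, can be illustrated with a small model. The following is an added example and not Bouygues Telecom's code: the invoice data, the `Portal` class, its `enforce_ownership` flag (a hypothetical stand-in for the article's "security module") and the helper functions are all constructed for illustration. It shows the vulnerable lookup beside the hardened one, a regression check that fails whenever the ownership check is switched off, and an independent audit over a constructed access log that would surface cross-customer reads even while enforcement is off.

```python
from dataclasses import dataclass

# Constructed sample data (not from the case): two customers, one invoice each.
INVOICES = {
    "INV-1001": {"customer_id": "C-1", "amount_eur": 39.99},
    "INV-1002": {"customer_id": "C-2", "amount_eur": 24.50},
}


class Forbidden(Exception):
    """The authenticated customer does not own the requested invoice."""


def get_invoice_vulnerable(session_customer, invoice_id):
    # Vulnerable pattern: the lookup is keyed only by the identifier taken from
    # the URL, so any logged-in customer can read any invoice by changing it.
    # The session identity is accepted but never consulted.
    return INVOICES[invoice_id]


@dataclass
class Portal:
    # Hypothetical stand-in for the article's "security module": when the flag
    # is False the ownership check is skipped, as happened after the merger.
    enforce_ownership: bool = True

    def get_invoice(self, session_customer, invoice_id):
        # Hardened pattern: existence check first, then ownership check tied to
        # the authenticated session rather than to anything in the request.
        invoice = INVOICES.get(invoice_id)
        if invoice is None:
            raise KeyError(invoice_id)
        if self.enforce_ownership and invoice["customer_id"] != session_customer:
            raise Forbidden(f"{session_customer} may not read {invoice_id}")
        return invoice


def try_access(portal, session_customer, invoice_id):
    """Map the outcome of one request to a status string, for tests and audits."""
    try:
        portal.get_invoice(session_customer, invoice_id)
        return "ok"
    except Forbidden:
        return "forbidden"
    except KeyError:
        return "not_found"


def cross_customer_access_denied(portal):
    """Regression check to run on every deployment: a customer's own invoice is
    readable, another customer's invoice is refused. Returns False when the
    authorization layer has been left switched off."""
    return (try_access(portal, "C-1", "INV-1001") == "ok"
            and try_access(portal, "C-1", "INV-1002") == "forbidden")


def audit_mismatches(access_log):
    """Independent detective control: compare each served request against the
    invoice's owner and return the cross-customer reads. It does not depend on
    the enforcement layer, so it still works when that layer is off."""
    return [(customer, invoice_id)
            for customer, invoice_id in access_log
            if invoice_id in INVOICES
            and INVOICES[invoice_id]["customer_id"] != customer]


if __name__ == "__main__":
    for flag in (True, False):
        print(f"enforce_ownership={flag}: regression check passes ->",
              cross_customer_access_denied(Portal(enforce_ownership=flag)))
    # Constructed access log: (authenticated customer, invoice requested).
    log = [("C-1", "INV-1001"), ("C-1", "INV-1002"), ("C-2", "INV-1002")]
    print("cross-customer reads found by audit:", audit_mismatches(log))
```

The regression check is the piece the article says was missing: wired into a deployment pipeline, it turns a silently disabled security module into a failed release rather than a two-year exposure. The audit function is the complementary detective control, a periodic comparison of what was served against who owned it.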
It should be noted that the GDPR was not applied: the customers' data were unprotected until March 2018, but the General Data Protection Regulation did not come into force until May.
Type of issue:
Number of involved data records: 2 176 236
Special category of data involved:
Fine: 250 000 €