French data protection authority CNIL on June 6 levied a €400,000 (U.S. $453,000) fine on Sergic, a French real estate services provider, for failing to adequately protect the data of users of its Website and for implementing inappropriate procedures for storing data in violation of the EU’s General Data Protection Regulation. 

Sergic operates a Website where users can create a file to apply for a rental and upload supporting documents. In August 2018, the CNIL received a complaint from a user of the site who was able to access, from his personal space on the Website, documents saved by other users by slightly modifying the URL displayed in the browser.

In September 2018, the CNIL conducted an online check, which found that documents sent by the applicants for rentals were freely accessible without prior authentication. These documents included copies of identity cards, vital cards, tax notices, certificates issued by the family allowance fund, divorce decrees, and account statements and bank account details, the CNIL said.

The CNIL said it alerted Sergic to the existence of this lack of security and subsequent violation of personal data. A few days later, the CNIL said it carried out an on-site inspection at Sergic and discovered the company had been aware of the issue since March 2018 but did not resolve it until September 2018.

GDPR violations

Based on these findings, the CNIL found two breaches of the GDPR. First, the CNIL found that Sergic failed in its obligation to preserve the security of the personal data of the users of its Website in violation of Article 32 of the GDPR.

The company had not put in place a procedure to authenticate users of its Website to ensure that the persons accessing the documents were the ones who had uploaded them, a basic measure. This failure was further aggravated by the nature of the data made available and by the company’s lack of diligence in correcting it. Specifically, the company did not resolve the security issue until six months later and did not take any emergency measures to limit the impact of the issue in the meantime, the CNIL said.

Secondly, Sergic kept all the documents that were uploaded by candidates for a duration that was longer than necessary for the purposes of the processing. The CNIL noted that, once the purpose for processing is achieved—for example, the management of the applications—the data must be deleted or, at least, archived in a separate database if it needs to be retained for compliance with legal obligations or for dispute management purposes. Here, again, the duration of this archiving must be limited to what is strictly necessary, the CNIL said.

In imposing the €400,000 fine on Sergic, the CNIL said it took into consideration the seriousness of the breach, the lack of diligence by the company in addressing this vulnerability, and the fact that the accessible documents revealed private aspects of the applicants’ lives. It also took into consideration the size of the company and its financial strength.