KG COM – €150,000 Fine (France, 2023)

The French DPA has imposed a fine of EUR 150,000 on the company KG COM. The company operates several websites and offers fortune-telling consultations to customers via chat or telephone. After the company suffered a data breach, the DPA conducted three investigations. During its investigation, the DPA found that the controller systematically recorded conversations with customers as well as potential customers without properly justifying why such extensive recording was necessary. In addition, the controller stored banking information of its customers for the purposes of conducting transactions and combating fraud, as well as to facilitate customers' purchase of further fortune-telling consultations. The DPA found that a legitimate interest of the controller could be affirmed for the storage of bank data for the purpose of fraud prevention, but not for the storage regarding further purchases. The DPA also found that the controller processed data on the health status as well as the sexual orientation of its customers without their explicit consent; implied consent through use of the consultations was not considered sufficient. In addition, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data. The controller did not, for example, provide sufficiently robust passwords for the user accounts, which exposed the data to the risk of computer attacks. Finally, the DPA found that the controller failed to report a data leak to the DPA.