Free – €300,000 Fine (France, 2022)

Between October 2018 and November 2019, the DPA received 41 complaints regarding FREE, a French communications provider (controller), after which the DPA started an investigation based on 10 of these complaints. Some of these complaints concerned access requests for information regarding the data broker from which the controller got personal data. The controller did not respond to these requests in time or provided incomplete answers. According to the controller, the requests were not answered in time due to human error. However, specifically with regard to information regarding the source of the data, the controller stated that it was not obliged to reveal information that was deemed a 'business secret' according to recital 63 and Article 15(4) GDPR (in this case, the identity of the data broker who supplied the data). The controller also stated that it had recently changed its internal procedure, and now asked its data brokers to also provide the identity of the primary source of the data collection, which the controller could then provide to the data subjects. The data subjects also requested the deletion of their e-mail accounts. However, the DPA confirmed that data subject’s personal data was still present in the controller’s database after they had submitted their erasure requests. Also, these e-mail accounts still had the status of ‘active’ and data subjects were still able to access their e-mails. On 8 February 2019, the controller also notified the DPA of a personal data breach. The controller had distributed 4.137 refurbished hardware boxes, called FREE-boxes, to new subscribers. The main use of this FREE-box was to store television programmes, but could also be used to store personal photos and personal video’s. The DPA found that these boxes still contained the personal data of subscribers who had used this hardware previously. The controller did not wipe the data from the device. The controller had accidentally deleted a procedure from its security mea