NS Cards France – €105,000 Fine (France, 2023)
NS Cards France was fined for collecting personal information without proper consent and keeping inactive accounts for too long. This matters because it shows the importance of respecting user privacy and data retention rules. Companies must ensure they have valid consent and regularly clean up their databases.
What happened
NS Cards France collected personal data and retained inactive accounts without proper consent.
Who was affected
Users who created accounts on NS Cards France's website.
What the authority found
The French data protection authority found that NS Cards France violated GDPR rules by not obtaining valid consent and retaining unnecessary data.
Why this matters
This case emphasizes that companies must have clear consent processes and regularly review their data retention practices to avoid fines.
GDPR Articles Cited
National Law Articles
In the context of its investigations, the French DPA (CNIL) undertook online and on-the-spot checks of the controller's website and premises. The controller, NS Cards France, is an electronic money distributor that facilitates online payments.
The CNIL found that when creating a user account on the controller's website, surname, first name, date of birth, postal address, email address, telephone number, and, if applicable, bank details were collected, as well as personal documents, such as proof of identity and residence. While the controller specified a retention period of ten years for this data from the last transaction carried out on the account, in fact, no deletion had been carried out in the databases since the beginning of the controller's activity in 2005. An estimated 70,049 accounts had been inactive for more than ten years. Additionally, 51,735 accounts were kept for no purpose, as they were "unconfirmed", i.e. the email address had not been confirmed when the account was created.
Furthermore, the information provided by the company on the website and its mobile application via the privacy policy was incomplete, not up to date and only in English.
The controller also allowed users to create account passwords of six characters, composed of only three categories of characters (uppercase, lowercase and numbers), and the CNIL found that no access restrictions in the event of authentication failure were implemented. 49,214 passwords were also stored in clear text in the company's database and associated with their email address and identifier.
Additionally, the rapporteur noted that thirteen cookies were deposited before any action, including consent, could be taken by the user upon arrival on the home page of the website. The Google reCaptcha module, used to block robots on the registration and connection page of the website and mobile application, was also used without asking for user consent.
On 10 May 2023, under Article 56 GDPR, the CNIL informed all E
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for NS Cards France in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
29 December 2023
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€105,000
GDPRhub ID
gdprhub-7510
About this data
Cite as: Cookie Fines. NS Cards France - France (2023). Retrieved from cookiefines.eu