De Particulier à Particulier - Editions Neressis – €100,000 Fine (France, 2024)
De Particulier à Particulier - Editions Neressis was fined €100,000 for not properly informing users about their data rights and for keeping data longer than necessary. This ruling matters because it emphasizes the importance of transparency and compliance with data protection laws. It serves as a reminder for companies to clearly communicate their data practices to users.
What happened
The French DPA fined De Particulier à Particulier for failing to inform users about their rights and for retaining data for too long.
Who was affected
Users of the company's services who were not adequately informed about their data rights were affected.
What the authority found
The authority found that the company did not provide necessary information about data retention and user rights in its privacy policy.
Why this matters
This case highlights the need for clear communication regarding data practices. Companies should ensure their privacy policies are transparent and comply with data protection regulations.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
Société Particulier à Particulier - Editions Neressis ("controller") provides individuals with a set of publications and services allowing them to conclude real estate transactions without intermediaries. The CNIL conducted an online investigation of their website, www.pap.fr, to verify the methods of informing people about their rights as data subjects, and whether the procedure for creating a user account was sufficiently secure and confidential. The on-site investigation focused on the verification of the retention periods applied to user account data, the legality of data processor agreements in place and the technical and organizational measures to ensure the security of the data collected through the website. During its investigations, the CNIL found that the controller defined a systematic retention period of ten years from the acceptance of an order on the website. The CNIL also discovered that the controller did not include the right to lodge a complaint with the DPA, the legal basis for each processing as well as the recipients and categories of recipients in their privacy policy. The CNIL initiated a sanctioning procedure against the controller on 6 February 2023. Firstly, regarding the retention periods, the CNIL considered that a retention period of ten years from the date of acceptance of the order was justified by its legal obligations resulting from French law, in particular [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000032226994/ Articles L.213-1], [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000032807208 D.213-1] and [https://www.legifrance.gouv.fr/codes/article_lc/LEGIARTI000032807210 D.213-2] Consumer Code, for contracts worth more than €120. Therefore, the CNIL considered that for contracts that were less than €120, the 10 year retention period was excessive and therefore breaches Article 5(1)(e) GDPR. Additionally, while the CNIL agreed that a 5 year retention period commencing from the date of last connection to
Violations (1)
Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.
Art. 6(1) GDPR
Related Enforcement Actions (0)
No other enforcement actions found for De Particulier à Particulier - Editions Neressis in FR
This is the only recorded action for this entity in this jurisdiction.
Similar Cases
Enforcement actions with similar violations
Details
Fine Date
31 January 2024
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€100,000
GDPRhub ID
gdprhub-7602About this data
Cite as: Cookie Fines. De Particulier à Particulier - Editions Neressis - France (2024). Retrieved from cookiefines.eu
Last updated: