SERGIC SAS – €400,000 Fine (France, 2019)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The French real estate company SERGIC was fined for failing to protect customer data and keeping it longer than necessary. This case shows how important it is for companies to secure personal data and not store it indefinitely.
What happened
SERGIC's website allowed access to customer data without proper security, and the company retained data longer than needed.
Who was affected
Rental applicants whose personal documents were accessible online without security measures.
What the authority found
The CNIL fined SERGIC for not securing personal data and for violating GDPR's storage limitation rule.
Why this matters
This ruling emphasizes the need for robust security measures and proper data retention policies. Companies should ensure data is both protected and deleted when no longer needed, to comply with GDPR.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
A customer of a real estate company noticed that the service the company used to collect application files for a lease was unprotected. By modifying one or several characters in the URL of their own personal documents, the customer was able to access the personal data of other customers. After notifying the company in March 2018, the customer filed a complaint with the CNIL in August 2018. The DPA launched an investigation in September 2018.

Does making personal data publicly available on the web through an unprotected URL constitute a breach of data confidentiality? Does retaining the personal data of an applicant for a rental lease after the lease has been awarded violate Article 5(1)(e) GDPR on storage limitation?

During the investigation, the investigating delegation was able to download 9,446 documents containing customers' personal data using a script. They also found that the company's entire database was accessible by default and that there was no technical or operational procedure for deleting customers' personal data. The DPA held that the access made possible to personal data was proof of a faulty website design, due to the absence of the authentication required to access the data. According to the DPA, this constitutes one of the most common vulnerabilities and has been sanctioned several times as a violation of Article 32 GDPR. Furthermore, during the investigation the company admitted that it had not set up a way to delete applicants' personal data. Even though this point was not raised by the plaintiff, the DPA decided to take it into account and held that retaining candidates' files after the lease has been awarded violates the storage limitation principle of Article 5(1)(e) GDPR, as the purpose of the processing had been achieved by awarding the lease to one of the candidates. The DPA sanctioned the company with a €400,000 fine. It decided to make the sanction public due to the seriousness of the breach, which involved particularly precise
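The two failures the CNIL sanctioned, as an added illustration that is neither SERGIC's code nor part of the original page: a handler that serves an application file by its URL id alone, beside one that requires a session and checks ownership (Article 32), plus a retention purge that deletes applicant files once their lease has been awarded (Article 5(1)(e)). All class names, ids and records are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class ApplicationFile:
    owner: str      # applicant account that uploaded the document
    lease_id: str   # the rental the application was submitted for
    content: bytes

@dataclass
class LeaseDocumentStore:
    docs: dict = field(default_factory=dict)   # doc_id -> ApplicationFile
    awarded: set = field(default_factory=set)  # leases already awarded

    def fetch_unprotected(self, doc_id):
        # The sanctioned pattern: the id in the URL alone selects the file,
        # so a visitor who edits a character in their link gets another's.
        return self.docs[doc_id].content

    def fetch(self, session_user, doc_id):
        # Hardened (Art. 32): require an authenticated session and release
        # the file only to the applicant who uploaded it.
        if session_user is None:
            raise PermissionError("authentication required")
        doc = self.docs.get(doc_id)
        if doc is None or doc.owner != session_user:
            # one answer for unknown and foreign ids, so ids cannot be probed
            raise PermissionError("document not found")
        return doc.content

    def award_lease(self, lease_id):
        # Awarding the lease ends the purpose for which the files were held.
        self.awarded.add(lease_id)

    def purge_closed_applications(self):
        # Storage limitation (Art. 5(1)(e)): delete every applicant file
        # whose lease has been awarded; returns how many were removed.
        stale = [i for i, f in self.docs.items() if f.lease_id in self.awarded]
        for i in stale:
            del self.docs[i]
        return len(stale)

def build_demo_store():
    # Constructed sample data, not real records.
    store = LeaseDocumentStore()
    store.docs["1001"] = ApplicationFile("alice", "L1", b"alice payslip")
    store.docs["1002"] = ApplicationFile("bob", "L1", b"bob id card")
    store.docs["2001"] = ApplicationFile("carol", "L2", b"carol payslip")
    return store
```

Running `purge_closed_applications()` on a schedule after each award is the operational procedure the DPA found missing; the hardened `fetch` returns the same error for foreign and unknown ids so that edited URLs reveal nothing.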
Details
Fine Date: 28 May 2019
Authority: Commission Nationale de l'Informatique et des Libertés
Fine Amount: €400,000
GDPRhub ID: gdprhub-2813
Cite as: Cookie Fines. SERGIC SAS - France (2019). Retrieved from cookiefines.eu