FREE SAS – €300,000 Fine (France, 2022)

€300,000
Commission Nationale de l'Informatique et des Libertés
8 December 2022
France
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

FREE SAS was fined €300,000 by the French DPA for not handling data access and deletion requests properly and for poor data security. The company delayed responding to user requests and stored passwords insecurely. This case highlights the importance of respecting user rights and securing personal data.

What happened

FREE SAS failed to process data access and deletion requests in a timely manner and stored passwords insecurely.

Who was affected

Customers of FREE SAS who requested access to or deletion of their personal data.

What the authority found

The French DPA found that FREE SAS did not adequately respond to user requests and failed to secure personal data, violating GDPR requirements.

Why this matters

This ruling stresses the importance of timely responses to user data requests and robust data security measures. Companies should ensure they have processes in place to handle user rights efficiently and protect personal data from breaches.

GDPR Articles Cited

AI-verified

Art. 12 GDPR
Art. 15 GDPR
Art. 17 GDPR
Art. 32 GDPR

Original data from scraper before AI verification against source document:

Art. 12 GDPR
Art. 15 GDPR
Art. 17 GDPR
Art. 32 GDPR
Art. 33 GDPR

Source verified 6 March 2026 (articles corrected)

Full Legal Summary

The French DPA has imposed a fine of EUR 300,000 on FREE SAS. The DPA had received several complaints from individuals experiencing difficulties in exercising their rights to access and delete their personal data at FREE. During its investigation, the DPA found that the company did not process the requests for access and deletion of personal data in a timely manner. The DPA also found that the company failed to ensure the security of personal data. For example, the company allowed users to use insecure passwords and user passwords were stored unencrypted in the company's databases. Finally, the DPA found that the company had not adequately documented a data breach.

Violations (1)

Cookies Placed Before Consent
critical

Non-essential cookies (tracking, advertising) are placed on the user's device before obtaining valid consent.

Art. 6(1) GDPR

Related Enforcement Actions (0)

No other enforcement actions found for FREE SAS in FR

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

8 December 2022

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€300,000

Enforcement Tracker ID

ETid-1527

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. FREE SAS - France (2022). Retrieved from cookiefines.eu
