Free – €300,000 Fine (France, 2022)

€300,000 | Commission Nationale de l'Informatique et des Libertés | 30 November 2022 | France
final
ePrivacy
Fine

France's data protection authority fined Free, a communications provider, EUR 300,000 for mishandling user data requests and failing to secure personal data on refurbished devices. This matters because it highlights the importance of responding to user data requests promptly and ensuring data is wiped from old devices to protect privacy.

What happened

Free mishandled user data requests and failed to secure personal data on refurbished devices.

Who was affected

Customers of Free who requested access to their data or had their data left on refurbished devices.

What the authority found

The authority found that Free did not comply with GDPR requirements for timely data access responses and failed to properly erase data from old devices.

Why this matters

This case emphasizes the need for companies to handle data requests efficiently and ensure data is securely erased from devices before reuse. It serves as a reminder for businesses to review their data management and security practices.

GDPR Articles Cited

AI-verified

Art. 15 GDPR
Art. 32 GDPR
Art. 33 GDPR
Art. 12(3) GDPR
Art. 17(1)(a) GDPR

Source verified 6 March 2026
verified correct
Full Legal Summary
Detailed

Between October 2018 and November 2019, the DPA received 41 complaints regarding FREE, a French communications provider (controller), after which the DPA started an investigation based on 10 of these complaints.

Some of these complaints concerned access requests for information regarding the data broker from which the controller got personal data. The controller did not respond to these requests in time or provided incomplete answers. According to the controller, the requests were not answered in time due to human error. However, specifically with regard to information regarding the source of the data, the controller stated that it was not obliged to reveal information that was deemed a 'business secret' according to recital 63 and Article 15(4) GDPR (in this case, the identity of the data broker who supplied the data). The controller also stated that it had recently changed its internal procedure, and now asked its data brokers to also provide the identity of the primary source of the data collection, which the controller could then provide to the data subjects.

The data subjects also requested the deletion of their e-mail accounts. However, the DPA confirmed that the data subjects' personal data was still present in the controller's database after they had submitted their erasure requests. Also, these e-mail accounts still had the status of ‘active’ and data subjects were still able to access their e-mails.

On 8 February 2019, the controller also notified the DPA of a personal data breach. The controller had distributed 4,137 refurbished hardware boxes, called FREE-boxes, to new subscribers. The main use of this FREE-box was to store television programmes, but it could also be used to store personal photos and personal videos. The DPA found that these boxes still contained the personal data of subscribers who had used this hardware previously. The controller did not wipe the data from the device. The controller had accidentally deleted a procedure from its security mea

Details

Fine Date

30 November 2022

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€300,000

GDPRhub ID

gdprhub-5522

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0

Cite as: Cookie Fines. Free - France (2022). Retrieved from cookiefines.eu
