SLIMPAY – €180,000 Fine (France, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
SLIMPAY, a payment service provider, was fined for improperly securing personal data that was exposed online for years. The company reused sensitive information for testing without adequate security measures, putting over 12 million people's data at risk. This case serves as a warning about the importance of data security.
What happened
SLIMPAY stored personal data on an unsecured server, making it accessible online for several years.
Who was affected
More than 12 million individuals whose personal information, including bank details, was compromised.
What the authority found
The French data protection authority found that SLIMPAY violated several GDPR provisions regarding data security and processing.
Why this matters
This case underscores the critical need for companies to implement strong security measures for personal data. It reminds businesses that neglecting data protection can lead to serious consequences, including significant fines.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
In 2015, SLIMPAY (a payment service provider) reused personal data contained in its databases for testing purposes, as part of a research project that ended in July 2016. The data used remained stored on a server without any particular security procedure and freely accessible from the Internet. SLIMPAY was warned of the issue by one of its clients (a legal person) in 2020. SLIMPAY then took measures to put an end to the data breach and notified it to the French Data Protection Authority (DPA), but decided not to notify the data subjects. Afterwards, the DPA decided to carry out an investigation of SLIMPAY's GDPR compliance. The DPA found that SLIMPAY breached several GDPR provisions.

The DPA noted that some of the contracts concluded by SLIMPAY with its service providers (subprocessors) did not contain all of the clauses that would ensure that these subcontractors undertake to process personal data in compliance with the GDPR, whereas some other contracts did not contain any of these clauses at all.

The DPA noted that the server in question was not subject to any appropriate security measures and was freely accessible by anyone between November 2015 and February 2020. Furthermore, the categories of data aggravated the case: civil status data (name, surname, first name), postal and e-mail addresses, telephone numbers and bank details (BIC/IBAN) of more than 12 million people were compromised. The DPA also held that the absence of proven harm to the data subjects has no bearing on the existence of the violation of Article 32 GDPR, contrary to what SLIMPAY claimed during the procedure.

The DPA considered that, given the nature of the personal data concerned by the breach, the number of data subjects affected (more than 12 million), the possibility of identifying them from the accessible data, and the risks of phishing or identity theft implied by the breach, the risk associated with
Related Enforcement Actions (0)
No other enforcement actions found for SLIMPAY in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
28 December 2021
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€180,000
Enforcement Tracker ID
ETid-971
GDPRhub ID
gdprhub-4517
Cite as: Cookie Fines. SLIMPAY - France (2021). Retrieved from cookiefines.eu