SERGIC (Real Estate) – €400,000 Fine (France, 2019)

€400,000Commission Nationale de l'Informatique et des Libertés28 May 2019France
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

SERGIC, a real estate firm, was fined for not securing sensitive customer data and storing it too long. This highlights the need for companies to implement strong security measures and manage data retention properly.

What happened

SERGIC failed to secure sensitive documents online and stored them longer than necessary.

Who was affected

Individuals who submitted sensitive documents to SERGIC for rental applications.

What the authority found

The CNIL fined SERGIC for inadequate security measures and excessive data retention, violating GDPR.

Why this matters

This case stresses the importance of securing personal data and adhering to data retention limits. Businesses must ensure they have effective security protocols and data management practices in place.

GDPR Articles Cited

AI-verified

Art. 5(1)(e) GDPR
View original scraped data
Art. 5(1)(e) GDPR

Original data from scraper before AI verification against source document.

Source verified 6 March 2026
verified correct
France enforcementCommission Nationale de l'Informatique et des Libertés actionsAll SERGIC (Real Estate) actions
Full Legal Summary
Detailed

The CNIL based the penalty on two grounds: Lack of basic security measures and excessive data storage. As to the first, sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments, account statements) were accessible online without any authentication procedure in place. Although the vulnerability was known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account i.a. the seriousness of the breach (lack of due care in addressing vulnerability and the fact that the documents revealed very intimate aspects of users' lives), the size of the company and its financial standing.

Related Enforcement Actions (0)

No other enforcement actions found for SERGIC (Real Estate) in FR

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

28 May 2019

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€400,000

Enforcement Tracker ID

ETid-24

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. SERGIC (Real Estate) - France (2019). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: