CNIL, the French data privacy regulator, issued a 400,000 euro ($448,358) fine against a company for GDPR violations stemming from sensitive information collected on its website. While investigating a complaint, the CNIL discovered that the online real estate company Sergic allowed customer information to be freely accessed online and kept that information longer than needed. By editing the text of a certain URL, a Sergic user could retrieve sensitive files that another home rental candidate had uploaded to the website. This security defect left a trove of nearly 300,000 tax and identity documents accessible to anyone who thought to change the text of that URL. The CNIL said that this website design flaw affected the confidentiality of data in violation of Article 32(1)(ii) of GDPR.
Alyssa Sones
Alyssa M. Sones is an associate in the Business Trial Practice Group in the firm's Century City office.