CNIL imposes 100,000 euro fine on PAP for GDPR breaches

On January 31, 2024, the French data protection authority (CNIL) imposed a penalty of 100,000 euros on PAP, publisher of the pap.fr website, for several breaches of the General Data Protection Regulation (GDPR). The investigation was carried out by the CNIL in March and April 2022.

The CNIL found that PAP had violated the GDPR by retaining personal data for longer than necessary. This included data of customers who used the site's paid services (ad content, first and last names, telephone numbers, and email addresses), which was retained for 10 years without any valid justification. Similarly, data of users of the site's free services was also retained beyond the specified five-year period.

It was also found that PAP had failed to inform individuals adequately about the processing of their personal data. The company's privacy policy was incomplete and imprecise: it did not sufficiently explain the legal basis for data processing, did not specify the categories of processors involved, did not mention the right to lodge a complaint with the CNIL, and gave inaccurate information about data retention periods.

Another violation concerned PAP's obligation to ensure a legal framework for data processing carried out on its behalf by a processor. The contract between the company and the processor did not include all the information required under the GDPR.

PAP was also found to have inadequate security measures in place to protect personal data, in violation of the GDPR. The password complexity requirements for user accounts were too weak, and confidential credentials were transmitted in an inadequate manner. Additionally, storing user account passwords and confidential references in unencrypted form exposed the data to the risk of computer attacks and leaks.

The CNIL's decision was made in cooperation with the other relevant European supervisory authorities under the one-stop shop mechanism, as PAP's website has visitors from multiple EU member states and Norway. The penalty of 100,000 euros was determined on the basis of several factors, including the severity of the breaches, the company's cooperation during the investigation, and the measures it took to address some of the identified issues.

This decision serves as a reminder to companies operating websites accessible to individuals in the EU to comply with the strict data protection rules under the GDPR, and to take necessary steps to ensure the security and confidentiality of personal data.