France France

FREE SAS

300,000 €

GDPR enforcement action by French Data Protection Authority (CNIL) on 2022-12-08.

Rank · Sector
#71
of 369 in Media, Telecoms and Broadcasting
Rank · France
#39
of 74
Rank · All fines
#299
of 3,050

Case details

Authority
French Data Protection Authority (CNIL)
Date
2022-12-08
Controller / Processor
FREE SAS
Sector
Media, Telecoms and Broadcasting
Quoted Articles
Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 32 GDPR, Art. 33 GDPR
Type of violation
Insufficient fulfilment of data subjects rights

Summary

The French DPA has imposed a fine of EUR 300,000 on FREE SAS.

The DPA had received several complaints from individuals experiencing difficulties in exercising their rights to access and delete their personal data at FREE.

During its investigation, the DPA found that the company did not process the requests for access and deletion of personal data in a timely manner.

The DPA also found that the company failed to ensure the security of personal data. For example, the company allowed users to use insecure passwords and user passwords were stored unencrypted in the company's databases.

Finally, the DPA found that the company had not adequately documented a data breach.

Open original source Links to the regulator's original publication or another source.

Related fines

France
France
2025-09-01
200,000,000 €
ETid-2862
GOOGLE LLC
Media, Telecoms and Broadcasting
France
France
2025-09-01
150,000,000 €
ETid-2864
INFINITE STYLES SERVICES CO. LIMITED
Industry and Commerce
France
France
2025-09-01
125,000,000 €
ETid-2863
GOOGLE IRELAND LIMITED
Media, Telecoms and Broadcasting
France
France
2021-12-31
90,000,000 €
ETid-978
Google LLC
Media, Telecoms and Broadcasting
France
France
2021-12-31
60,000,000 €
ETid-979
Google Ireland Ltd.
Media, Telecoms and Broadcasting
France
France
2021-12-31
60,000,000 €
ETid-980
Facebook Ireland Ltd.
Media, Telecoms and Broadcasting
Back to all fines