France France

SERGIC (Real Estate)

400,000 €

GDPR enforcement action by French Data Protection Authority (CNIL) on 2019-05-28.

Rank · Sector
#2
of 86 in Real Estate
Rank · France
#35
of 74
Rank · All fines
#266
of 3,051

Case details

Authority
French Data Protection Authority (CNIL)
Date
2019-05-28
Controller / Processor
SERGIC (Real Estate)
Sector
Real Estate
Quoted Articles
Art. 5 (1) e) GDPR
Type of violation
Insufficient technical and organisational measures to ensure information security

Summary

The CNIL based the penalty on two grounds: Lack of basic security measures and excessive data storage. As to the first, sensitive user documents uploaded by rental candidates (including ID cards, health cards, tax notices, certificates issued by the family allowance fund, divorce judgments, account statements) were accessible online without any authentication procedure in place. Although the vulnerability was known to the company since March 2018, it was not finally resolved until September 2018. In addition, the company stored the documentation provided by candidates for longer than necessary. The CNIL took into account i.a. the seriousness of the breach (lack of due care in addressing vulnerability and the fact that the documents revealed very intimate aspects of users' lives), the size of the company and its financial standing.

Open original source Links to the regulator's original publication or another source.

Related fines