France
SLIMPAY
GDPR enforcement action by French Data Protection Authority (CNIL) on 2021-12-28.
Case details
- Authority
- French Data Protection Authority (CNIL)
- Date
- 2021-12-28
- Controller / Processor
- SLIMPAY
- Sector
- Finance, Insurance and Consulting
- Quoted Articles
- Art. 28 GDPR, Art. 32 GDPR, Art. 34 GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The French DPA (CNIL) has imposed a fine of EUR 180,000 on the payment institution SLIMPAY.
In 2015, SLIMPAY conducted an internal research project in which it processed personal data in its databases. When the research project ended in July 2016, the data remained stored on a server, without any security measures and freely accessible on the Internet. The data breach affected about 12 million people.
During its investigation, the CNIL found that the company had failed to implement appropriate technical and organizational measures to ensure a level of security commensurate with the risk to data subjects. Thus, the server access was not subject to any security measures, so that it was possible to access it via the Internet between November 2015 and February 2020
In addition, the DPA found that the company had failed to inform the data subjects about the data breach.
The CNIL also found that in several cases, contracts the company had concluded with processors were inadequately drafted, as they did not include certain envisaged clauses obliging the processors to process personal data in accordance with the requirements of the GDPR.
Related fines