2019-005 of May 28, 2019 pronouncing a financial penalty against the company SERGIC

1. The company SERGIC (hereinafter the company) specializes in property development and in the purchase, sale, letting and management of real estate. It employs 486 people and achieved a turnover of approximately 43 million euros in 2017.

2. For the purposes of its activity, the company publishes the website www.sergic.com (hereinafter the website), which allows rental applicants to upload the supporting documents needed to compile their rental file.

3. On 12 August 2018, the Commission nationale de l'informatique et des libertés (hereinafter the CNIL or the Commission) received a complaint from a user of the site. The complainant indicated that changing the X character in a URL of the form https://www.crm.sergic.com/documents/upload/eresa/X.pdf, where X is an integer, had given him access not only to the supporting documents he had himself uploaded via the site but also to those uploaded by other rental applicants. In his complaint, the complainant provided several examples of URLs from which he had been able to access documents uploaded by third parties. He stated that he had informed the company of these facts as early as March 2018.

4. Pursuant to Decision No. 2018-186C of 5 September 2018 of the President of the Commission, an online inspection and an on-site inspection at the company's premises were carried out on 7 and 13 September 2018 respectively. The purpose of these inspections was to verify compliance with the law of 6 January 1978 as amended (hereinafter the Data Protection Act) and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the GDPR or the Regulation) of the processing of personal data accessible from the domain sergic.com or relating to personal data collected through it.

5. During the online inspection, the delegation noted that entering one of the URLs provided by the complainant made it possible to download a tax assessment issued in a name other than the complainant's. The delegation then downloaded 9,446 documents by means of a script, including copies of identity cards, Vitale (health insurance) cards, tax notices, death certificates, marriage certificates, certificates of affiliation to social security, certificates issued by the family allowance fund, invalidity pension certificates, divorce decrees, account statements, bank account details and rent receipts.

6. The company was informed by the delegation on 7 September of the existence of a security flaw on its site, and an e-mail describing the type of URLs affected by this flaw was sent to it.

7. On 13 September 2018, during the on-site inspection at the company's premises, the CNIL delegation found that the URLs provided by the complainant in his referral still allowed access to the documents in question. The company told the delegation that the supporting documents uploaded by rental applicants are stored in a dedicated directory. It was clarified that the whole directory had been made accessible by the security flaw. The findings revealed that this directory contained 290,870 files on the day of the inspection. The company further indicated that the documents provided by applicants were neither purged nor reused at a later stage.

8. The company confirmed to the delegation that a report informing it that documents were freely accessible from the site, without prior authentication, had been received in March 2018. It stated that, following this report, it had carried out a first phase of analysis of the security flaw, which gave rise to an action plan implemented from June 2018. It also indicated that a first action, preventing the URLs from being displayed as they appeared at the time of the breach, had been deployed a few days before the inspection of 13 September. The company then explained that a measure definitively ending the security flaw was to be put into production on 17 September 2018. The minutes of 7 and 13 September were notified to the company on 17 September.

9. For the purposes of investigating these matters, the President of the CNIL appointed Mr Éric PÉRÈS as rapporteur on 1 February 2019, on the basis of Article 47 of the Law of 6 January 1978. By letter of 1 February 2019, the President of the CNIL informed the company of this appointment.

10. At the conclusion of his investigation, the rapporteur sent SERGIC a report on 5 February 2019 detailing the breaches of Articles 5 and 32 of the GDPR that he considered to be established in this case.

11. This report proposed that the CNIL's restricted committee impose a financial penalty of 900,000 euros on SERGIC, to be made public.

12. Also attached to the report was a notice of the restricted committee's session of 11 April 2019. The company had one month to submit its written observations. On 11 February 2019, the company requested that the session be held in camera. This request was granted by letter of 22 February 2019 insofar as certain elements of the proceedings are protected by business secrecy, as provided for in Article L 151-1 of the Commercial Code.

13. On 4 March 2019, the company submitted written observations on the report. The rapporteur responded to these observations on 15 March 2019. On 2 April 2019, the company produced new observations in response to those of the rapporteur.

14. All the observations were reiterated orally by the company and the rapporteur during the restricted committee's session of 11 April 2019.

II. Reasons for the decision

1. On the claim for nullity of the online findings of 7 September 2018

15. The company argues that, during the online inspection of 7 September 2018, CNIL agents retrieved files accessible from URLs of the form https://www.crm.sergic.com/documents/upload/eresa/X.pdf, whereas the provisions of Article 44 of the Data Protection Act authorize CNIL agents only to consult data that is freely accessible or made accessible, and do not under any circumstances allow them to remain in an automated data processing system in order to extract data by downloading it.

16. The company therefore asks the restricted committee to declare the findings contained in minutes No. 2018-186/1 of 7 September 2018 null and void.

17. The restricted committee recalls that under Article 44 (3) (III) of the Data Protection Act, Commission officials "may, in particular, from an online public communication service, consult data that is freely accessible or made accessible, including through recklessness, negligence or by a third party, where appropriate by accessing and remaining in automated data processing systems for the time required for the findings; they may transcribe the data by any appropriate processing into documents directly usable for the purposes of the inspection."

18. By downloading the files from the aforementioned URLs, the CNIL agents transcribed the data rather than extracting it, since the files were not removed from the company's database but simply copied. The restricted committee considers that, by downloading the files made freely accessible by the security flaw, the CNIL agents acted in strict compliance with the provisions of the aforementioned Article 44, which does not in any way enumerate the forms that transcriptions made by authorized agents may take.

19. As a result, the application for nullity will be rejected.

2. The use of elements resulting from the response of SERGIC ENTREPRISES

20. The company notes that, in the report notified on 5 February 2019, the rapporteur indicated that he had taken into account information transmitted by its subsidiary, SERGIC ENTREPRISES, a legal entity separate from SERGIC, within the framework of a sanction procedure previously initiated against the latter. SERGIC argues that neither the report nor the rapporteur's reply clearly indicates which information provided by SERGIC ENTREPRISES the rapporteur relied on in the present proceedings. The company states that it does not know how the rapporteur took these elements into account when drawing up his proposal.

21. The restricted committee notes first of all that, in his report of 4 February 2019, the rapporteur clearly stated that a first sanction procedure had been initiated against SERGIC ENTREPRISES but that the investigations carried out under that procedure had revealed that SERGIC ENTREPRISES was not the controller to whom the breaches could be attributed. The restricted committee further notes that the sanction procedure initiated against SERGIC ENTREPRISES was closed on 31 January 2019.

22. The restricted committee notes that, in his response to the company's observations, the rapporteur indicated that the elements he had taken into account in preparing his report were the information that SERGIC had notified the breach to the data subjects, the fact that the number of persons concerned by the data breach had been clarified, and the fact that the documents sent by applicants were kept for pre-litigation and litigation purposes.

23. It considers that the information provided by the rapporteur allowed the company to identify unambiguously the information in question and the passages of the report containing it.

24. Finally, the restricted committee stresses that all the information on which the rapporteur based his sanction proposal, whatever its source, was brought to SERGIC's attention in the course of the procedure and submitted to adversarial debate. The company was thus aware that this information had been taken into account, and was able to question the accuracy of the facts set out in the report and to contest their significance.

25. Consequently, the company's request that the elements resulting from the proceedings against SERGIC ENTREPRISES be disregarded must be rejected.

3. Failure to give prior formal notice

26. The company argues that the breaches of which it is accused could have been corrected in the context of a formal notice. It therefore considers that the immediate initiation of a sanction procedure, without prior formal notice, deprived it of the possibility of becoming compliant.

27. The restricted committee notes that it follows from the very wording of Article 45 (III) of the amended Law of 6 January 1978, as resulting from Law No. 2018-493 of 20 June 2018 bringing the national legislative provisions into line with those of the GDPR, that the imposition of a sanction is not subject to the prior issuance of a formal notice. The decision to appoint a rapporteur and to refer the matter to the restricted committee is a power of the President of the CNIL, who has discretion over prosecution and may therefore determine, depending on the circumstances of the case, the follow-up to be given to investigations, for example by closing a file, by issuing a formal notice, or by referring the matter to the restricted committee with a view to one or more corrective measures.

4. Failure to ensure the security and confidentiality of personal data

a. Characterization of the breach

28. Article 32 (1) of the Regulation provides that: "Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

(i) the pseudonymisation and encryption of personal data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(iii) the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
(iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing."

29. Article 32 (2) provides that: "In assessing the appropriate level of security, account shall be taken in particular of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."

30. It is for the restricted committee to determine whether SERGIC has breached its obligation to ensure the security of the personal data processed and, in particular, whether the company implemented means to guarantee their confidentiality, in order to prevent them from being accessible to unauthorized third parties, in accordance with Article 32 (1) ii.

31. The restricted committee notes first of all that the existence of a security flaw on the site www.sergic.com is not contested by the company. It notes that this security flaw made the personal data breach possible, insofar as it allowed unauthorized third parties to access the data.

32. The restricted committee recalls that when a request to access a resource is sent to a server, the server must first ensure that the sender of that request is authorized to access the requested information. In this case, both the complainant and the inspection delegation were able to consult freely the documents sent to the company by a large number of rental applicants, without any measure restricting this possibility.

33. This access to documents held by the company reflects a flawed design of the site, characterized in this case by the absence of a user authentication procedure. The data breach resulting from this security flaw could have been avoided if, for example, the company had implemented an authentication mechanism ensuring that the persons accessing the documents were the ones who had uploaded them to the directory in question, and that only they could access them. The implementation of such a feature is an essential precautionary measure, which would have ensured the confidentiality of the personal data processed, in accordance with Article 32 (1) ii, and significantly reduced the risk of such a personal data breach occurring.

34. The restricted committee recalls that the exposure of personal data without prior access control is identified as one of the most widespread vulnerabilities, and that it has already imposed numerous public financial penalties for similar facts.

35. In light of these elements, the restricted committee considers that the company has not implemented the appropriate technical and organizational measures to guarantee the security of the personal data processed, in accordance with Article 32 of the Regulation.

b. On the scope of the breach

36. The company emphasizes that exploiting the vulnerability required special skills, as evidenced by the inspection delegation's use of a script, and that it was possible only with knowledge of the URL https://www.crm.sergic.com/documents/upload/eresa/X.pdf. The company also notes that not all the documents contained in the directory could have been downloaded by the inspection delegation. It further argues that no site user reported that their personal data had been misused.

37. The company then emphasizes that each of the documents provided by rental applicants is necessary for the constitution of the file, in particular to assess their solvency, and that it does not ask applicants for any documents other than those covered by Decree No. 2015-1437 of 5 November 2015 fixing the list of supporting documents that may be requested from a rental applicant and their guarantor.

38. It also recalls that it has no control over documents spontaneously uploaded by applicants even though they do not appear in the aforementioned decree. Similarly, the company believes that it cannot be held responsible for the fact that some applicants upload their Vitale card as proof of identity, or that the national identification number (NIR) appears on documents issued by social security bodies that people transmit.

39. Finally, the company explains that, following the data breach, it planned the correction of the vulnerability over several months, which resulted in the deployment to production on 17 September 2018 of a fix putting a definitive end to the vulnerability. The company states that these delays were due to the high demand for rentals in the summer and the difficulty of suspending its activities during this period.

40. In the first place, the restricted committee observes that exploiting the vulnerability did not require any particular technical expertise in computing. Simply changing the value of X in the URL https://www.crm.sergic.com/documents/upload/eresa/X.pdf allowed anyone with knowledge of that URL to download the documents in question, without needing to create an account on the site beforehand and without any manipulation more complicated than changing the value of X, which is a number. In addition, the restricted committee considers that the use of a script does not show that advanced skills were needed to exploit this vulnerability. The sole purpose of the inspection delegation's script was to automate the manual process of changing the value of X at the end of the URL in question, so as to download the documents one after another more quickly.
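The server-side check that paragraphs 32 and 33 describe, and the simplicity of the flaw noted in paragraph 40, can be shown in a short model. The Python below is an added example written for this page; it is neither SERGIC's code nor anything produced by the CNIL, and every name, account, identifier and document in it (the `DocumentStore` class, the accounts `alice` and `bob`, the sequential ids `1021` and `1022`) is constructed. It places the flawed pattern, where the URL alone selects the file, next to a handler that authenticates the requester and verifies ownership before serving anything, and adds a deny-all switch standing in for the interim "URL filtering" measure the committee mentions in paragraph 44.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added example, not SERGIC's or the CNIL's code. All names, accounts,
# identifiers and document contents below are constructed for illustration.


@dataclass
class Document:
    doc_id: str       # identifier that appears in the URL
    owner: str        # account that uploaded the file
    content: bytes


@dataclass
class DocumentStore:
    """In-memory stand-in for the dedicated upload directory."""
    docs: Dict[str, Document] = field(default_factory=dict)
    # Emergency switch modelling the interim "URL filtering" measure:
    # while True the endpoint serves nothing, whatever the request.
    quarantined: bool = False

    def add(self, owner: str, content: bytes, sequential_id: Optional[str] = None) -> str:
        # Sequential ids (the integer X of the decision) are guessable; by
        # default a random, non-sequential token is issued instead.
        doc_id = sequential_id if sequential_id is not None else secrets.token_urlsafe(16)
        self.docs[doc_id] = Document(doc_id, owner, content)
        return doc_id


Response = Tuple[int, Optional[bytes]]   # (HTTP status, body)


def serve_document_flawed(store: DocumentStore, doc_id: str) -> Response:
    """The pattern the decision criticizes: the URL alone decides access.
    Whoever can form the URL receives the file; nobody is authenticated."""
    doc = store.docs.get(doc_id)
    if doc is None:
        return 404, None
    return 200, doc.content


def serve_document(store: DocumentStore, session_user: Optional[str], doc_id: str) -> Response:
    """Hardened handler: identify the requester first, then verify that the
    requested object belongs to that requester before returning anything."""
    if store.quarantined:
        return 503, None      # interim: deny the whole directory until the fix ships
    if session_user is None:
        return 401, None      # unauthenticated: no lookup is even attempted
    doc = store.docs.get(doc_id)
    # Same answer for "does not exist" and "belongs to someone else", so the
    # response does not reveal which identifiers are in use.
    if doc is None or doc.owner != session_user:
        return 404, None
    return 200, doc.content


def demo() -> Dict[str, int]:
    """Run both handlers over constructed data and report the status codes."""
    store = DocumentStore()
    alice_doc = store.add("alice", b"%PDF constructed tax notice", sequential_id="1021")
    bob_doc = store.add("bob", b"%PDF constructed payslip", sequential_id="1022")
    codes = {
        "flawed_cross_user": serve_document_flawed(store, bob_doc)[0],      # 200: the flaw
        "hardened_anonymous": serve_document(store, None, bob_doc)[0],      # 401
        "hardened_cross_user": serve_document(store, "alice", bob_doc)[0],  # 404
        "hardened_owner": serve_document(store, "alice", alice_doc)[0],     # 200
    }
    store.quarantined = True
    codes["quarantined_owner"] = serve_document(store, "alice", alice_doc)[0]  # 503
    return codes


if __name__ == "__main__":
    for name, code in demo().items():
        print(f"{name}: {code}")
```

Two design points matter beyond the ownership comparison itself: the unauthenticated branch returns before any lookup, so the store is never touched on behalf of an anonymous request, and a document that belongs to someone else yields the same 404 as a missing one, so the endpoint does not confirm which identifiers exist. Random identifiers are an extra layer, not a substitute for the check; a guessable X is only dangerous because the server trusts it.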
41. Secondly, regarding the number of files concerned by the security flaw, the restricted committee observes that it was the CNIL delegation which, on its own initiative, interrupted the execution of the script so as not to overload the server hosting the website. It follows from the information provided by the company to the delegation during the inspection of 13 September 2018, and from the findings made, that all the documents contained in the directory in question, namely 290,870 files, had been made accessible by the security flaw. The files that, according to the company, could not have been downloaded corresponded to numbers that were not attached to any file, as the company acknowledged at the hearing. The restricted committee notes that, in its observations,

42. Thirdly, the restricted committee considers that the breach of the security obligation is aggravated by the nature of the personal data made available. As stated above, the documents sent by rental applicants are very diverse in nature and included marriage certificates, divorce decrees, employment contracts, documents relating to social benefits and tax notices. These documents contain not only identification data, such as surname, first name and contact details, but also a large amount of information that may reveal some of the most intimate aspects of people's lives, such as a divorce.

43. The restricted committee does not call into question SERGIC's need to hold most of these documents. However, it recalls that Article 32 of the Regulation requires the controller to implement security measures adapted to the risks that the processing presents for the rights and freedoms of individuals, risks resulting in particular from unauthorized access to the personal data processed. In addition, since SERGIC handles documents containing very specific information on certain aspects of individuals' private lives, the need for adequate security measures to guarantee their confidentiality was all the more important. The restricted committee recalls in this respect that Recital 83 of the Regulation provides that "[…] These measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected."

44. Finally, the restricted committee notes that the existence of the vulnerability on the site www.sergic.com was brought to the company's attention from 8 March 2018 and was only resolved in September 2018. The personal data of users were therefore accessible for at least six months even though SERGIC was aware of it. While the restricted committee recognizes that correcting the vulnerability may require analysis and technical development, it considers that emergency measures, intended not to correct the vulnerability but to reduce the scale of the data breach, were technically simple to implement and could have been deployed rapidly. For example, the files contained in the directory made accessible by the vulnerability could have been moved to a temporary directory, or URL filtering could have been implemented to prevent access to the documents. In addition, it appears that the company, aware of the increase in its activity from May due to the high demand for rentals, chose to prioritize the stability of its information system during this period over the correction of the vulnerability affecting the personal data it contained. Therefore, insofar as the security flaw was brought to its attention from 8 March 2018, and the company knew that a peak of activity would occur from May, it was up to the company to anticipate this difficulty and to take at least all the necessary measures as soon as it became aware of the vulnerability.

5. Failure to comply with the obligation to limit the data retention period

45. Article 5 (1) (e) of the Regulation provides that:

"1. Personal data shall be:
[…] (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1), subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (storage limitation)."

46. The rapporteur criticizes SERGIC for keeping the documents submitted by applicants who were not granted a lease beyond the time necessary to achieve the purpose for which the personal data were collected and processed, namely the letting of real estate, without this retention being framed by appropriate safeguards.

47. In its defense, the company first recalls that these persons may refer the matter to the Defender of Rights alleging discrimination and that, as such, the Defender of Rights may require the company to transmit the entire file submitted by the applicant. The company specifies that, the limitation period applicable to acts of discrimination being six years, the documents are kept for this duration. It adds that the inspection delegation did not note the presence, in the directory affected by the vulnerability, of any document prior to 2012. The company points out in its written submissions that nothing in the file proves the absence of intermediate archiving of the data and of management of access rights to the documents.

48. The restricted committee recalls that the retention period of personal data must be determined according to the purpose of the processing. When this purpose is achieved, the data must either be deleted or placed in intermediate archiving where their retention is necessary to comply with legal obligations or for pre-litigation or litigation purposes. These data must then be placed in an intermediate archive for a period not exceeding that necessary for the purposes for which they are kept, in accordance with the provisions in force. Thus, after sorting the relevant data to be archived, the controller must provide for this purpose a dedicated archive database or a logical separation within the active database. This logical separation is ensured by technical and organizational measures guaranteeing that only persons who have an interest in processing the data by reason of their functions, such as those in the legal department, can access it. Beyond these retention periods for data transferred to intermediate archives, the personal data must be deleted.

49. In the present case, the restricted committee recalls that SERGIC collects applicants' personal data for the purpose of allocating housing. Once this purpose is achieved, the personal data of applicants who were not granted a lease can no longer be kept in the active database for more than three months and, beyond that, only under a logical separation or in intermediate archiving.

50. However, the restricted committee observes that the company indicated to the CNIL delegation during the inspection of 13 September 2018 that the documents transmitted by applicants who were not granted a lease, that is, those for which further processing was no longer justified, were not deleted, and that no purge was implemented in the database. It also notes that, in its defense observations, the company produced a document showing that its retention policy for customer and prospect data was only formalized in November 2018. Finally, during the session of 11 April 2019, the company indicated that the implementation of a solution for archiving the documents in question was in progress.

51. It is clear from these various elements that SERGIC kept in its active database the personal data of applicants who were not granted a lease for a period significantly exceeding that necessary to achieve the purpose of the processing, namely the allocation of housing, without any intermediate archiving solution having been implemented.

52. In the light of all these elements, the restricted committee considers that a breach of the obligation relating to data retention, as provided for in Article 5 of the Regulation, is established.

III. On the sanction and its publication

53. Article 45-III 7° of the Law of 6 January 1978 provides: "[…] the highest amount being retained. In the cases mentioned in Article 83 (5) and (6) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 referred to above, these ceilings are raised to EUR 20 million and 4% of turnover respectively. The restricted committee shall take into account, in determining the amount of the fine, the criteria specified in the same Article 83." Article 83 of the GDPR provides that "Each supervisory authority shall ensure that the administrative fines imposed under this Article for breaches of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive. Depending on the particular circumstances of each case, administrative fines are imposed in addition to or instead of the measures referred to in Article 58 (2) (a) to (h) and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, the following shall be taken into account in each case: (a) the nature, gravity and duration of the infringement, having regard to the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they have suffered; (b) whether the infringement was committed intentionally or negligently; (c) any action taken by the controller or processor to mitigate the damage suffered by the data subjects; (d) the degree of responsibility of the controller or processor, having regard to the technical and organizational measures they have implemented pursuant to Articles 25 and 32; (e) any relevant previous infringement by the controller or processor; (f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects; (g) the categories of personal data affected by the infringement; (h) the manner in which the supervisory authority became aware of the infringement, in particular whether, and if so to what extent, the controller or processor notified it; (i) where measures referred to in Article 58 (2) have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures; (j) adherence to codes of conduct approved under Article 40 or certification mechanisms approved under Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained or losses avoided, directly or indirectly, as a result of the infringement."
the controller or the processor has notified the violation; (i) where measures referred to in Article 58 (2) have been previously ordered against the controller or the subcontractor concerned for the same purpose, compliance with those measures; (j) the application of codes of conduct approved under section 40 or certification mechanisms approved under section 42; and (k) any other aggravating or mitigating circumstance applicable in the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the breach. the controller or the processor has notified the violation; (i) where measures referred to in Article 58 (2) have been previously ordered against the controller or the subcontractor concerned for the same purpose, compliance with those measures; (j) the application of codes of conduct approved under section 40 or certification mechanisms approved under section 42; and (k) any other aggravating or mitigating circumstance applicable in the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the breach. against the controller or the subcontractor concerned for the same purpose, compliance with those measures; (j) the application of codes of conduct approved under section 40 or certification mechanisms approved under section 42; and (k) any other aggravating or mitigating circumstance applicable in the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the breach. 
against the controller or the subcontractor concerned for the same purpose, compliance with those measures; (j) the application of codes of conduct approved under section 40 or certification mechanisms approved under section 42; and (k) any other aggravating or mitigating circumstance applicable in the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the breach.‹¨›/span‹˜›‹¨›/em‹˜›‹¨›/p‹˜›‹¨›p‹˜›‹¨›span‹˜›54.The company considers that an administrative fine of € 900,000 is disproportionate, taking into account the criteria set by Article 83 of the Rules, its financial capacity and the sanctions previously imposed by the Restricted Training. It goes on to point out that neither the RGPD nor the Loi Informatique et Libertés provides any rules regarding the maximum amount of the fine that may be imposed by the supervisory authority when the deficiencies retained are punished for one, a fine of up to EUR 10 million or 2% of worldwide annual turnover and for the other, a fine of up to EUR 20 million or 4% annual global turnover.‹¨›/span‹˜›‹¨›/p‹˜›‹¨›p‹˜›‹¨›span‹˜›55. ‹¨›/span‹˜›‹¨›u‹˜›‹¨›span‹˜›First of all,‹¨›/span‹˜›‹¨›/u‹˜›‹¨›span‹˜› the Restricted Panel considers that, in the present case, the abovementioned breaches justify the imposition of an administrative fine on the company for the following reasons.‹¨›/span‹˜›‹¨›/p‹˜›‹¨›p‹˜›‹¨›span‹˜›56. On the one hand, it recalls that, in the face of the risks represented by the infringements of personal data, the European legislator intended to reinforce the obligations of the controllers in terms of security of treatment. Thus, according to recital 83 of the RGPD,‹¨›/span‹˜›‹¨›em‹˜›‹¨›span‹˜›In order to ensure security and to prevent any processing carried out in violation of this Regulation, it is important that the controller or the processor assess the risks inherent in the processing and implement measures to mitigate them, such as encryption. 
These measures should ensure an appropriate level of security, including confidentiality, taking into account the state of knowledge and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In the context of the risk assessment for data security, the risks of processing personal data, such as destruction, loss or alteration, unauthorized disclosure of the data, should be taken into account. personal data transmitted,‹¨›/span‹˜›‹¨›/em‹˜›‹¨›span‹˜›. However, the restricted training observes that the lack of security that made possible the data breach has its origin in a defective design of its site by the company SERGIC. The implementation of an authentication procedure on the site was a basic measure to take, which would have prevented the violation of personal data.‹¨›/span‹˜›‹¨›/p‹˜›‹¨›p‹˜›‹¨›span‹˜›57. On the other hand, The Restricted Training notes that SERGIC has been diligent in correcting the vulnerability whereas in the presence of a data breach, the RGPD imposes a rapid response. It is thus provided in recital 85 that ‹¨›/span‹˜›‹¨›em‹˜›‹¨›span‹˜›A breach of personal data may, if it is not timely and appropriate, cause the natural persons concerned physical or material damage or non-material damage ‹º›…‹¹› ‹¹›. ‹¨›/span‹˜›‹¨›/em‹˜›‹¨›span‹˜›Even though no physical person has, so far, reported having suffered any damage due to the data breach, society‹³›s lack of speed in the correction of vulnerability, for a period of at least six months has had the effect of prolonging the risk of such damage occurring.‹¨›/span‹˜›‹¨›/p‹˜›‹¨›p‹˜›‹¨›u‹˜›‹¨›span‹˜›58. Next,‹¨›/span‹˜›‹¨›/u‹˜›‹¨›span‹˜› the gravity of the infringements must also be assessed in relation to the categories of data concerned. 
In this respect, the restricted training recalls that the data processed by the company as part of the management of the files of the prospective tenants contain particularly precise information on certain aspects of their private life. As soon as it receives this type of data, the company must pay particular attention to the preservation of their confidentiality and their methods of preservation; however, it did not provide for an intermediate base and kept this data for a period of time that was clearly excessive.‹¨›/span‹˜›‹¨›/p‹˜›‹¨›p‹˜›‹¨›span‹˜›59. The Restricted Training further recalls that Article 83 (3) of the Regulations provides that in case of multiple violations, the total amount of the fine may not exceed the amount fixed for the most serious violation. In the present case, in so far as the company is accused of a breach of Article 5 of the Regulation, which may be subject to a fine of up to EUR 20 million or 4% annual global turnover, this is the maximum amount that should be taken into consideration.‹¨›/span‹˜›‹¨›/p‹˜›‹¨›p‹˜›‹¨›span‹˜›60.In view of all these elements, the restricted training, taking into account the criteria set out in Article 83 of the GDPR and the financial situation of the company, considers that an administrative fine of 400,000 euros is justified and proportionate, as well as a supplementary advertising sanction for the same reasons.‹¨›/span‹˜›‹¨›/p‹˜›‹¨›p align‹´›‹²›center‹²›‹˜›‹¨›strong‹˜›‹¨›span‹˜›FOR THESE REASONS‹¨›/span‹˜›‹¨›/strong‹˜›‹¨›/p‹˜›‹¨›p‹˜›‹¨›span‹˜›The restricted formation of the CNIL, after having deliberated, decides:‹¨›/span‹˜›‹¨›/p‹˜›‹¨›ul‹˜›‹¨›li‹˜›‹¨›strong‹˜›‹¨›span‹˜›to reject the request for invalidity raised by the company SERGIC;‹¨›/span‹˜›‹¨›/strong‹˜›‹¨›/li‹˜›‹¨›/ul‹˜›‹¨›ul‹˜›‹¨›li‹˜›‹¨›strong‹˜›‹¨›span‹˜›to reject SERGIC‹³›s request not to take into consideration the elements resulting from the proceedings against SERGIC 
ENTREPRISES;‹¨›/span‹˜›‹¨›/strong‹˜›‹¨›/li‹˜›‹¨›/ul‹˜›‹¨›ul‹˜›‹¨›li‹˜›‹¨›strong‹˜›‹¨›span‹˜›pronounced against the SERGIC company ‹¨›/span‹˜›‹¨›/strong‹˜›‹¨›span style‹´›‹²›color: black;‹²›‹˜›‹¨›span‹˜›, ‹¨›/span‹˜›‹¨›/span‹˜›‹¨›strong‹˜›‹¨›span‹˜›an administrative fine of $ 400,000 (four hundred thousand);‹¨›/span‹˜›‹¨›/strong‹˜›‹¨›/li‹˜›‹¨›/ul‹˜›‹¨›ul‹˜›‹¨›li‹˜›‹¨›strong‹˜›‹¨›span‹˜›to make public, on the site of the CNIL and on the site of Légifrance, its deliberation which will be anonymized at the expiry of a delay of two years as from its publication.‹¨›/span‹˜›‹¨›/strong‹˜›‹¨›/li‹˜›‹¨›/ul‹˜›‹¨›p‹˜›‹¨›span style‹´›‹²›color: black;‹²›‹˜›‹¨›span‹˜›President‹¨›/span‹˜›‹¨›/span‹˜›‹¨›/p‹˜›‹¨›p‹˜›‹¨›span style‹´›‹²›color: black;‹²›‹˜›‹¨›span‹˜›Alexandre LINDEN‹¨›/span‹˜›‹¨›/span‹˜›‹¨›/p‹˜›‹¨›p‹˜›#CNIL, #France #Property, #EstateAgents #Fines #GDPR #EU,‹¨›/p‹˜›‹¨›p‹˜›‹¯›nbsp;‹¨›/p‹˜›‹¨›p‹˜›‹¨›a href‹´›‹²›https://www.legifrance.gouv.fr/affichCnil.do?oldAction‹´›rechExpCnil‹¯›amp;id‹´›CNILTEXT000038552658‹¯›amp;fastReqId‹´›119744754‹¯›amp;fastPos‹´›1‹²› target‹´›‹²›_blank‹²› rel‹´›‹²›noopener‹²›‹˜›https://www.legifrance.gouv.fr/affichCnil.do?oldAction‹´›rechExpCnil‹¯›amp;id‹´›CNILTEXT000038552658‹¯›amp;fastReqId‹´›119744754‹¯›amp;fastPos‹´›1‹¨›/a‹˜›‹¨›/p‹˜›” paragraph_whitespace=”true” text_size=”” line_height=”” text_color=”” margin=”0px 0px 15px 0px” class=”” _fw_coder=”aggressive” __fw_editor_shortcodes_id=”7300ee48d3d26555a12ec14fec31c23e”][/text_block]
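Paragraphs 48 to 51 describe a three-stage lifecycle for unsuccessful applicants' files (active database for at most three months after the housing is allocated, then a logically separated intermediate archive readable only by staff with a legal need, then deletion). The following purge job and access check are an added illustration, not SERGIC's code; the archive retention period (ARCHIVE_DAYS), the role names and the sample records are assumptions, since the decision does not state them.

```python
"""Retention lifecycle for rental applicants' files, as the decision describes it.
Added illustration, not SERGIC's code. Unsuccessful applicants' files stay in the
active database at most three months after allocation, then move to an archive
readable only by staff with a legal need, then are deleted. The decision gives no
archive period, so ARCHIVE_DAYS is an assumed placeholder."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ACTIVE_DAYS = 90             # "no more than three months" in the active database
ARCHIVE_DAYS = 5 * 365       # ASSUMPTION: legal retention period, not from the decision
ARCHIVE_READERS = {"legal"}  # logical separation: roles allowed to read the archive

@dataclass
class ApplicantFile:
    applicant_id: str
    obtained_lease: bool
    decided_on: str                  # ISO date on which the housing was allocated
    tier: str = "active"             # "active" or "archive"
    archived_on: Optional[str] = None

def _older_than(iso_day: str, today: str, days: int) -> bool:
    return date.fromisoformat(today) - date.fromisoformat(iso_day) > timedelta(days=days)

def apply_retention(files: List[ApplicantFile], today: str) -> Dict[str, List[str]]:
    """Purge job: archives or deletes unsuccessful applicants' files in place."""
    report: Dict[str, List[str]] = {"archived": [], "deleted": []}
    for f in list(files):
        if f.obtained_lease:         # a tenancy is a new purpose; not covered here
            continue
        if f.tier == "active" and _older_than(f.decided_on, today, ACTIVE_DAYS):
            f.tier, f.archived_on = "archive", today
            report["archived"].append(f.applicant_id)
        elif f.tier == "archive" and _older_than(f.archived_on, today, ARCHIVE_DAYS):
            files.remove(f)
            report["deleted"].append(f.applicant_id)
    return report

def read_file(files: List[ApplicantFile], applicant_id: str, role: str) -> Optional[ApplicantFile]:
    # Archived files are readable only by ARCHIVE_READERS; active files are unaffected.
    for f in files:
        if f.applicant_id == applicant_id:
            if f.tier == "archive" and role not in ARCHIVE_READERS:
                raise PermissionError(f"role {role!r} may not read archived file {applicant_id}")
            return f
    return None

# Constructed sample database as of the CNIL inspection date (13 September 2018).
SAMPLE_FILES = [ApplicantFile("A", True, "2018-01-10"),
                ApplicantFile("B", False, "2018-01-10"),
                ApplicantFile("C", False, "2018-08-01"),
                ApplicantFile("D", False, "2010-01-01", "archive", "2010-04-15")]
```

Running `apply_retention(SAMPLE_FILES, "2018-09-13")` archives B (allocated more than three months earlier), leaves C in the active database, deletes D from the archive and leaves tenant A untouched.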
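Paragraph 56 states that the breach originated in the site's design, which served `/documents/upload/eresa/X.pdf` for any integer X, and that an authentication procedure would have prevented it. The handler pair below is an added illustration, not SERGIC's code: the document store, session table, token values and the `insecure_download`/`secure_download` names are constructed for the example.

```python
"""Object-level authorization for applicant document downloads.
Added illustration, not SERGIC's code. The decision faults a site that served
/documents/upload/eresa/X.pdf for any integer X with no authentication. The
hardened handler requires a logged-in user and checks that the document belongs
to that user. Store, sessions and names are constructed for the example."""
import re
from typing import List, Optional, Tuple

DOC_PATH = re.compile(r"^/documents/upload/eresa/(\d+)\.pdf$")

# Constructed sample store: document id -> (owner, content).
DOCUMENTS = {1: ("applicant-A", b"%PDF-1.4 payslip of A"),
             2: ("applicant-B", b"%PDF-1.4 id card of B")}
SESSIONS = {"tok-A": "applicant-A", "tok-B": "applicant-B"}  # session token -> applicant
AUDIT_LOG: List[str] = []  # refused requests, kept so that probing can be detected

def insecure_download(path: str) -> Tuple[int, Optional[bytes]]:
    """The failure mode in the decision: any existing id is served to anyone."""
    m = DOC_PATH.match(path)
    if not m:
        return 404, None
    doc = DOCUMENTS.get(int(m.group(1)))
    return (200, doc[1]) if doc else (404, None)

def secure_download(path: str, session_token: Optional[str]) -> Tuple[int, Optional[bytes]]:
    """Authenticate the caller, then enforce ownership of the requested document.

    Unknown and not-owned ids both return 404 so a logged-in user learns nothing
    about other applicants' documents; every refusal is recorded for monitoring.
    """
    m = DOC_PATH.match(path)
    if not m:
        return 404, None
    user = SESSIONS.get(session_token or "")
    if user is None:
        AUDIT_LOG.append(f"401 anonymous {path}")
        return 401, None
    doc = DOCUMENTS.get(int(m.group(1)))
    if doc is None or doc[0] != user:
        AUDIT_LOG.append(f"404 {user} {path}")
        return 404, None
    return 200, doc[1]
```

A spike of refused entries in `AUDIT_LOG` from one session or address is the signal a monitoring rule would alert on.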