GDPR News feed

08/10/2018 – UK – ICO (Information Commissioner’s Office) / Data breach at Heathrow Airport Limited (HAL): £120,000

Facts: On the 16th of October 2017, a USB memory stick lost by a HAL employee was found by a member of the public, who later viewed the material it contained (76 folders and over 1000 files containing employees’ personal data, not encrypted or password protected). It was viewed and passed to a national newspaper which took copies of the data. The ICO became aware of the incident via the media.

Data Security: Companies must ensure that proper corporate standards, training and procedures are being put in place to minimise the vulnerability of personal data. At HAL, only 2% of staff members had been trained in data protection, and staff members were using removable media in contravention of HAL’s policies. Controls and policies were inefficient. Appropriate technical and organisational measures shall be taken against unlawful/unauthorised processing and loss of personal data.

Sanction: The case was not dealt with under the provisions and maximum penalties of the GDPR due to the timing of the facts. That being so, the HAL was fined £120000 (approximatively 136K€) in accordance with the Data Protection Act 1998 considering the seriousness of the contravention (sensitive data involved, inefficient measures, and size of HAL), and to promote compliance with privacy legislation.

28/09/2018 – UK – ICO (Information Commissioner’s Office) / Data breach at Bupa Insurance Services Limited (Bupa) : £175,000

Facts: An employee was able to extract 547 000 customers’ information (such as name, date of birth, email address, nationality) and offered it to sell on the dark web. The ICO was notified through complaints from Bupa’s customers.

Data security: Bupa failed to assess the risk and to have effective security measures in place to protect customers’ information. The data controller must take appropriate technical and organisational measures against unauthorised and unlawful processing.

Sanction: The case was not dealt with under the provisions and maximum penalties of the GDPR due to the timing of the facts (2017). That being so, Bupa was fined £175000 (approximatively 197K€) in accordance with the Data Protection Act 1998 given the seriousness of the breach and to promote compliance with privacy legislation.

20/09/2018 – UK – ICO (Information Commissioner’s Office) / Data breach at Equifax Ltd : £500000

Facts: The US parent company of Equifax Ltd was subject to a cyber-attack back in 2017 which affected 146 million customers globally, including 15 million UK citizens.

Data security: The UK branch was responsible for the personal data of its UK customers and failed to take appropriate measures to ensure that the processor, i.e. the US branch, was protecting the information (names, dates of birth, addresses, passwords, driving licence and financial details).

Data principles breached: failure to secure personal data, poor retention practices (data retained much longer than needed), general lack of lawful purpose, and lack of legal basis for international transfers of UK citizens’ data.

Sanction: The case was not dealt with under the provisions and maximum penalties of the GDPR due to the timing of the facts (2017). That being so, Equifax Ltd was fined £500000 (approximatively 562K€) in accordance with the Data Protection Act 1998, which is the highest level of fine under this law (considering the number of victims, type of data at risk and Equifax’s inexcusable behaviour), in order to promote compliance with privacy legislation.

04/09/2018 – UK – ICO (Information Commissioner’s Office) / Enforcement notice served to the London Borough of Lewisham

Facts: Data subjects access requests to the London Borough of Lewisham are not handled in due time, owing to its inefficient internal systems, procedures and policies for dealing with subject access requests.

Exercise of the right of access: When a request of access is made, the data controller must respond to subject access requests without undue delay. In addition, the means to respond to such requests must be adequate.

Notice: The ICO set a deadline on the 15th of October, for the London Borough of Lewisham to respond to the 19 individuals who submitted a subject access request to their personal data before last 25th of May, with a weekly reporting on actions taken.

31/08/2018- Data breach at Abbyy’s

Facts: Failure of a server that has made nearly 200 000 scanned documents from a single client of the Russian company accessible.

Information through a press release (probably to avoid the possible bad buzz and to reassure).

28/08/2018 – Data breach at System U (car rental website)

Facts: hacking resulting in a data breach (identification, contact information, booking information, no payment date)

Notification of the violation to the CNIL et through a press release.


27/08/2018 – Data breach at T-Mobile US

Facts: Potential security breach detected and quickly corrected, potentially resulting in data breaches of possibly more than 2 million potential victims (name; billing postcode, phone number, email address, account number and type of account, no payment data).

Notification though a press release.


03/08/2018 – Publication of Decree No. 2005-1309 supplementing the LIL.

Fixation of deadlines and procedures applicable to CNIL’s missions and clarification of certain provisions of the law (medical data, means of information of the persons concerned, etc.)


24/07/2018- CNIL- Sanction for Dailymotion : 50 K€

Facts: Violation of encrypted data during an attack by accessing the identifiers of an administrator account stored clearly on the collaborative development platform “Github” and exploitation of a vulnerability in the code of the platform Dailymotion on “Github”: 82.5 million email addresses and 18.3 million passwords concerned.

Obligation of security of the personal data: elementary measures could have avoided the violation: to not store clearly in the source code identifiers related to an administrator account; Set up an IP address filtering system or a VPN (Virtual Private Network) when outsiders can connect remotely to an internal computer network.

Sanction: it would certainly have been higher if the data breach had not been encrypted.

Publication of the decision: to make accountable the responsible and given the huge amount of data involved.


24/07/2018 CNIL – Sanction for the Public Housing Office of Rennes Métropole Archipel Habitat : 30K€

Facts: Complaint received concerning the use of the President of the DPO (also Mayor of Rennes) of the file of the tenants of social housing to send them a politicized letter about the APL and the position of the government.

Lawful processing: the personal data collected cannot be processed for purposes other than those that justified the collect (here the management of application for social housing and for the real estate park). If a purpose of external communication was possible, it was not here a newsletter because of the controversial content of the mail (critique of a government announcement).

Publication of the decision: to remind all the actors of the social sector the prohibition to use the data out of the initial purpose and because of the lack of knowledge of the OPH of a fundamental principle of the LIL.



17/07/2018- CNIL – Closing of the formal notice against Genesis Industries Limited

Following the CNIL’s formal notice, the answers provided by Genesis and the subsequent controls from the CNIL, allowed to verify that the voice recognition, necessary for the toys to respond to the questions asked by the children, is no longer used. The discussions with the toys are no longer transferred to the servers of a third-party company outside the EU and the use of the toys no longer leads to the processing of data.


10/07/2018 CJUE- The data protection regulation applies to religious communities

Co-responsibility of a religious community (Jehovah’s witnesses) and its preaching member: preaching by door-to-door is not an exclusively personal and domestic activity of each preacher, which would allow them to escape from the regulation, since it goes beyond their private sphere. The joint responsibility does not necessarily presuppose that each actor has access to personal data: the community organizing, coordinating et encouraging preaching by its members participates in determining the purpose and the means of the treatment.


02/07/2018 CNIL press release – What controls for 2018?

The CNIL’s controls in 2018 will follow the same lines as before, with investigations based on complaints and reports sent to the CNIL, verifications carried out following closures, formal notices or sanctions, missions carried out on the basis of current topics and the annual program of controls on the specific themes selected. For 2018, it concerns the processing of personal data related to recruitment (including evaluation tools), rental real estate (on the vouchers requested by the agencies) and paid parking carried out with connected tools.


02/07/2018 CNIL- Formal notice against the Institute of informatic and commercial techniques- CCTV: The constant surveillance of employees or students is excluded.

Is excessive any systems that constantly monitors employees or students, that is to say, to film both access to the establishment, the traffic and the places of life during business hours of the establishment, except in exceptional circumstances.

The obligation of information of the filmed person can be filled by mentioning it in the general conditions of inscription, a posting and the diffusion to the employees (note of information/ employment contract).

When the final purpose of the treatment is to protect goods and people (thefts, aggression, damage) and to avoid overflowing students, an adequate conservation period would be of one month.


01/07/2018- International/ Brazil – the LGPD should come into force within 18 months.

After 8 years of work and inspired by the 1995 European Directive, the 1st Brazilian law on the protection of personal data (LGPD) will come into force. It creates and standardizes a comprehensive system of protection with 10 legal bases to justify the processing of personal data (including consent), enhanced protection for so-called sensitive data (eg ethnic origin, political and religious opinions, sexual preferences and genetical data), the creation of a dedicated authority (ANPD), the establishment of a function of leader of privacy within public and private entities, data breach notification obligations, fines that can escalate up to 50 million Brazilian reals (about 10 millions euros) with a possible prohibition of the incriminated treatments.


28/06/2018 CEDH- When convicted criminals more than 20 years ago are denied anonymity in the media à The right to be forgotten is not absolute.

In order to identify whether the right to be forgotten has to be implemented, a balance must be struck between respect of privacy and public’s freedom of expression and information.


28/06/2018 CNIL press release- The most common negligence in the security of websites.

The pitfalls quite easy to avoid and yet most often encountered concerning the security of the web sites are in particular: an authentication by a password too flexible, the absence of authentication rules to an account (the only incremental URL enough to access), the lack of encrypted data, the indexing of data in a search engine.


21/06/2018 CNIL- Sanction for the association for the development of fireplaces : 75K€.

Facts: Notification sent to the CNIL, which carries out an online check and warns the ADEF of a personal data breach (modification of the path of the URL displayed in the browser allowed access to documents registered by other applicants: taxi notices, passports, identity cards, residence permits, pay slips, CAF payment certificates, NIR, IBAN, etc. housing applicants who have made a registration process on the website of the association) and asks him to fix it. A few days later, the CNIL notes that, although the ADEF asked the company that developed its website to intervene, the data is still accessible.

Obligation of security and confidentiality of the personal data: basic measures upstream of the development of the site could have avoided the violation: to set up a device allowing to avoid the predictability of the URL and the procedure of authentication of the users of the web site.

Sanction: it would certainly have been higher if the ZDEF had not cooperated with the CNIL.

Publication of the decision: in view of the gravity of the situation related to the open access and the volume of documents (42652) and having in mind the intimate and complete nature of the data concerned.


21/06/2018- The age of the numerical majority in France is set at 15 years old.

A minor may consent to the processing of his personal data from the age of fifteen. Before this age, additional parental consent is required. 5Ar. 20 Law No 2018-493 of June 20, 2018, on the protection of personal data).


21/06/2018 – Promulgation of Law No. 2018-493 of June 20, 2018 amending the LIL.

Update of certain provisions regarding the Data Protection Regulation, exercise of the national maneuvers foreseen in the Data Protection Regulation (eg age of numerical majority) and transposition of the Directive 2016/680 “Police Justice”.

According to the CNIL, an order for a complete rewriting of the law “Data processing and liberty” is planned within a period of six months, to allow a legibility of the current legal framework (The current LIL still contains provisions which, according to the Data protection regulation, are no longer applicable or do not mention certain new rights and obligations provided by the Data Protection Regulation.


13/06/18 – Supreme Court – No conviction for Air France

Compliance: the tracking software of the activity of the pilots complies with the LIL (except for a few minor failures reported): fair collection of data (information of person concerned about the existence of the treatment, its purposes, the recipients and their rights by means of a paper memo and on the dedicated intranet), no diversion of the final purpose of the processing (the data contained in this software are not crossed with those taken into account for the monitoring or the pilots career).

Nature of the data: information about sick leaves are not sensitive data because the reason of the leave is not indicated, and therefore is not data on the health.


06/06/18 State Council- Conviction for : 25K€

Legal basis of the treatment: The advertising cookies even if they would be necessary for the economic viability of the web site, require a consent of the web user prior to their deposit.

Obligation of information: It is essential to inform the web user of the cookies that can be deposited by specifying those that are obligatory or subject to his consent, as well as the consequences of a possible opposition on his part. The only proposal to the web user to configure his browser is not a valid mode of opposition.

Shelf life: Cookies/ 13 months.

Obligation to cooperate with the CNIL: it is up to the company which has been subject of a notice from the CNIL to show that it has done what is necessary to rectify its infringement.


05/06/18 CJUE – Joint responsibility of the treatmentà Deactivation of a fan page on the social network Facebook.

Responsibility: Although the Social network is primarily responsible, the administrator of a fan page is jointly responsible for the processing: He brings an active and voluntary contribution (setting action) to the collection by RS of the personal data of the visitors of his page and profits from statistics resulting, for the purposes of management of the promotion of his activity (knowledge of the profile of the visitors who appreciate the fan page or use its applications, in order to propose them a more relevant content and to develop functionalities most likely to interest them more…). Even if their statistics are received by the administrator in an anonymized form, the processing itself is not, and it is not necessary in practice for the user to have an account on the RS for his data to be processed.


25/05/2018- The entry into force of the long awaited GDPR … and so dreaded

The week of entry into force of the new European regulation on personal data will have seen many companies rush around this deadline to assail their contacts and clients with e-mails.

  • Several observations: the majority of these e-mails aimed to ask for a (new) consent to the people; the majority of people did not read these e-mails, received in shambles and even less confirmed a consent.
  • Several reflections: it seems that in most cases, the legal basis of data processing did not have to be the consent (remember that a company can on the basis of a legitimate interest send offers to its customers naturally interested by its products and services); by massively addressing this demand, the companies themselves have had to obtain a consent; even if a consent was necessary, it is far from certain that is really was necessary for the 25th of May; the result of this precipitation is most certainly a massive loss of business data and the value that goes with it.

The CNIL has announced that it will remain fairly flexible as part of its controls until the end of 2018. So it is still time to reflect on the legal part and to verify on a case-by-case basis what are the obligations of the company and the steps to take regarding the compliance that needs to be implemented.


07/05/18 CNIL- Conviction for Optical Center : 250K€

Control online and then on the spot.

Security requirement: Default when placing online orders on its website: access to hundreds of customer invoices containing personal data (surname, first name, postal address, health data and sometimes date of birth and social security numbers).

Sanction: 250K€ despite the active collaboration of Optical Center to solve the flaw, because: the restriction of access to documents present on the personal spaces is a precaution of essential use; the company knew the risks of computer security, having already been condemned in 2015 (to 50K €).

Publication of the decision: because the data made available were particularly sensitive and numerous (334,769 documents) ant the number of customers affected important.


09/03/2018 State Council – Confirmation of the non-dismissal by the CNIL of a Correspondent Informatique and Liberty (CIL).

The information of the customers of a banking institution on the financial risk that they take by contracting a loan is not part of the duties of the CIL who did not therefore fail in its obligations.


14/02/2018 TGI Paris- Invasion of privacy and malice : 2K€ D&I, 2K€ art. 700, removal of the web page.

If court decisions are published in full, the freely accessible databases that reproduce them must anonymize them.

To identify on a web page a convicted person (for illegal practice of pharmacy, marketing of drugs without a MA, non-compliance with the rules of advertisement on drugs and tax evasion) by publishing the anonymized court decisions, by highlighting the facts that are very old and without fueling the debate with new elements is a malicious lift of anonymity and reprehensible.


20/02/2018 Referred Council of State- Implementation of an automated treatment of personal data “Parcoursup”.

Several students’ unions were calling for the suspension of an order authorizing the implementation of an automated processing of personal data “Parcoursup” considered illegal. After balancing the interests in question, the Stat Council considered that the suspension of “Parcoursup” would cause an infringement on the general interest (good progress of the procedures of pre-registration for the higher education) exceeding the inconvenient invoked by the claiming unions in view of the limited nature of the processing. The severity and urgency were not retained.


20/11/2017 CNIL – Notice against Genesis Industries Limited

Notice to proceed within two months to secure the connected toys the doll “My Friend Cayla” and the robot “I-QUE”, which answers the questions asked by children, who are equipped with a microphone and a speaker and associated with a mobile application, so the company collects a lot of personal information about children and their entourage (voice, conversation content, information entered in the application “My Friend Cayla App).

Failure of security: anyone located 9 meters away from the toys with a Bluetooth communication system can connect to the doll, without having to authenticate, and thus hear and record the words exchanged between the child and the toy or any conversation near the toy and also communicate with the child.

Default of information for the users of the toys: while personal information are processed by the company, toy users are not informed of the company’s data processing of informed that the company is transferring content from conversation to a service provider locates outside the European Union.