FR: CNIL does not spare SMEs - 180 000 euros fine

2B Advice
A CNIL decision of 18 July 2019 clearly shows the expensive consequences, even for small and medium-sized companies, of a breach of customer data security under the GDPR.

The sanctioned company is a car insurance agency for private individuals that employs fewer than 10 people and had an annual turnover of approximately EUR 10.7 million in 2017.

Following a report from a customer, the CNIL carried out an online inspection in the summer of 2018 and found that the company's customer accounts could be reached through hyperlinks that turned up in ordinary keyword searches on search engines, with no particular technical skills required. This made it possible to view the data and documents of the data subjects (driving licences, bank details, etc.), some of which contained sensitive information (suspension of the driving licence, hit and run).

The CNIL noted the absence of basic security measures, the particularly large volume of personal data and documents exposed, and the level of detail of the information about the data subjects.

The company responded quickly to these findings, but during its on-site inspection the CNIL found that the measures taken were still inadequate. In particular, it criticised the fact that customers were advised to use their date of birth as a password and that the chosen password was then simply sent to them by e-mail.

Accessibility for vulnerable persons does not justify recommending passwords that are too simple: appropriate measures could have been taken that do not jeopardise the security of the data. A date of birth is often known to third parties and is drawn from a space of only a few tens of thousands of calendar days, so it offers practically no protection against guessing.
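As an added illustration (not code from the original 2B Advice article or from the CNIL decision), the following Python example shows the two checks a practitioner would put in place against the practices criticised here: refusing any password that is simply a calendar date, and replacing the e-mailed password with a hashed, expiring, single-use reset token. The function names, the 30-minute token lifetime, the year range used for the guess-space figure and the sample dates are assumptions of this example.

```python
"""Added example: reject date-of-birth passwords and replace e-mailed
passwords with a hashed, expiring, single-use reset token."""
import hashlib
import hmac
import re
import secrets
from datetime import date, datetime, timedelta

# Password shapes that are really just a calendar date: day-month-year,
# ISO year-month-day, or day-month-two-digit-year, with optional separators.
_DATE_SHAPES = (
    (re.compile(r"^(\d{2})[./-]?(\d{2})[./-]?(\d{4})$"), "dmY"),
    (re.compile(r"^(\d{4})[./-]?(\d{2})[./-]?(\d{2})$"), "Ymd"),
    (re.compile(r"^(\d{2})[./-]?(\d{2})[./-]?(\d{2})$"), "dmy"),
)


def _is_calendar_day(day, month, years):
    """True if day/month exists in at least one of the candidate years."""
    for year in years:
        try:
            date(year, month, day)
            return True
        except ValueError:
            continue
    return False


def looks_like_date(password):
    """Return True if the password is a plausible date (e.g. a birthday).

    Both day-month and month-day order are tried, so '12/31/2001' is
    caught as well as '31/12/2001'; two-digit years are tried as 19yy
    and 20yy.  Nonsense such as '99999999' is not a date and passes.
    """
    text = password.strip()
    for pattern, order in _DATE_SHAPES:
        match = pattern.match(text)
        if not match:
            continue
        fields = dict(zip(order, (int(g) for g in match.groups())))
        if "Y" in fields:
            years = (fields["Y"],)
        else:
            years = (1900 + fields["y"], 2000 + fields["y"])
        d, m = fields["d"], fields["m"]
        if _is_calendar_day(d, m, years) or _is_calendar_day(m, d, years):
            return True
    return False


def birthday_guess_space(first_year, last_year):
    """Number of distinct calendar days a date-of-birth password can take
    (assumed range of plausible birth years)."""
    return (date(last_year + 1, 1, 1) - date(first_year, 1, 1)).days


def issue_reset_token(now, ttl=timedelta(minutes=30)):
    """Create a one-time reset token for a password-set link.

    Only the SHA-256 digest is stored server-side, so a database leak
    does not reveal usable tokens; the raw token goes into the link.
    """
    token = secrets.token_urlsafe(32)
    record = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + ttl,
        "used": False,
    }
    return token, record


def redeem_reset_token(record, presented, now):
    """Accept the token once, before expiry, using a constant-time compare."""
    if record["used"] or now >= record["expires"]:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(digest, record["digest"]):
        return False
    record["used"] = True
    return True


def demo_reset_flow():
    """Constructed walkthrough: a valid token works exactly once; a replay,
    a wrong token and an expired token are all refused."""
    now = datetime(2019, 7, 18, 12, 0)          # constructed timestamp
    token, record = issue_reset_token(now)
    used_once = redeem_reset_token(record, token, now + timedelta(minutes=5))
    replayed = redeem_reset_token(record, token, now + timedelta(minutes=6))
    token2, record2 = issue_reset_token(now)
    wrong = redeem_reset_token(record2, "not-the-token", now + timedelta(minutes=1))
    expired = redeem_reset_token(record2, token2, now + timedelta(hours=1))
    return used_once, replayed, wrong, expired


if __name__ == "__main__":
    for candidate in ("01011985", "1985-01-01", "12/31/2001", "Tr0ub4dor&3"):
        print(candidate, "rejected" if looks_like_date(candidate) else "accepted")
    print("distinct birthdays 1900-2019:", birthday_guess_space(1900, 2019))
    print("reset flow (once, replay, wrong, expired):", demo_reset_flow())
```

The date check is deliberately format-tolerant rather than strict, because the goal is to refuse anything an attacker who knows the customer's birthday could type in a handful of attempts; the reset-token path keeps the secret out of e-mail entirely, since the link only grants a short window in which the customer sets a password of their own.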

In setting the amount of the fine, the CNIL sought to strike a balance between the deterrent effect required by the GDPR and the company's rapid response. Instead of the EUR 375 000 initially proposed (3.75% of the company's annual turnover), the CNIL imposed a fine of EUR 180 000 (1.67% of the company's annual turnover).

The case shows that even "small companies" must expect significant sanctions if basic security aspects are ignored. We therefore recommend implementing state-of-the-art technical and organisational measures when planning and operating automated processing operations. In this case that would have meant, at a minimum, serving pages that expose customer data only after authentication and never through links a search engine can index, not deriving initial passwords from personal data such as the date of birth, and not distributing credentials by e-mail.


© 2012 - 2019 |  2B Advice LLC - the privacy benchmark