The French CNIL imposed a new sanction of €180,000 last July 18th, 2019 to a French insurance company that provides car insurance to individuals (Active Assurances) which failed to adequately protect the personal data of users of its website. The amount is not as significant as the fine of last June in the real estate sector but the failures were not as serious.
The CNIL’s investigation also followed a complaint from a customer who was able to access personal data of other customers from his account. This included copies of driver’s licenses, car documentation and bank identification details. These data were accessible directly by typing the names of customers on a search engine, or by adding numbers in the URL address of the website. The CNIL ordered the company to remediate the situation.
When the CNIL carried out an inspection a few days later, it noted that the measures taken were insufficient to prevent the referencing of the personal data (a “robots.text” file could have been used to avoid referencing by search engines), the log in passwords (date of birth) were not sufficiently secure (they were indicated in the log in forms and were also sent by email in clear text) and the company should have ensured that each person accessing the documents was duly empowered. Thus, it ordered a fine for non-compliance with the obligation to preserve the security of the personal data of its website users, in breach of Article 32 of the GDPR.
The CNIL took into account the criteria set forth by Article 83 of the GDPR (type of personal data and documents publicly available, number of persons affected), as well as the company’s responsiveness to correct the lack of security and its cooperation with the CNIL to determine the amount of the fine.
Recent CNIL fines have concerned security issues. In most cases, they follow data subject complaints. The type of personal data concerned, the number of data subjects affected and the data controller’s responsiveness to correct security issues have impacted the level of the fine determined by the French supervisor authority.