PAP.fr forced to do better on data retention and security


The GDPR has applied in Europe since 2018, but the sanctions imposed by data protection authorities, including the CNIL, show that the organisations concerned still have considerable room for improvement.

On February 13, the French commission formalised a fine of 100,000 euros against the company PAP, publisher of the classified ads site pap.fr (De Particulier à Particulier). The company is sanctioned in particular for its practices regarding data retention and data protection.

Data kept for 5 to 10 years

Inspections carried out by the CNIL in 2022 revealed several breaches of the GDPR. The most significant concern retention periods and the security of the data held.

The regulator also faults PAP for breaches relating to the information given to data subjects and to the contractual framing of its relationship with a subcontractor (a processor, in GDPR terms).

Regarding retention periods, the site publisher had set a default of 10 years. This excessively long period applied to data from certain customer accounts using paid services.

The content of advertisements and the surname, first name, telephone number and email address of paying customers were retained for 10 years. For users of free services, the defined retention period was 5 years.

Even this period was not respected: CNIL checks found data kept for longer still. PAP also presented users with an incomplete privacy policy, and the gaps went beyond the exact retention period.

Subcontracting: GDPR applies

The publisher is also singled out for a breach of the GDPR linked to its contract with a subcontractor. The GDPR requires the data controller to govern, by a binding legal act, the processing that a processor carries out on its behalf.

Finally, PAP has shown itself to be insufficiently mature on cybersecurity. In violation of Article 32 of the GDPR, the company failed to meet its obligation to ensure the security of its users' personal data.

Risks of attacks and data leaks

"The site's user account password complexity rules were insufficiently robust. The same was true of the confidential references transmitted by the company, after a real estate advertisement was posted on the site, to users who did not hold an account, in order to access this advertisement," the CNIL cites as an example.

The authority also criticises the storage of user account passwords and confidential references in plain text. These flaws "did not guarantee data security". The consequence, in the CNIL's words: the security flaws observed "exposed the data to the risk of computer attacks and leaks."
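The two flaws named above, plaintext storage of passwords and of confidential references and weak password rules, shown beside a hardened form built on the Python standard library. This is an added example, not PAP's code and not anything the CNIL published; the function names, the scrypt work factors, the 12-character length policy, the tiny denylist and the sample records are this example's assumptions.

```python
"""Password and confidential-reference storage: the plaintext pattern the CNIL
sanctioned, beside a hardened version. Added example; function names, policy
thresholds and scrypt parameters are assumptions, not PAP's code or the
CNIL's prescriptions."""
import hashlib
import hmac
import os
import secrets

# scrypt work factors (assumed here): about 16 MiB of memory per hash, which
# stays under hashlib.scrypt's default 32 MiB limit. Raise N on capable servers.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
MIN_PASSWORD_LENGTH = 12  # assumed policy threshold
# A tiny denylist stands in for a real breached-password corpus (constructed).
COMMON_PASSWORDS = {"password", "password123", "123456789012", "motdepasse12"}


def store_plaintext(db: dict, account: str, secret: str) -> None:
    """The sanctioned pattern: the secret itself goes into the database, so
    any read access (SQL injection, leaked dump, curious admin) yields it."""
    db[account] = secret


def hash_secret(secret: str) -> str:
    """Salted scrypt hash, serialised with its parameters so they can be
    raised later without invalidating older records."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(secret.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time.
    Any malformed record is treated as a failed check, never as an error."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(secret.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(digest, bytes.fromhex(digest_hex))
    except ValueError:
        return False


def password_meets_policy(password: str) -> bool:
    """Length-first policy (assumed): a minimum length plus a denylist of
    known-weak values, rather than composition rules alone."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in COMMON_PASSWORDS


def new_confidential_reference() -> str:
    """Reference handed to a non-account user to manage an advertisement:
    192 bits from the OS CSPRNG, so it cannot be guessed or enumerated."""
    return secrets.token_urlsafe(24)


def store_hardened(db: dict, account: str, secret: str) -> None:
    """Hardened counterpart of store_plaintext: only the hash is persisted,
    for account passwords and confidential references alike."""
    db[account] = hash_secret(secret)


if __name__ == "__main__":
    weak_db, hardened_db = {}, {}  # constructed sample records
    store_plaintext(weak_db, "alice", "correct horse battery staple")
    store_hardened(hardened_db, "alice", "correct horse battery staple")
    print("plaintext record :", weak_db["alice"])      # the secret, readable
    print("hashed record    :", hardened_db["alice"])  # parameters, salt, digest only
    print("login ok         :", verify_secret("correct horse battery staple", hardened_db["alice"]))
    ref = new_confidential_reference()
    store_hardened(hardened_db, "ad-42-ref", ref)
    print("reference check  :", verify_secret(ref, hardened_db["ad-42-ref"]))
```

The reference is shown to the user once and only its hash is kept, so a database dump no longer lets an attacker open or edit other people's advertisements; the same verify path serves both passwords and references.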

Six years after its entry into force in EU member states, GDPR compliance remains a work in progress in many organisations. Michel Paulin, CEO of OVHcloud, recently made the same point, describing this regulation as a higher priority than the AI Act.
