Passwords too weak, data retention: the De Particulier à Particulier (PAP) site condemned for its numerous failings


Alexandre Boero

Clubic news manager

February 13, 2024 at 11:28 a.m.


Screenshot of the De Particulier à Particulier website © Alexandre Boero / Clubic

The well-known real estate ad site De Particulier à Particulier (PAP) has been sanctioned by the CNIL with a fine of 100,000 euros. The platform was found guilty of numerous breaches relating to security and data retention.

The National Commission for Information Technology and Liberties (CNIL) banged its fist on the table. On Tuesday, February 13, the data watchdog announced that it had imposed a fine of 100,000 euros on the company PAP, publisher of the pap.fr site, "De Particulier à Particulier". The CNIL noted several breaches of the GDPR, the European data protection regulation, singling out a confidentiality policy that is too lax and imprecise, as well as a failure to secure user passwords. Here are the details.

Lies about how long user data is kept

It is one of the largest French real estate ad sites, with 3 million visits per month, according to figures provided by Similarweb. Nevertheless, PAP was sanctioned by the CNIL for four major breaches of the GDPR.

The first concerns the duration of data retention. For the authority, keeping the data of customer accounts that had carried out transactions on the site for a period of 10 years was not sufficiently justified. Among the data retained, PAP kept the last name, first name(s), telephone number and email address of these customers.

Worse still, PAP had announced that it would keep the data of customers using the site's free features for a shorter period, exactly 5 years. But the CNIL found that the company kept it well beyond this period.

Poor security, which exposed PAP to the risk of leaks and cyberattacks

Another breach noted concerned the confidentiality policy, considered "incomplete and imprecise" by the CNIL. For example, PAP did not state the correct data retention periods and did not provide users with sufficient information on their right to lodge a complaint with the CNIL, among other things.

The De Particulier à Particulier site had also concluded a contract with a subcontractor for the processing of personal data which did not include the information required by the GDPR. This was its third violation.

Finally, the CNIL considered that PAP did not protect user data well enough. "The site's user account password complexity rules were insufficiently robust," the authority underlines. It also pointed out that user passwords were stored in plain text, alongside the corresponding email addresses and identifiers. The company was thus directly exposed to the risk of leaks and cyberattacks. But the CNIL has now stepped in.

Source : CNIL
