Significant increase in GDPR sanctions issued by the French control authority

Under GDPR, significant increase in sanctions issued by the French control authority as shown by the €400.000 fine ruled against Sergic


Article published in the review Expertises, July-August 2019 :

On May 25, 2018, GDPR came into effect. Since then, apart from the emblematic decision against Google LLC of €50 million, few sanctions have been imposed by the French regulator (the CNIL) on the basis of GDPR, because most of the decisions issued after May 25 dealt with earlier facts and were submitted to prior data protection legislation.

The decision of 28 May 2019 which imposes a €400,000 fine on the real estate management company SERGIC, on the basis of a breach of security, of confidentiality and of the obligation to keep data for a proportionate period of time, is therefore of particular interest.

On the one hand, it enables to measure the scope of the new obligation of security established by article 32 of GDPR and to compare it to the security obligation previously weighing on controllers. On the other hand, it provides an assessment of fines imposed under GDPR as compared to those imposed under the pre-GDPR legislation for the same type of breach. Indeed, this penalty is the double or even the triple of the average fine imposed under prior data protection legislation by the CNIL for comparable breaches.

1. The Facts

Sergic collects, through its website, the documents it requires from applicants to property rentals. After receiving a complaint from a user, the CNIL conducts an online check. It is able to access more than 900,000 documents due to a security breach. Among these were highly sensitive data such as Bank Identity Statements or social security ID cards.

2. The security obligation, a best effort obligation?

The main sanctioned breach is the lack of security. As a reminder, Article 32 of the RGPD provides that:

“Given the nature of processing as well as (…) the risks (…) for the rights and freedoms of natural persons (…) the controller and the processor implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (…).”

The regulator considered that the lack of authentication procedure was an essential precaution that would have significantly reduced the risk of data breach occurrence.

Some consider that if the security requirement under prior law imposed a best effort obligation, article 32 of GDPR now imposes a reinforced security obligation. This has to do with the burden of proof. There are two different analysis of the nature of the controller’s obligation. If, in order to escape liability, it is required to prove the absence of any breach on its part or else the existence of a third party’s fault, it is subject to an obligation of fixed result. If, on the contrary it only needs to prove it has implemented state-of-the-art measures, as was the case under the previous law, it is bound by a best effort obligation.

In Sergic case, the CNIL points out that the breach of the security obligation is worsened by the sensitive type of data made available and by the lack of appropriate security measures in relation to such type of data.

This seems to confirm the position of the doctrine which leans towards a reinforced best effort obligation of security, which is an in-between.


3. A significant increase in the amount of sanctions imposed under GPDR

By way of comparison, the decisions issued in recent months on the basis of breaches to a security obligation are the following.

Under pre-GDPR law:

  • July 19 2017, Hertz receives a €40,000 fine
  • January 8, 2018, Darty is fined €100,000
  • May 7 2018, Optical Center is fined $250,000

Under GDPR, on October 2018 the Portuguese supervisory authority imposes a €400.000 fine to the Barreiro hospital.

We are witnessing the confirmation of a trend by supervisory authorities across Europe towards an increase in the amount of sanctions. However, the ceiling set at 2% or 4% of the group annual turnover has not been reached yet.

Florence Ivanier,
Partner Attorney, Member of the Paris Bar, Data Protection Officer
Aurele IT Law Firm