Legal development

CNIL fined PAP €100,000 for data retention and security failures

Insight Hero Image

    On the 31st of January 2024, the CNIL fined De Particulier à Particulier ("PAP"), the publisher of the real estate advertisements website, €100,000 after conducting two investigations which revealed the following violations of the General Data Protection Regulation ("GDPR"): 

    1. Failure to comply with the obligation to retain data for a period limited to the intended purpose (Article 5.1.e GDPR) as PAP retained personal data beyond the stated retention period and beyond what was necessary for the stated purpose . Indeed, PAP implemented a ten-year retention period for data associated with certain customer accounts utilising the site's paid services, without justification provided by the provisions of the Consumer Code. Moreover, PAP set a five-year retention period from the last account connection for free usage on the website but neglected to enforce this duration in practice. The retained data encompassed users' personal information, including their names, email addresses, and telephone numbers.

    2. Failure to comply with the obligation to sufficiently inform data subjects when personal data was collected from them (Article 13 GDPR) as PAP operated an incomplete and imprecise privacy policy. Indeed, PAP's privacy policy: 

    • failed to provide explanations relating to the legal bases indicated, 
    • failed to specify the categories of processors that received personal data from PAP,
    • failed to indicate the right to lodge a complaint with the CNIL, and 
    • mentioned inaccurate data retention periods.

    3. Failure to comply with the obligation to provide a legal framework for processing carried out on behalf of the data controller (Article 28 GDPR) as data processing agreements between PAP and data processors did not include information required by the GDPR such as the duration, nature, and purpose of processing. 

    4. Failure to ensure the security of personal data (Article 32 GDPR) as PAP neglected to uphold adequate technical and organisational measures to ensure a level of security commensurate with the associated risks. For example, the composition of passwords were deemed insufficiently robust, user account passwords were stored in an unencrypted format and data relating to inactive user accounts were stored unsorted. The CNIL found that these security shortcomings heightened the vulnerability of the data to risks of cyber-attacks and leaks.

    In light of the aforementioned breaches, the CNIL imposed a €100,000 fine upon PAP. This fine was notably issued in cooperation with other European supervisory authorities due to the fact that PAP's website attracts visitors from several EU member states as well as Norway.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.


    Stay ahead with our business insights, updates and podcasts

    Sign-up to select your areas of interest