Legal development

CNIL fined PAP €100,000 for data retention and security failures


    On the 31st of January 2024, the CNIL fined De Particulier à Particulier ("PAP"), the publisher of the real estate advertisements website pap.fr, €100,000 after conducting two investigations which revealed the following violations of the General Data Protection Regulation ("GDPR"): 

    1. Failure to comply with the obligation to retain data for a period limited to the intended purpose (Article 5.1.e GDPR), as PAP retained personal data beyond the stated retention period and beyond what was necessary for the stated purpose. Indeed, PAP implemented a ten-year retention period for data associated with certain customer accounts utilising the site's paid services, without justification provided by the provisions of the Consumer Code. Moreover, PAP set a five-year retention period from the last account connection for free usage of the website but neglected to enforce this duration in practice. The retained data encompassed users' personal information, including their names, email addresses, and telephone numbers.

    2. Failure to comply with the obligation to sufficiently inform data subjects when personal data was collected from them (Article 13 GDPR) as PAP operated an incomplete and imprecise privacy policy. Indeed, PAP's privacy policy: 

    • failed to provide explanations relating to the legal bases indicated, 
    • failed to specify the categories of processors that received personal data from PAP,
    • failed to indicate the right to lodge a complaint with the CNIL, and 
    • mentioned inaccurate data retention periods.

    3. Failure to comply with the obligation to provide a legal framework for processing carried out on behalf of the data controller (Article 28 GDPR) as data processing agreements between PAP and data processors did not include information required by the GDPR such as the duration, nature, and purpose of processing. 

    4. Failure to ensure the security of personal data (Article 32 GDPR), as PAP neglected to uphold adequate technical and organisational measures to ensure a level of security commensurate with the associated risks. For example, the composition of passwords was deemed insufficiently robust, user account passwords were stored in an unencrypted format, and data relating to inactive user accounts were stored unsorted. The CNIL found that these security shortcomings heightened the vulnerability of the data to risks of cyber-attacks and leaks.

    In light of the aforementioned breaches, the CNIL imposed a €100,000 fine upon PAP. This fine was notably issued in cooperation with other European supervisory authorities due to the fact that PAP's website attracts visitors from several EU member states as well as Norway.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.
