Understanding the PAP penalty and the key lessons risk managers can learn to stay ahead of GDPR and data security concerns

The French National Commission for Information Technology and Liberties (CNIL) has imposed a penalty of 100,000 euros on PAP, publisher of the pap.fr (De Particulier à Particulier) website.

The fine was issued because the company failed to comply with its obligations regarding data retention periods and data security.

Background to the fine

PAP is a company that publishes the pap.fr website, enabling individuals to consult and publish real estate advertisements.

In March and April 2022, CNIL carried out two investigations into the company.

Its investigations revealed breaches concerning data retention periods, the provision of information to individuals, the framework for relations between PAP and a processor and data security.

As a result, the restricted committee - the CNIL body responsible for imposing sanctions - imposed a fine of 100,000 euros on the company for breaches of the General Data Protection Regulation (GDPR).

This fine was issued in cooperation with the relevant European supervisory authorities as part of the one-stop shop, as PAP’s website has visitors in several EU member states as well as Norway.

The amount of this fine was determined in light of the breaches identified, the company’s cooperation and the measures it took during the procedure to remedy certain of the breaches of which it was accused.

Breaches sanctioned

Failure to comply with the obligation to retain data for a period limited to the intended purpose (Article 5.1.e of the GDPR)

The company had set a retention period of ten years for data of certain customer accounts that used the site’s paid services, without this period being justified by the provisions of the Consumer Code that the company was relying on.

The data in question included ad content, customers’ first and last names, telephone numbers and e-mail addresses. The company had also set a five-year retention period for data relating to users of the site’s free services, but failed to apply it, since it retained data for longer periods.

Failure to comply with the obligation to inform individuals (Article 13 of the GDPR)

On its website, the company informed individuals by means of an incomplete and imprecise privacy policy:

  • by failing to provide explanations relating to the legal bases indicated,
  • by failing to specify the categories or processors with which it dealt,
  • by failing to indicate the right to lodge a complaint with the CNIL,
  • by mentioning inaccurate data retention periods.

Failure to comply with the obligation to provide a legal framework for processing carried out on behalf of the data controller (Article 28 of the GDPR)

A contract concluded between the company and a processor did not include the information required by the GDPR.

Failure to ensure the security of personal data (Article 32 of the GDPR)

The rules governing the complexity of passwords for site user accounts were insufficiently robust. The same was true of the confidential credentials that the company sent, after a real estate ad had been placed on the site, to users who did not have an account so that they could access that ad.

Furthermore, the unencrypted storage of user account passwords (associated with their IDs and e-mail addresses) and confidential references (associated with a personal space) did not guarantee data security.

Finally, all data relating to inactive user accounts was stored unsorted. These security shortcomings exposed the data to risks of computer attacks and leaks.
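The storage findings above can be illustrated with a short added example, which is not code from PAP or the CNIL decision: it replaces a plaintext password field with a salted scrypt hash and issues a random access reference of which only a digest is stored. The choice of scrypt, its cost parameters, the field names and the sample row are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters: assumed values for this example, tune for your hardware.
N, R, P = 2**14, 8, 1

def hash_password(password: str) -> str:
    """Salted scrypt hash, encoded as 'scrypt$<salt hex>$<digest hex>'."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False  # a plaintext or unknown-format value is never accepted
    salt, expected = bytes.fromhex(parts[1]), bytes.fromhex(parts[2])
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return hmac.compare_digest(digest, expected)  # constant-time comparison

def migrate_account(row: dict) -> dict:
    """Replace a legacy plaintext 'password' field with 'password_hash'."""
    migrated = {k: v for k, v in row.items() if k != "password"}
    if "password" in row:
        migrated["password_hash"] = hash_password(row["password"])
    return migrated

def issue_ad_reference() -> tuple[str, str]:
    """Random reference for a user without an account.
    Returns (value sent to the user, SHA-256 digest kept in the database)."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    return token, hashlib.sha256(token.encode()).hexdigest()

def check_ad_reference(token: str, stored_digest: str) -> bool:
    candidate = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(candidate, stored_digest)

# Constructed sample row in the state the decision describes: password in clear.
LEGACY_ROW = {"id": 1, "email": "user@example.org", "password": "Maison-2022!"}

if __name__ == "__main__":
    print(migrate_account(LEGACY_ROW))
```

A fast hash is acceptable for the access reference only because the value is long and random; user-chosen passwords need the slow, salted function.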

How companies can mitigate GDPR risks

To effectively manage cyber risks, it’s important to recognise that whilst technical measures and controls are essential, many cyber incidents typically come down to poor governance and inadequate preparation, and are magnified by the age and extent of data that many organisations are unnecessarily retaining.

Matthew Worsfold, a partner in Ashurst’s Risk Advisory practice, and Rachel Sexton, the head of the Risk Advisory Practice, said: “Whilst GDPR does not specify time periods for retention, organisations must be able to justify why they are still retaining data, which aside from the legal and regulatory requirements, many organisations fail to do.

“Fundamentally, much of this comes down to robust risk management which in itself is not new. It involves understanding the cyber risk profile, but importantly recognising how the move to digital heightens and changes this risk profile.”

Digital transformation programs will need to include considerations around new or improved data security and cyber controls, both technical and non-technical.

Finally, cyber risks need to be effectively governed, monitored and reported on, all the way up to the board.

Building better governance

Another foundational element of cyber risk management is data governance.

In today’s world, any organisation undertaking a large-scale digital transformation needs a fit-for-purpose data governance framework that has been designed and implemented effectively.

Worsfold and Sexton said: “As part of the implementation of the framework, businesses must have a clear understanding of what data they hold, the level of risk it carries, where it resides, what their legal obligations are in relation to data retention, whether they should be retaining that data, and whether they have the right controls to safeguard it.

“Given the increasing deployment of new platforms and technologies and the complexity of many IT environments, many business executives fall at the first hurdle. Undertaking a detailed data cataloguing and mapping starts with identifying key systems, and identifying the types of data that sit in those systems.”

Each data category will have a different retention period, for example a requirement to hold the data for the length of the customer relationship, which means deleting or archiving the data for a period after the relationship has ceased.

During the life of the customer relationship, data needs to be stored and managed in such a way that should a cyber breach occur, the data is secured through methods like encryption, masking, or access controls.