Data security and individual rights: FREE fined 300,000 euros | CNIL

On November 30, 2022, the CNIL imposed a penalty of 300,000 euros on FREE, in particular for not respecting the rights of individuals and the security of its users' data.

The CNIL received several complaints concerning the difficulties encountered by individuals in having their requests for access to and deletion of their personal data taken into account by the French phone operator FREE.

Investigations revealed several infringements, in particular regarding the rights of data subjects (right of access and right to erasure) and data security (weak passwords, storage and transmission of passwords in clear text, return into circulation of approximately 4,100 poorly reconditioned Freeboxes).

As a result, the restricted committee, the CNIL's body in charge of issuing sanctions, imposed a fine of 300,000 euros on FREE and decided to make its decision public. It also ordered the company to comply with its obligations regarding the management of requests of access by individuals and to justify its compliance within three months of the notification of the decision, subject to a penalty payment of 500 euros for each day overdue.

This sanction takes into account the nature and seriousness of the infringements, the categories of personal data concerned by these breaches, and the size and financial situation of the company. Its publicity is justified by the need to recall the importance of dealing with the rights of individuals and of securing users' data.

The CNIL found four breaches of the GDPR by FREE:

A failure to respect the right of access of individuals to data concerning them (Art. 12 and 15 of the GDPR), as the company did not respond to the complainants' requests in time or gave them an incomplete answer regarding the source of their data.

A failure to respect the right to erasure of individuals (Art. 12 and 21 of the GDPR), as the company did not process the complainants' requests in time.

A failure to ensure the security of personal data (Art. 32 of the GDPR), since

A failure to comply with the obligation to document a personal data breach (Art. 33 of the GDPR), since the documentation established did not allow to be aware of all the measures taken to remedy the incident relating to the reconditioning of the Freeboxes.

The CNIL's restricted committee issued an order to comply with the right of access. The restricted committee considered that the company had taken measures during the procedure to comply with all the other breaches identified.