The French data protection authority Commission nationale de l'informatique et des libertés (CNIL) imposed a EUR 400,000 fine on French property management company Sergic.
The company was fined on 28 May 2019 for failing to comply with its obligations to keep personal data secure and to limit how long it is stored. This is the most significant financial penalty imposed on a French company for a data breach to date, representing close to 1% of the company's yearly turnover.
The investigation conducted by the CNIL on the Sergic website showed that any user could access documents and files stored by other users in their personal spaces simply by changing the URL displayed in the browser. These documents included copies of ID cards, death and marriage certificates and banking information, as well as very sensitive information such as copies of health cards and social insurance cards.
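The flaw the CNIL describes, a document reachable by anyone who guesses or edits its identifier in the URL, is what application security calls an insecure direct object reference (IDOR): the server trusts the identifier in the request and never checks that the logged-in user owns the object. The following example is added here for illustration and is not Sergic's code; the document store, the user names, the document IDs and the file names are all constructed. It shows the vulnerable lookup next to a hardened one, and the simple enumeration check a tester would run against both.

```python
"""Insecure direct object reference (IDOR) on a per-user document store.

Illustrative example, not Sergic's code. The document store, user names,
document IDs and file names below are constructed for the demonstration.
"""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised when no document is available to the requesting user."""


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    filename: str


# Constructed sample data: two users, each with files in their "personal space".
DOCUMENTS = {
    101: Document(101, "alice", "id_card.pdf"),
    102: Document(102, "alice", "bank_details.pdf"),
    103: Document(103, "bob", "health_card.pdf"),
}


def fetch_document_vulnerable(session_user: str, doc_id: int) -> Document:
    """Vulnerable handler: uses the ID taken from the URL as the only key and
    ignores the session user entirely. Editing /documents/102 into
    /documents/103 in the browser hands Alice Bob's health card."""
    try:
        return DOCUMENTS[doc_id]
    except KeyError:
        raise NotFound(doc_id) from None


def fetch_document(session_user: str, doc_id: int) -> Document:
    """Hardened handler: ownership is checked as part of the lookup, and a
    document belonging to someone else is reported exactly like a missing one,
    so the endpoint also cannot be used to learn which IDs exist."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        raise NotFound(doc_id)
    return doc


def leaked_documents(handler, session_user: str, id_range) -> list:
    """The check a tester runs: walk a range of IDs as one user and report
    every document the handler returns that belongs to somebody else."""
    leaked = []
    for doc_id in id_range:
        try:
            doc = handler(session_user, doc_id)
        except NotFound:
            continue
        if doc.owner != session_user:
            leaked.append(doc_id)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", leaked_documents(fetch_document_vulnerable, "alice", range(100, 110)))
    print("hardened:  ", leaked_documents(fetch_document, "alice", range(100, 110)))
```

The point of the hardened version is that the authorization decision lives in the same query that loads the record, not in a separate check that a new endpoint can forget to call; sequential integer identifiers make the vulnerable version trivially enumerable, which is exactly what "slightly changing the URL" exploits.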
Failure to keep personal data secure has become one of the most significant legal risks for French companies since the GDPR entered into force. The CNIL's recently published activity report states that it received 1,170 data breach notifications in 2018, compared to approximately 100 in 2017.