🇫🇷 Data accessible on a server

Subcontracting, Confidentiality & Security | 27/03/2025

Source: SAN 2021-20

🔒 Banking Data Left on a Server: Service Provider Fined €180,000 🔒

A payment service provider has been fined €180,000 by the CNIL for serious breaches of personal data protection regulations.

Details:

  • In 2015, the company reused personal data from its databases for internal testing purposes.
  • Data belonging to 12 million individuals remained stored on an unsecured server, freely accessible from the internet.
  • This situation persisted from 2015 to 2020, with no proper security procedures in place.

Identified Violations:

  1. Article 32 of the GDPR: Security of Processing
    • The data controller failed to implement measures to ensure:
      • Confidentiality
      • Integrity
      • Availability
      • Resilience of processing systems and services.
  2. Article 28(3) of the GDPR: Subprocessing Contracts
    • Subprocessing contracts were not properly formalized.
    • They lacked the necessary clauses to ensure subcontractors process personal data in compliance with the GDPR.
  3. Article 34 of the GDPR: Notification to Data Subjects
    • The data controller did not inform affected individuals about the data breach, despite the high risk to their rights and freedoms.

Audit and European Cooperation:

The CNIL conducted an inspection in 2020.
As individuals affected by the breach were located in several EU countries, the CNIL cooperated with supervisory authorities from:

  • Germany
  • Spain
  • Italy
  • The Netherlands

Consequences:

  • Administrative Fine: €180,000.
  • Public Decision: Significant impact on the company’s reputation.

🔧 Best Practices for GDPR Compliance

To avoid such penalties, companies should:

  • Ensure Data Security: Protect systems with appropriate technical and organizational measures.
  • Formalize Subprocessing Contracts: Include clear clauses ensuring subcontractors comply with GDPR requirements.
  • Notify Data Breaches: Promptly inform affected individuals when there is a risk to their rights and freedoms.
  • Limit Data Use: Avoid reusing personal data for internal testing without strict safeguards and guarantees.