Data security and real estate
Real Estate & Personal Data: €400,000 Fine
CNIL Decision – May 28, 2019 (Ref: 2019-995)
A security breach + excessive data retention = double GDPR violation
Context:
In 2019, a company specializing in rental management was fined €400,000 for two major GDPR breaches:
1. Inadequate security (Art. 32 GDPR)
A technical flaw allowed access to 290,000 confidential documents simply by modifying the URL.
Result: Unauthorized access to ID cards, bank details, divorce judgments, CAF attestations, etc.
No access control, no filtering, and no emergency measures taken after the breach was discovered.
29,440 people affected
2. Excessive data retention (Art. 5-1.e GDPR)
The company retained all supporting documents for 6 years, even for unsuccessful applicants.
Aggravating factors:
• No authentication on the online portal
• Lack of responsiveness despite being alerted
• High sensitivity of the data exposed
• No secure archiving safeguards
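
The access-control gap described under point 1, shown as an added example (not code from the CNIL decision or from the company's portal): a document handler that trusts the identifier in the URL, next to one that authenticates the session and checks ownership per document. All names, identifiers and sample records are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample store: document id -> (owner account, description).
DOCUMENTS = {
    1001: ("alice", "ID card"),
    1002: ("bob", "bank details"),
    1003: ("bob", "divorce judgment"),
}

# Constructed session table: session token -> authenticated account.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


@dataclass
class Response:
    status: int
    body: str = ""


def fetch_unprotected(doc_id: int) -> Response:
    """Flawed pattern: the id taken from the URL is the only thing checked."""
    doc = DOCUMENTS.get(doc_id)
    return Response(200, doc[1]) if doc else Response(404)


def fetch_protected(doc_id: int, session_token: str | None) -> Response:
    """Hardened pattern: authenticate first, then authorize per document."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        return Response(401)  # no valid session: refuse before any lookup
    doc = DOCUMENTS.get(doc_id)
    # Same 404 for "missing" and "not yours", so ids cannot be probed.
    if doc is None or doc[0] != user:
        return Response(404)
    return Response(200, doc[1])


def exposed_ids(handler, candidate_ids, *args) -> list[int]:
    """Regression check: which ids does a handler serve to this caller?"""
    return [i for i in candidate_ids if handler(i, *args).status == 200]


if __name__ == "__main__":
    ids = range(1000, 1005)
    print("unprotected, anonymous:", exposed_ids(fetch_unprotected, ids))
    print("protected, anonymous:  ", exposed_ids(fetch_protected, ids, None))
    print("protected, as alice:   ", exposed_ids(fetch_protected, ids, "tok-alice"))
```

Running `exposed_ids` against a portal's own handlers in a test suite catches the regression where a new endpoint serves documents without the ownership check.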