*Reassuringly dull cyber security

Company fined €250,000 for multiple GDPR violations, including data minimisation and retention


The French data protection authority has imposed a €250,000 fine on a company for violating multiple provisions of the GDPR.

In particular, the company breached the GDPR by

  • retaining data for longer than was necessary
  • failing to provide privacy information (i.e. have an appropriate privacy policy) and
  • not taking adequate measures to ensure the security of data.

Retaining data for longer than was necessary

For the purposes of processing data for employee training and fraud prevention, the company permanently kept recordings of telephone calls with customer service Employees.

In addition the company;

  • had not set up a retention period for customer and prospect data, and also did not regularly erase and archive personal data
  • retained, for a period exceeding five years, names and passwords in a non-anonymised form to enable customers to re-use their account

Failing to provide privacy information

Customers and employees were misinformed about the legal bases for the data processing and had not been adequately informed about the purpose behind the processing, the recipients of the data, the data retention period, and their rights.

Not taking adequate measures to ensure the security of data.

The company had not used adequately strong passwords for accessing customer accounts.


This substantial fine shows that regulators have little sympathy for companies that do understand or take seriously their data protection obligations and responsibilities.

I’m thrilled to have signed off on the CSaaS offering.  I’m looking forward to having the most complete cyber security package for the mid-market and continuing our successful working relationship with norm.

Richard Taylor, CIO
Summit Therapeutics

CSaaS allows me to step away from multi-vendor management as the Security Operations Centre coordinates all of the technology for me.

David Vincent, CTO

The biggest factor was that they had a data protection lawyer in-house who worked for them, which meant there was someone we could directly go to with specific questions about the (GDPR) regulation.

Phil Everitt, Management Information Systems Manager
Leicester Tigers

We were in the market for an independent Data Protection Officer service that was well versed with both UK and EU regulators. We’re thrilled to have acquired this service knowing that an expert is available 24/7.

Suzanne McCabe, Head of Project Management
James Hambro & Partners

Norm’s penetration testing layer, along with the suite of CSaaS modules has enabled MA to exceed all its audit requirements for its major clients.

Rob Elisha, ICT and CRM Manager
Montreal Associates

The speed of your Data Protection Officer’s response was very impressive – it was far quicker than I would have expected even from an in-house DPO

Will Blake, Director of Technology and Analytics
CRU Group