The French data protection authority (the CNIL) has imposed a €250,000 fine on a company for violating multiple provisions of the GDPR.
In particular, the company breached the GDPR by
- retaining data for longer than was necessary
- failing to provide adequate privacy information
- not taking adequate measures to ensure the security of data.
Retaining data for longer than was necessary
For the purposes of employee training and fraud prevention, the company kept recordings of telephone calls between customers and customer service employees indefinitely.
In addition, the company:
- had not set a retention period for customer and prospect data, and did not regularly erase or archive personal data
- retained, for more than five years, names and passwords in a non-anonymised form so that customers could re-use their accounts
Failing to provide privacy information
Customers and employees were misinformed about the legal bases for the data processing and had not been adequately informed of the purposes of the processing, the recipients of the data, the data retention period, and their rights.
Not taking adequate measures to ensure the security of data
The company did not enforce adequately strong passwords for access to customer accounts.
This substantial fine shows that regulators have little sympathy for companies that do not understand, or do not take seriously, their data protection obligations and responsibilities.