
Company fined €250,000 for multiple GDPR violations, including data minimisation and retention


The French data protection authority has imposed a €250,000 fine on a company for violating multiple provisions of the GDPR.

In particular, the company breached the GDPR by

  • retaining data for longer than was necessary
  • failing to provide privacy information (i.e. failing to have an appropriate privacy policy), and
  • not taking adequate measures to ensure the security of data.

Retaining data for longer than was necessary

For the purposes of processing data for employee training and fraud prevention, the company permanently kept recordings of telephone calls with customer service employees.

In addition, the company:

  • had not set up a retention period for customer and prospect data, and also did not regularly erase and archive personal data
  • retained, for a period exceeding five years, names and passwords in a non-anonymised form to enable customers to re-use their account

Failing to provide privacy information

Customers and employees were misinformed about the legal bases for the data processing and had not been adequately informed about the purpose behind the processing, the recipients of the data, the data retention period, and their rights.

Not taking adequate measures to ensure the security of data

The company had not used adequately strong passwords for accessing customer accounts.

Insight

This substantial fine shows that regulators have little sympathy for companies that do not understand, or do not take seriously, their data protection obligations and responsibilities.
