Data breach: SLIMPAY fined €180,000

30 December 2021

On December 28, 2021, the CNIL's restricted committee issued SLIMPAY a fine of €180,000 for insufficiently protecting users' personal data and failing to inform them of a data breach.

Investigation and sanction of the CNIL

SLIMPAY is an authorised payment institution that offers recurring payment solutions to its customers. During 2015, it conducted an internal research project, during which it processed personal data contained in its databases. When the research project ended in July 2016, the data remained stored on a server, without any security procedures and freely accessible from the Internet. SLIMPAY wasn’t aware of the data breach, which affected approximately 12 million people, until February 2020.

The CNIL carried out an investigation into SLIMPAY in 2020. It found several breaches concerning the processing of customers' personal data.

On the basis of these elements, the restricted committee, the CNIL body responsible for issuing sanctions, considered that the company had indeed failed to comply with several GDPR requirements.

Since the data subjects concerned by the breach were located in several European Union countries, the CNIL cooperated with the supervisory authorities of four countries (Germany, Spain, Italy and the Netherlands).

At the end of this process, the restricted committee imposed a fine of €180,000 and decided to make its decision public.

The breaches

Failure to comply with the obligation to provide a formal legal framework for the processing operations carried out by a processor (Article 28 of the GDPR)

Some of the contracts concluded by SLIMPAY with its service providers do not contain all the clauses needed to ensure that these processors commit to processing personal data in compliance with the GDPR (Article 28-3 of the GDPR lists several obligations that must appear in the contracts). Some of the contracts do not contain any of these clauses at all.

Failure to ensure the security of personal data (Article 32 of the GDPR)

The restricted committee noted that access to the server was not subject to any security measures: it was possible to access it from the Internet between November 2015 and February 2020. The civil status data (name, surname, first name), postal and e-mail addresses, telephone numbers and bank details (BIC/IBAN) of more than 12 million people were compromised.

While the company defended itself by stating that the data was probably not used fraudulently, the CNIL still found a breach of Article 32 of the GDPR, considering that the absence of proven harm to data subjects has no effect on the existence of the security deficiency.

Failure to inform data subjects of a personal data breach (Article 34 of the GDPR)

The CNIL considered that, given the nature of the personal data (including bank details), the number of people affected (more than 12 million), the possibility of identifying the people affected by the breach from the accessible data and the possible consequences for the people concerned (risk of phishing or identity theft), the risk associated with the breach should be considered high. Therefore, the company should have informed all affected individuals, which it did not do.