FREE MOBILE fined €300,000
The CNIL imposed a fine of €300,000 on FREE MOBILE, in particular for failing to respect the rights of individuals and to ensure the security of its users' data.
The CNIL has received many complaints concerning the difficulties encountered by individuals in having responses to their requests for access and to object to receiving commercial prospecting messages from the French mobile telephone operator FREE MOBILE.
On-site and document-based investigations revealed breaches of the rights of data subjects (right of access and right to object), the obligation to protect data by design and the obligation to ensure data security (transmission of passwords in clear text by e-mail).
As a result, the restricted committee - the CNIL body responsible for issuing sanctions - imposed a fine of €300,000 on FREE MOBILE.
This fine takes into account the size and the financial situation of the company. Its publicity is justified by the need to reiterate the importance of responding to requests for exercising the data subject's rights and ensuring the security of users' data.
The CNIL retained four breaches of the GDPR against the company FREE MOBILE:
- a failure to respect the right of access of individuals regarding their personal data (Art. 12 and 15 of the GDPR), since the company did not respond to the requests made by the complainants within the time limits;
- a failure to respect the right to object of the persons concerned (Art. 12 and 21 of the GDPR), since the company did not take into account the requests of the complainants that no more commercial prospecting messages be sent to them;
- a breach of the obligation to protect data by design (Art. 25 of the GDPR), as the company continued to send invoices to complainants for telephone lines whose subscription had been cancelled;
- a breach of the obligation to ensure the security of personal data (Art. 32 of the GDPR), since the company transmitted by email, in clear text, the passwords of users when they subscribed to an offer with FREE MOBILE, without these passwords being temporary and the company requiring them to be changed.