Electronic payment: CNIL fined NS CARDS FRANCE €105,000

11 janvier 2024

On 29 December 2023, the French Data Protection Authority (CNIL) fined NS CARDS FRANCE €105,000 for failing to comply with the rules on cookies and tracers and for several breaches of the GDPR relating to data retention periods, information to individuals and data security.

Background information

NS CARDS FRANCE is a company that publishes the neosurf.com website and the "Neosurf" mobile application that allows to pay online after registering with the service.

At the end of 2021, the CNIL carried out two inspections of the company. It found breaches concerning the time user account data was kept, the information provided to individuals, the security of data and the methods for depositing cookies and tracers on users' terminals.

As a result, the restricted committee - the CNIL body responsible for imposing penalties - has imposed two fines on NS CARDS FRANCE:

  • a fine for breaches of the General Data Protection Regulation (GDPR). This fine was imposed in cooperation with 17 of the CNIL's European counterparts as part of the one-stop shop, as the website has visitors in several EU Member States, as well as in Norway.
  • a fine for a breach relating to the use of cookies and tracers (article 82 of the French Data Protection Act). In this case, the CNIL is competent to act alone.

To determine the amount of the fines, the CNIL took into account the nature of the breaches, the negligence shown by the company, the categories of personal data (including bank details), the number of people concerned and the company's financial situation.

Breaches sanctioned

The CNIL found three breaches of the GDPR and a breach of the French Data Protection Act by NS CARDS FRANCE.

Failure to comply with the obligation to retain data for a period limited to the purpose for which it was collected (article 5.1.e of the GDPR)

The company had set a data retention period of ten years, after which user accounts were deactivated, but not deleted. Account data was therefore kept indefinitely.

In addition, the ten-year retention period was applied to all user accounts, without sorting the data to be retained, for instance in accordance with some rules of the consumer code.

Failure to comply with the obligation to inform individuals (Articles 12 and 13 of the GDPR)

Both on its website and on its mobile application, NS CARDS FRANCE informed people via an incomplete and obsolete privacy policy. In addition, this information was provided in English, whereas the company's target audience is mainly French-speaking.

Failure to comply with the obligation to ensure the security of personal data (Article 32 of the GDPR)

The password complexity rules for user accounts were insufficiently robust.

In addition, almost 50,000 passwords were stored unencrypted in the database, together with the e-mail address and ID of users.

Finally, regarding the passwords that were stored in hashed and salted form, the hash function used was obsolete (SHA-1).

This lack of security exposed account data to the risk of computer attacks or leaks.

Failure to comply with obligations relating to the use of cookies and trackers (article 82 of the French Data Protection Act)

The CNIL noted that Google Analytics cookies were deposited on users' terminals without their consent. However, since these cookies may contain advertising functionalities and, either way, enable the collection of data that may be used to maintain and protect the Analytics service, they may not be deposited on the user's terminal without their consent.

In addition, the company used a reCAPTCHA mechanism, provided by GOOGLE, when creating an account and when connecting to the website and mobile application. This mechanism works by collecting hardware and software information (such as device and application data). While the data collected was transmitted to GOOGLE for analysis, the company did not provide any information to the user and did not obtain their prior consent, either to access the information stored on their equipment or to write information on it.

The failure to obtain consent to deposit Google Analytics cookies affected every visitor to the website, i.e. several hundred thousand people. Similarly, the failure to obtain consent for the use of reCAPTCHA potentially affected each of the 700,000 account holders at the time of the investigations.