Individuals having difficulties in obtaining responses to their personal data subject access requests (DSAR) from French telephone operator Free Mobile filed several complaints before the Frenchdata protection authority (CNIL). These requests related to accessing their personal data and objecting to receiving direct marketing messages by electronic means. After its investigations, the CNIL imposed a fine of €300,000 against Free Mobile on 28 December 2021.
The CNIL charged Free Mobile with four grounds of breach of the General Data Protection Regulation (EU) 2016/679 (GDPR):
- failure to comply with the right of access of data subjects regarding their personal data (Articles 12 and 15 GDPR), since Free Mobile did not respond to the requests made by the claimants within the 30-day time limit;
- failure to comply with the right to object of the data subjects (Articles 12 and 21 GDPR), since Free Mobile did not take into account the requests of the claimants to cease sending them direct marketing communications;
- breach of the obligation to protect data by design (Article 25 GDPR), as Free Mobile kept invoicing claimants for telephone services despite their subscription being cancelled; and
- breach of the obligation to ensure the security of personal data (Article 32 GDPR), since Free Mobile communicated by unsecured emails the users’ passwords in clear text when they subscribed to Free Mobile’s services (these passwords being non-temporary and Free Mobile not requiring them to be changed).
The CNIL also decided to make the sanction public. Free Mobile argued that such publicity would be disproportionate considering the severity of the breaches, the low number of complaints (seven), and that it would irreversibly damage its reputation.
Nevertheless, the CNIL chose to publish the sanction, justifying its actions by the need to reiterate the importance of responding to data subjects’ access requests within the relevant timeline (usually 30 days) and with all the relevant and required information (Article 13 and 14 GDPR), and ensuring the security of users’ personal data.
In January 2020, the Dutch Supervisory Authority set the precedent on the importance of the GDPR principle of data minimization, especially when data subjects exercise their right through DSAR. According to such principle, controllers must not collect data that is unnecessary for the purpose of the processing.
Under this obligation, the Dutch Supervisory Authority fined media company Sanoma Media Netherlands B.V. on the ground that it conditioned DSAR to first upload a full copy of an identity document. However, this supervisory authority considered that such practice made it overly complicated for customers to access their data or have their data deleted, and that the media company collected unnecessary personal data in view of the request submitted by the data subject.
As GDPR approaches its fourth anniversary, it is becoming clear that on the one hand, data subjects have acquired the awareness necessary to exercise their rights and, on the other hand, data controllers must implement effective channels and internal process to handle DSAR properly, effectively, in a timely manner, and in a way that would not, in turn, generate its own set of breaches of GDPR.