SERGIC was fined for non-compliance with the GDPR
The French company SERGIC, which specializes in the purchase, sale and rental of real estate, was fined 400,000 euros for non-compliance with the rules for storing the personal data of its clients.
In August 2018, the company received a complaint from one of its users, who, by simply manipulating a SERGIC URL, had gained access to the personal data of the real estate company's clients.
This fact not only confirmed the vulnerability of personal data relating to the privacy and economic activities of individuals, but also revealed another problem: the personal data stored by the company did not pass an authenticity check, so it could be false.
It was later discovered that the personal data stored by this company had been kept in its databases longer than was necessary for the purposes for which it was collected. This is permissible only when a longer storage period is necessary to comply with the law, or when the data is needed for use in court or during an investigation. In the absence of these factors, keeping personal data for a long time is forbidden as a violation of the GDPR.
CNIL, which is responsible for imposing sanctions, fined SERGIC 400,000 euros for violating three of the six principles for storing personal data provided for by the GDPR, since the company had known about the leak of personal data for more than a year but avoided dealing with the problem. However, such a soft sanction was applied in view of the economic turnover of the real estate company.