Data retention period and data security: the CNIL fined PAP 100,000 euros

13 February 2024

On January 31, 2024, the CNIL imposed a penalty of 100,000 euros on PAP, publisher of the pap.fr (De Particulier à Particulier) website, notably for failing to comply with its obligations in terms of data retention periods and data security.

Information background

PAP is a company that publishes the pap.fr website, enabling individuals to consult and publish real estate advertisements.

In March and April 2022, CNIL carried out two investigations into the company. Its investigations revealed breaches concerning data retention periods, the provision of information to individuals, the framework for relations between PAP and a processor and data security.

As a result, the restricted committee - the CNIL body responsible for imposing sanctions - imposed a fine of 100,000 euros on the company for breaches of the General Data Protection Regulation (GDPR). This fine was issued in cooperation with the relevant European supervisory authorities* as part of the one-stop shop, as PAP's website has visitors in several EU member states as well as Norway.

The amount of this fine was determined in light of the breaches identified, the company's cooperation and the measures it took during the procedure to bring itself into compliance with certain breaches of which it was accused.

* Belgium, Spain, Portugal, Germany, Italy, the Netherlands, Ireland, Greece, Sweden, Austria, Finland, Denmark, Poland and Norway as a member of the European Economic Area.

Breaches sanctioned

Failure to comply with the obligation to retain data for a period limited to the intended purpose (Article 5.1.e of the GDPR)

The company had set a retention period of ten years for data of certain customer accounts that used the site's paid services, without this period being justified by the provisions of the Consumer Code that the company was relying on. The data in question included ad content, customers' first and last names, telephone numbers and e-mail addresses. The company had also set a five-year retention period for data relating to users of the site's free services, but failed to apply it, since it retained data for longer periods. 

Failure to comply with the obligation to inform individuals (Article 13 of the GDPR)

On its website, the company informed individuals by means of an incomplete and imprecise privacy policy:

- by failing to provide explanations relating to the legal bases indicated,

- by failing to specify the categories or processors with which it dealed,

- by failing to indicate the right to lodge a complaint with the CNIL,

- and by mentioning inaccurate data retention periods.

Failure to comply with the obligation to provide a legal framework for processing carried out on behalf of the data controller (Article 28 of the GDPR)

A contract concluded between the company and a processor did not include the information required by the GDPR.

Failure to ensure the security of personal data Article 32 of the GDPR)

The rules governing the complexity of passwords for site user accounts were insufficiently robust. It was also the case for the confidential credentials transmitted by the company, after a real estate ad had been placed on the site, to users who did not have an account in order to access that ad.

Furthermore, the unencrypted storage of user account passwords (associated with their IDs and e-mail addresses) and confidential references (associated with a personal space) did not guarantee data security.

Finally, all data relating to inactive user accounts was stored unsorted.

These security shortcomings exposed the data to risks of computer attacks and leaks.