- Date of final decision: 30 November 2022
- Cross-border case or national case: National case
- Controller: FREE
- Legal Reference: right of access (Article 15 of the GDPR), right to erasure (Articles 12 and 21 of the GDPR), obligation to secure personal data (Article 32 of the GDPR), obligation to document a personal data breach (Article 33 of the GDPR)
- Decision: infringement of the GDPR, Administrative fine, order to comply with periodic penalty payments
- Key words: rights of individuals, passwords, data breach, security
Summary of the Decision
Origin of the case
The CNIL, the French Supervisory Authority (SA), received several complaints about the difficulties individuals encountered in having their requests for access to and deletion of their personal data taken into account by the French phone operator FREE.
- Failure to respect the right of access of individuals (Article 15 of the GDPR)
- Failure to respect individuals' right to erasure (Articles 12 and 21 of the GDPR)
- Failure to ensure the security of personal data (Article 32 of the GDPR)
- Failure to comply with the obligation to document a personal data breach (Article 33 of the GDPR)
As a result, the restricted committee - the CNIL's body in charge of issuing sanctions - imposed a fine of 300,000 euros on FREE and decided to make its decision public. It also ordered the company to bring its handling of individuals' access requests into compliance and to demonstrate that compliance within three months of the notification of the decision, subject to a penalty payment of 500 euros for each day overdue.
Further information: link to decision in national language
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.