On December 28, 2021, the French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), imposed a €300,000 GDPR fine on FREE MOBILE for failing to provide appropriate security measures for the protection of personal data and to respect the rights of individuals.
After receiving multiple complaints from individuals about difficulties they had encountered when trying to exercise their GDPR rights (the right to access their personal data and the right to object to receiving commercial offers and messages), CNIL conducted an on-site investigation.
Results of the investigation
The investigation revealed that FREE MOBILE did not respond to data subject access requests within the legal time limit, thus violating Article 12 and Article 15, and that it failed to respect the right to object to processing (Article 12 and Article 21).
Additionally, CNIL discovered that the mobile operator continued to send invoices to individuals for subscriptions that had been canceled and did not implement the concept of data protection by design (Article 25).
The company also transmitted users’ passwords in clear text by email when users subscribed to an offer. These passwords were not temporary, and the company did not require users to change them.
Therefore, CNIL found this to be a violation of Article 32 and the obligation to ensure the security of personal data.
You can read the entire decision in French.