DISCORD INC.: Non-compliance with general data processing principles

The French DPA has imposed a fine of EUR 800,000 on DISCORD INC.. DISCORD offers an online communication service through which users can chat or make video calls. During its investigation, the DPA found that the company had failed to establish and also comply with a data retention period appropriate to the purpose of the processing. For example, there were over two million accounts within the DISCORD database of French users who had not used their account for more than three years and approximately 50,000 accounts that had not been used for more than five years. Further, the DPA noted that the company did not have complete information regarding retention periods. Also, the DPA found that the company had failed to ensure data protection by default, contrary to the obligation under Art. 25 (2) GDPR. Thus, it was possible for user data to be transmitted even after the communication application was closed. The DPA also found that the company had failed to sufficiently ensure the security of personal data by accepting insecure passwords from users. The company accepted user passwords that consisted of six characters containing only letters and numbers. Finally, the DPA found that the company had failed to conduct a data protection impact assessment.

GDPR Articles: Art. 5 (1) e) GDPR, Art. 13 GDPR, Art. 25 (2) GDPR, Art. 32 GDPR, Art. 35 GDPR
Industry: Media, Telecoms and Broadcasting