FREE SAS: Insufficient fulfilment of data subjects rights

The French DPA has imposed a fine of EUR 300,000 on FREE SAS. The DPA had received several complaints from individuals experiencing difficulties in exercising their rights to access and delete their personal data at FREE. During its investigation, the DPA found that the company did not process the requests for access and deletion of personal data in a timely manner. The DPA also found that the company failed to ensure the security of personal data. For example, the company allowed users to use insecure passwords and user passwords were stored unencrypted in the company's databases. Finally, the DPA found that the company had not adequately documented a data breach.

GDPR Articles: Art. 12 GDPR, Art. 15 GDPR, Art. 17 GDPR, Art. 32 GDPR, Art. 33 GDPR
Industry: Media, Telecoms and Broadcasting