FREE MOBILE: Insufficient technical and organisational measures to ensure information security

The French DPA has imposed a fine of EUR 27,000,000 on FREE MOBILE. The controller suffered a data breach due to insufficient technical and organisational measures. This was caused by using an inadequate authentication procedure to connect to their VPN for remote working. Additionally, the controller failed to adequately inform the affected data subjects due to necessary information being missing from the information email. Lastly, the controller failed to adequately sort data and retain personal data for a limited amount of time.

GDPR Articles: Art. 5 (1) e) GDPR, Art. 32 GDPR
Industry: Media, Telecoms and Broadcasting