The French data protection authority (CNIL) recently announced, in its decision against Optical Center, a French retailer of eyewear and other optical products, that the company was fined €50,000 for violations related to the security and confidentiality of its customers’ personal data. The fine is based on the CNIL’s audit of the company’s processing activities.
Following a complaint, an initial audit was carried out which showed that Optical Center did not secure (i) the homepage on which web users log into their online accounts or (ii) the web page on which users change their passwords. The audit also found that Optical Center (iii) failed to respect its employees’ privacy and (iv) did not implement a proper data processor agreement with its service providers (i.e. the agreement neither imposed specific data security obligations on the service provider nor specified that the service provider could act only on Optical Center’s instructions). The fine is a result of the company’s failure to comply with the CNIL’s first formal notice, which ordered it to remedy the customer-related violations within 30 days.
TIP: As mentioned above, in addition to finding that the homepage and the password-change page were not secure enough, the CNIL also found that the company did not foster respect for its employees’ privacy. If you are a company operating in France, you need to make sure that (i) you require strong passwords, (ii) you have a password management policy for accessing your employees’ workstations, (iii) said workstations are automatically locked in the event of inactivity, and (iv) access to the Internet from the back office is secure.