Among the factors cited are the failure to implement a data retention policy and the controller's liability for a third-party data processing application with insufficient security.

On June 12, 2014, the French Data Protection Authority (the “CNIL”) issued a public warning to DHL for failure to limit access to client personal data via the Internet.

In February of this year, after being informed of a potential security breach, the CNIL conducted an on-site investigation that revealed 687,778 DHL client files had been indexed by a search engine and were thus freely available on the Internet. The files contained personal data, including client names, addresses, phone numbers and email addresses as well as specific information relating to deliveries.

Following the CNIL’s visit, DHL adopted specific measures to impede access to client data via the Internet. Nonetheless, the CNIL launched proceedings against DHL and in its June 12, 2014 decision, the CNIL stressed the following factors, some of which it considers as aggravating:

  • the clients’ personal information was very easily accessible because it had been indexed by search engines;
  • although DHL had been aware of an internal security breach since late 2013, it took no steps to verify the application’s security, which would have isolated the data leak;
  • the steps taken by DHL after the CNIL’s investigation were not sufficient to justify terminating sanction proceedings;
  • even though the leak was due to the application’s design by a third party, and not to DHL’s actions, DHL as data controller remained responsible for the security and confidentiality of the processed personal data;
  • DHL had no data retention policy, and some of the data leaked dated from 2007.