First GDPR Fine in Real Estate Sector by French CNIL

apartments 2
The French CNIL imposed a €400,000 fine on a company specialized in real estate development, purchase, sale, rental and property management, for failing to adequately protect the data of users of its website and for implementing inappropriate procedures for storing data.



The company operates a website on which users can create a file to apply for a rental and upload supporting documents. In August 2018, the CNIL received a complaint from a user who had been able to access, from his personal space on the website, documents registered by other users by slightly modifying the URL displayed in the browser. An online check was carried out in September 2018 by the CNIL and revealed that documents sent by applicants for rentals were freely accessible, without prior authentication. These documents included copies of ID, social security cards, tax returns,certificates issued by the family allowance fund,divorce judgments, account statements and bank account details.

The CNIL alerted the company of the existence of this security breach and subsequent violation of personal data. A few days later, the CNIL carried out an inspection at the company premises and discovered that the company had been aware of the issue since March 2018 but that, although it had initiated IT correction measures, it was not until 17 September 2018 that the issue was resolved.



The CNIL identified two violations of the GDPR: The company failed to fulfil its obligation to preserve the security of the personal data of its website users, in breach of Article 32 of the GDPR. The company had not put in place a procedure to authenticate users of its website to ensure that the persons accessing the documents were the ones who had uploaded them, a basic measure. This failure was aggravated, on the one hand, by the nature of the data made available and, on the other hand, by the company’s particular lack of diligence in correcting it: the security issue was only resolved six months later and no emergency measures were taken to limit the impact of the issue in the meantime.

The company kept the documents uploaded by candidates for an unlimited period of time.

The documents uploaded by candidates who were not selected for the accommodations they had applied for were kept for a duration that was longer than necessary for the purpose of the processing. The CNIL noted that once the purpose for processing is achieved (e.g., managing the candidacies), the data must be deleted – or at least  archived if it needs to be kept for compliance with legal obligations or for dispute management purposes in compliance.



Taking into account, on the one hand, the seriousness of the breach, the lack of diligence by the company in addressing the breach and the fact that the accessible documents revealed very private aspects of people’s lives, and on the other hand, the size of the company and its financial strength, the CNIL decided to impose a ¤400,000 fine on the company.

Although the CNIL has seemed rather lenient up until now with regard to GDPR compliance, giving only formal notices to comply with the legislation, this significant fine should be considered as a warning for companies.


For further information, please contact:

Partner, Head of Data and Cyber Security

T: +44 (0)20 3400 3207
M: +44 (0)7977 410922



T: +33 (0)1 44 17 77 25
M: +33 (0)6 13 77 41 27


Similar articles

Autonomous Ship

The future is here: Unmanned ships cross the oceans

It may still sound like science fiction to some, but remote controlled or autonomous ships are quickly becoming a reality in the maritime world, shifting the liability exposure of shipowners.

Oil and Gas Production

Where oil & gas contractors are left unprotected

The oil and gas industry presents a complex contractual “landscape” for all participating businesses, with long supply chains and, crucially from an insurance perspective, huge variations in the allocation of risk in relation to matters such as injury, property damage, pollution and financial loss.

Litigation privilege court ruling: what it could mean for internal investigations

Litigation privilege court ruling: what it could mean for internal investigations

By Anne Davies, Partner at Gunnercooke LLP, and Michael Lea, Head of Management Liability, Lockton Companies.


Why companies must face up to the risk of flooding

Businesses and insurers need to explore alternative measures to combat flood damage.