Real estate company handed a €400,000 fine by the French data protection regulator, CNIL, for insufficiently protecting the data of the users of its website.

SERGIC specialises in real estate development, buying, selling, renting and property management, and its website allows users to upload the supporting documents needed to manage their services.

In August 2018, CNIL received a complaint from a user of the site stating that they could access documents saved by other users by slightly modifying the URL displayed in the browser.

An online check conducted on 7th September 2018 found that documents submitted by rental applicants were freely accessible, without prior authentication. These documents included copies of identity cards, carte vitale health insurance cards, tax notices, certificates issued by the family allowance fund, divorce decrees, bank account statements and bank account details.

CNIL conducted an investigation and discovered a lack of security. A few days later, an on-site inspection was carried out and it became apparent that the company had been aware of the vulnerability since March 2018.

On the basis of the investigations carried out, the Restricted Committee (formation restreinte), the CNIL body responsible for imposing sanctions, found two breaches of the General Data Protection Regulation (GDPR).

First of all, SERGIC failed in its obligation to preserve the security of the personal data of the users of its site, because it had no user authentication procedure to ensure that the people accessing the documents were the ones who had uploaded them, even though this was an elementary measure to be expected. This failure was aggravated by the nature of the data made available, and by the particular lack of diligence of the company.
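As an added illustration (not SERGIC's code, which is not shown here), the following Python models a document-download endpoint with the flaw the complaint describes, next to a hardened version that ties every download to an authenticated session and to the account that uploaded the file. The applicant names, document ids and document store are constructed for the example.

```python
# Added example (not SERGIC's code): a document-download handler modelled on
# the flaw described above, beside a hardened version. Names and data are
# constructed sample values.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Document:
    doc_id: str      # value that appears in the download URL
    owner_id: str    # account that uploaded the document
    content: bytes


# Constructed sample store with sequential ids, so a document belonging to
# another applicant is reachable by changing one digit in the URL.
DOCS = {
    "1001": Document("1001", "applicant-a", b"ID card scan of applicant A"),
    "1002": Document("1002", "applicant-b", b"tax notice of applicant B"),
}


class Unauthorized(Exception):
    """No authenticated session."""


class Forbidden(Exception):
    """Authenticated, but not the owner (or no such document)."""


def download_vulnerable(doc_id: str) -> bytes:
    """The flaw in the article: the URL alone decides what is served.
    Nothing ties the request to a logged-in user or to the uploader."""
    return DOCS[doc_id].content


def download_hardened(session_user: Optional[str], doc_id: str) -> bytes:
    """Require a session, then check that the caller owns the document.
    The ownership check runs on every request; an unguessable id would
    only complement it, never replace it."""
    if session_user is None:
        raise Unauthorized("login required")
    doc = DOCS.get(doc_id)
    # Same outcome for "not yours" and "does not exist", so the response
    # does not reveal which ids are valid.
    if doc is None or doc.owner_id != session_user:
        raise Forbidden("document not available to this account")
    return doc.content
```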

CNIL fined the firm €400,000 and published the details of the sanction. CNIL considered the seriousness of the breach, the firm's lack of diligence in addressing the vulnerability, and the fact that the accessible documents revealed very intimate aspects of people's lives. However, it also took into account the size of the company and its financial situation.

If you're not sure how you should be managing your customers' online accounts, we're here to help. For more information on our data protection solutions, see