On November 13, 2015, the French Data Protection Authority (“CNIL”) announced its decision in a case against Optical Center, imposing a fine of €50,000 on the company for violations related to the security and confidentiality of its customers’ personal data.
Optical Center distributes optical products through its store network and its website, which holds 170,000 customer accounts in France. In July 2014, following a complaint, the CNIL audited the company’s data processing activities. On December 9, 2014, the CNIL served a formal notice on Optical Center, ordering it to cease its non-compliant activities within one month. Optical Center made representations indicating that it would partially comply. The CNIL subsequently conducted another inspection and confirmed that Optical Center was still not complying with its data security obligations. As a result, the CNIL imposed a significant fine on Optical Center and decided to make its decision public.
In its decision, the CNIL noted that Optical Center did not secure (1) the homepage on which web users log into their online accounts or (2) the web page on which users change their passwords. The CNIL also stated that (1) customer and employee passwords were not robust enough; (2) Optical Center did not implement a password management policy for accessing employee computer workstations; (3) employee workstations were not automatically locked in the event of prolonged inactivity; and (4) access from the Internet to the company’s back office was not secure. The CNIL concluded that, as a data controller, Optical Center failed to implement appropriate data security measures. In addition, the CNIL determined that Optical Center did not implement a proper data processor agreement with a service provider. In particular, the agreement with the service provider did not (1) specify that the service provider must act only on instructions from Optical Center, and (2) impose specific data security obligations on the service provider.