June 16, 2018
Optical Center, a French retailer of eyewear and hearing aids, has been fined €250,000 for a data breach that occurred before the General Data Protection Regulation (GDPR) became applicable on May 25.
CNIL, the French data protection authority, imposed the penalty after the company failed to protect customer data on its website. In July 2017 it was found that customers' invoices could be retrieved with relative ease. These invoices contain personal data including first and last name, postal address and social security number, as well as health data such as the customer's ophthalmic correction.
Optical Center acknowledged that there was no procedure in place to verify a customer's identity before an invoice was served; in other words, the documents were handed out without any authentication or ownership check. Although the company fixed the fault in its IT systems, CNIL found that it had failed to comply with Article 34 of the French Data Protection Act, the obligation to secure personal data.
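The article does not say how Optical Center's invoice endpoint was built, so the following is an added, hypothetical illustration of the failure mode it describes (documents served by identifier with no check on who is asking) next to a hardened version that requires an authenticated session and verifies ownership server-side. The invoice records, identifiers and function names are constructed for the example and are not taken from the case.

```python
"""Hypothetical illustration of an unverified document-retrieval endpoint
(the class of fault described in the article) and a hardened equivalent.
Example code added by the editor; not Optical Center's implementation."""

from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int      # the customer the invoice belongs to
    body: str          # would hold name, address, SSN, correction, etc.


# Constructed sample data for the example (not real customers or invoices).
INVOICES: Dict[int, Invoice] = {
    1001: Invoice(1001, owner_id=1, body="invoice 1001 for customer 1"),
    1002: Invoice(1002, owner_id=2, body="invoice 1002 for customer 2"),
}


class AccessDenied(Exception):
    """Raised when a request must not be served."""


def get_invoice_insecure(invoice_id: int) -> str:
    """Vulnerable pattern: the document is looked up by its identifier
    alone. Whoever can guess or enumerate invoice_id receives it, with no
    authentication and no check that the invoice belongs to the caller."""
    return INVOICES[invoice_id].body


def get_invoice_secure(session_user_id: Optional[int], invoice_id: int) -> str:
    """Hardened pattern: refuse unauthenticated callers, then verify on the
    server that the requested invoice belongs to the authenticated user.
    The identifier supplied by the client is never trusted on its own."""
    if session_user_id is None:
        raise AccessDenied("authentication required")
    invoice = INVOICES.get(invoice_id)
    # Same response for "does not exist" and "belongs to someone else", so
    # an attacker sweeping identifiers cannot tell which invoices exist.
    if invoice is None or invoice.owner_id != session_user_id:
        raise AccessDenied("invoice not found")
    return invoice.body


def probe(fetch: Callable[[int], str], ids: Iterable[int]) -> List[int]:
    """Simulate an identifier sweep against a retrieval function and return
    the invoice ids that were actually handed out."""
    leaked: List[int] = []
    for invoice_id in ids:
        try:
            fetch(invoice_id)
            leaked.append(invoice_id)
        except (AccessDenied, KeyError):
            pass
    return leaked


if __name__ == "__main__":
    sweep = range(1000, 1010)
    print("insecure endpoint leaks:", probe(get_invoice_insecure, sweep))
    print("anonymous vs secure endpoint:",
          probe(lambda i: get_invoice_secure(None, i), sweep))
    print("customer 2 vs secure endpoint:",
          probe(lambda i: get_invoice_secure(2, i), sweep))
```

Sweeping a small identifier range is enough to show the difference: the insecure function returns every invoice that exists, while the hardened one returns nothing to an anonymous caller and only the caller's own invoice to an authenticated one. The ownership check has to live on the server; hiding the identifier in the URL or making it harder to guess does not replace it.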
This is the largest penalty for a data protection breach ever imposed in France. It is also the second time Optical Center has been fined for failing to protect personal data: in 2015 it was fined €50,000 for a separate breach. That earlier sanction was taken into account when setting the amount of the latest fine.
CNIL chose to publish the details of the breach and the fine, citing "the specific sensitivity of the data that was made easily available, the number of customers impacted and the number of documents held in the firm's database at the time of the occurrence (over 334,000)."
The fine was set under the French Data Protection Act, which caps penalties at €3,000,000. Had the breach fallen under GDPR, the maximum penalty could have been €20m or 4% of the company's annual worldwide turnover, whichever is higher.