The French data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), imposed a combined €42 million fine on telecom operators Free and Free Mobile, both part of the Iliad Group, for serious violations of the General Data Protection Regulation (GDPR). The sanctions stem from a 2024 security incident that led to the compromise of personal data of more than 24 million individuals, including financial information such as IBANs.

According to CNIL, the companies breached the GDPR in three key respects: failure to implement appropriate technical and organizational measures to ensure data security, inadequate communication of the data breach to affected individuals, and non-compliance with data retention and deletion obligations. The decision emphasized the lack of basic security controls, including robust authentication for remote access and effective mechanisms to detect abnormal system behavior, as well as the unlawful retention of former subscribers’ data. The amount of the fines reflects both the sensitive nature of the data involved and the economic scale of the group, underscoring the strict enforcement approach adopted by European data protection authorities under the GDPR.
