The personal data of more than 1,000 recipients of the Gironde Family Allowances Fund (CAF) was published in March 2021 by a service provider. The information remained online for more than a year.
180 pieces of data per beneficiary were published in March 2021 by a service provider responsible for agent training. Although first and last names were not made public, other equally important personal data was put online. Household income, amounts and types of benefits, as well as dates of birth and addresses of beneficiaries were disclosed, making it possible to identify them.
The service provider, then in charge of providing training to agents, published the personal data contained in a file on its website, believing that the information provided for the training was purely fictitious. Once posted on the partner site, the file reportedly remained online and accessible to all for a year and a half, according to Radio France.
“When CAF gave me this data, I thought it was fictitious (…) we don’t need real data for training, just realistic data (…) these exercises could have been done with harmless datasets.”
The service provider had access to the recipients’ personal data in the first place because CAF forwarded it to him, which raises the question of the protection of personal data. For the association La Quadrature du Net, there is no justification for the Family Allowances Fund to transmit this sensitive information to private suppliers.
“This data transfer therefore seems to reveal (…) a feeling of ownership of our personal data by the managers, who seem to find it normal to transfer them without any reason to private service providers,” the association told 20 Minutes.
This incomprehension is shared by the recipients, most of whom are still unaware of the publication of their personal data, even after the revelations of Radio France journalists.
CAF sanctioned soon?
For Alexandra Iteanu, CAF has violated the General Data Protection Regulation (GDPR). “For a transfer of personal data to be lawful, it must be based on one of the six legal bases imposed by the GDPR: consent, contract, public interest mission, protection of vital interests, legitimate interest and legal obligation. CAF therefore did not have the right to communicate such data if it did not inform the interested parties in advance and obtain their consent,” she told franceinfo.
The recipients whose personal data has been disclosed could also be targets of identity theft. This is what Bastien Le Querrec fears, explaining to franceinfo that “The biggest risk is identity theft (…) there may also be malicious targeting. For example, we get a message saying ‘do this process for your child’ and we connect to a fraudulent platform.” This leak of recipients’ personal data could therefore have real consequences for them.
The CNIL, notified of a data breach, could sanction both the CAF and the private service provider for not complying with personal data protection law.