Reassuringly dull cyber security | e: info@normcyber.com | t: +44 (0) 203 855 6215

Multiple GDPR violations lead to €250,000 fine


The French data protection authority has imposed a €250,000 fine on a company for multiple violations of the GDPR.

In particular, the company breached the GDPR by:

  • retaining data for longer than was necessary
  • failing to provide privacy information (i.e. have an appropriate privacy policy) and
  • not taking adequate measures to ensure the security of data.

Retaining data for longer than was necessary

For the purposes of processing data for employee training and fraud prevention, the company permanently kept recordings of telephone calls with customer service employees.

In addition, the company:

  • had not set up a retention period for customer and prospect data, and also did not regularly erase and archive personal data
  • retained, for a period exceeding five years, names and passwords in a non-anonymised form to enable customers to re-use their account

Failing to provide privacy information

Customers and employees were misinformed about the legal bases for the data processing and had not been adequately informed about the purpose behind the processing, the recipients of the data, the data retention period, and their rights.

Not taking adequate measures to ensure the security of data

The company had not used adequately strong passwords for accessing customer accounts.


This substantial fine for multiple violations of the GDPR shows that regulators have little sympathy for companies that do not understand or take seriously their data protection obligations and responsibilities.

If your organisation is looking to comply with the requirements of the GDPR then take a look at how our CSaaS and DPaaS solutions can help.
