On December 28, 2021, the CNIL fined Slimpay 180,000 euros for insufficiently protecting its users' personal data and failing to inform them of a data breach.
Several shortcomings noted by CNIL
Founded in 2009, Slimpay is the European leader in recurring payments. The fintech offers technologies and services designed to facilitate customer acquisition and maximize merchant sales through card payments and direct debits. Already established in Paris and Madrid, the company aims to expand geographically by reinventing the recurring payment process.
In 2015, Slimpay carried out an "internal research project" on an anti-fraud mechanism, during which it used the personal data of its customers. The project ended a year later, and the data remained stored on a server freely accessible from the Internet.
During an inspection, the CNIL established that these data included "the civil status (title, surname, first name), postal and e-mail addresses, telephone numbers and bank details (BIC/IBAN) of over 12 million people" in several European Union countries.
More specifically, the Commission found three main shortcomings.
Failure to comply with the obligation to supervise processing entrusted to a subcontractor
Slimpay's contracts with its service providers did not all contain clauses guaranteeing that the latter would undertake to process personal data in accordance with the GDPR.
Failure to ensure the security of personal data
The CNIL was able to establish that access to the server on which customers' personal data was stored had not been subject to any particular security measures. This breach of Article 32 of the GDPR was upheld even in the absence of any proven harm to the users concerned.
Failure to notify customers of a personal data breach
Finally, the CNIL considered that, given the nature of the personal data, the number of people concerned and the possibility of identifying them through the breach using accessible data, the company should have informed its customers.
A 180,000 euro fine
Having identified a number of breaches concerning the processing of Slimpay customers' personal data, the CNIL's "formation restreinte" - the body responsible for imposing sanctions - fined the company 180,000 euros and decided to make its decision public. This decision was taken in cooperation with the Dutch, German, Spanish and Italian authorities, to take account of the fact that the people affected by the data breach are located in several European Union countries.
This sanction comes at a time when the CNIL has recently confirmed its intention to step up its surveillance of payment service providers. To this end, last October it published a white paper entitled "When trust pays", which warns of the risks posed by these players to the protection of personal data.