
Data leaks, record fines, and GDPR tips: everything you need to know this month!

As the year draws to a close, compliance takes no vacation. December saw a historic fine for LinkedIn, a huge data leak at Free, and a court ruling that redefines the rules of the game in terms of competition and GDPR.

But that's not all: we also share practical advice on how to manage a data leak, a reminder of the HR data retention periods to be aware of, and an overview of CNIL (National Commission for Information Technology and Civil Liberties) checks. And to end the year on a high note: a webinar not to be missed, an exclusive referral offer, and a healthy dose of useful insights.

On the program:

1. GDPR news of the month: new case law, non-compliance with GDPR is unfair competition

2. Penalty of the month: €310 million for LinkedIn for non-compliant advertising practices

3. The data leak that everyone is talking about: Data from 19 million Free subscribers on the dark web

4. The GDPR tip for effectively managing a data breach

5. The top 20 most commonly used passwords in France: are you on the list?

6. The CNIL (National Commission for Information Technology and Civil Liberties) monitoring campaign: mobile applications in the spotlight

7. The 4 HR data retention periods to remember (and apply)

8. You are invited to our next webinar on Artificial Intelligence

9. Have you seen our FAQ?

10. 15% (cumulative) off your subscription thanks to referrals

1. GDPR news of the month: new case law, non-compliance with GDPR is unfair competition

October 4, 2024 marks a key milestone: the Court of Justice of the European Union (CJEU) paves the way for unfair competition claims based on non-compliance with GDPR.

Why is this a turning point? In France, this possibility already existed, but it has now been validated at the European level.

What difference does this make? From now on, your competitors can take legal action if your non-compliance with the GDPR gives you an unfair advantage.

Key takeaway: failure to comply with the GDPR is unfair competition.

2. Penalty of the month: €310 million for LinkedIn for non-compliant advertising practices

Historic ruling: On October 24, 2024, LinkedIn was fined €310 million by the Irish Data Protection Commission (DPC) for:

  • Use of personal data for targeted advertising without explicit consent
  • Lack of transparency in explanations to users

A broader trend: This decision is part of a series of sanctions against digital giants for similar violations of GDPR.

3. The data leak that everyone is talking about: 19 million Free subscribers had their data exposed on the dark web.

In October 2024, a cyberattack compromised the personal data, including IBANs, of nearly 19 million clients. This information was put up for sale on the dark web.

Timeline:

  • October 2024: A hacker claims responsibility for the data theft.
  • End of October 2024: Free confirms the attack, informs its subscribers, and files a complaint.
  • November 2024: The CNIL (National Commission for Information Technology and Civil Liberties) opens an audit to assess Free's security.

Consequences: This case highlights security flaws even among major operators. Subscribers are urged to remain vigilant, particularly with regard to phishing and fraud.

Recommended measures for subscribers

Monitoring bank accounts: Regularly check statements for any suspicious activity.

Be cautious with communications: Be wary of unexpected emails or text messages asking for personal or financial information.

Change your login details: Change the passwords for accounts linked to Free and avoid using the same password for multiple services.

4. GDPR tip of the month: effectively manage data leaks

Imagine: you discover a data leak within your organization.
And then panic sets in.

Here are three steps to respond effectively and limit the consequences:

1. Inform the Dipeeo team

As soon as a data breach is suspected or confirmed, immediately notify the Dipeeo team at dpo@dipeeo.com.

2. Assess the impact of the leak

To enable us to analyze the situation quickly, please provide as much information as possible:

  • The nature of the violation
  • The categories and approximate number of personal data concerned
  • The categories and approximate number of individuals affected by the breach
  • The likely consequences of the violation
  • Measures taken or to be taken to prevent such an incident from recurring and to limit its consequences

3. In case of high risk

If the assessment reveals a risk to the rights and freedoms of the individuals concerned, Dipeeo, as an external DPO, will take the following actions:

  • Notification to the CNIL (National Commission for Information Technology and Civil Liberties): We will report the incident to the CNIL within 72 hours of discovering the breach, in accordance with legal requirements.
  • Information for affected individuals: If necessary, we provide you with a clear and transparent email template to notify affected individuals.
  • Documentation of the incident: The incident will be recorded in a dedicated log, providing evidence of diligence and transparency, which is essential during audits or inspections by data protection authorities.

5. The top 20 passwords used by French people (spoiler alert: it's not pretty)

1. 123456 🏆 (used 68,703 times in France and 3,018,050 times worldwide)
2. 123456789
3. AZERTY
4. qwerty123
6. azertyuiop
7. Marseille
8. comfort blanket
9. Loulou
10. 12345678
11. 1234561
12. 000000
13. favorite
14. password
15. sun
16. mypassphrase
17. 1234567
18. password
19. Nicolas
20. Camille

*Source: NordPass study 2024

The risk: These weak and predictable passwords directly expose personal data to the risk of breach.

What the GDPR says: Article 32 requires a level of security appropriate to the risk. A strong password is the first step in protecting personal data.

How can you improve your password compliance?

✔ Choose long, unique, and complex passwords (minimum 12 characters).

✔ Encourage the use of password managers

✔ Double your security with multi-factor authentication

✔ Regularly raise awareness about the importance of security in the context of the GDPR
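One way to turn the recommendations above into an enforceable rule for new passwords. This is an added example, not code from Dipeeo or from the NordPass study: it rejects entries from the list above, applies the 12-character minimum, and additionally flags keyboard walks (azerty, qwerty, 1234...) so that small variants of the listed passwords are caught too. The blocklist is constructed from the entries that appear verbatim on this page; a real deployment would load the full published list and a breach corpus.

```python
import re

# Constructed from the page's top-20 list (NordPass 2024, France); entries shown only
# in translation are omitted. Compared case-insensitively.
TOP_FRANCE_2024 = {
    "123456", "123456789", "azerty", "qwerty123", "azertyuiop", "marseille",
    "loulou", "12345678", "000000", "password", "1234567", "nicolas", "camille",
}

# AZERTY and QWERTY rows plus the digit row: a run of 4+ adjacent keys, in either
# direction, is treated as a keyboard walk (this is what makes "azertyuiop" weak).
KEYBOARD_ROWS = [
    "azertyuiop", "qsdfghjklm", "wxcvbn",
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1234567890", "0123456789",
]

MIN_LENGTH = 12  # the minimum recommended on this page


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` consecutive keys from any keyboard row."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            fragment = row[i:i + run]
            if fragment in p or fragment[::-1] in p:
                return True
    return False


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    core = pw.lower()
    # Drop trailing digits/punctuation so "Marseille13!" is still recognised as "marseille".
    stripped = re.sub(r"[\d\W_]+$", "", core)
    if core in TOP_FRANCE_2024 or stripped in TOP_FRANCE_2024:
        problems.append("appears in the published most-used list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard or digit sequence")
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems
```

A blocklist check of this kind complements, but does not replace, the multi-factor authentication the page also recommends.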

6. Mobile applications: The CNIL (National Commission for Information Technology and Civil Liberties) launches a specific inspection campaign in spring 2025.

Context: Mobile applications access a lot of sensitive data (location, health, contacts), increasing risks to privacy and security.

Objective of the CNIL (National Commission for Information Technology and Civil Liberties): To strengthen the protection of personal data in the field of mobile applications.

Target audience: Application publishers, developers, SDK providers, advertising agencies, platform managers, data controllers.

Penalties for non-compliance: Temporary suspension of data processing, formal notice, fines of up to €20 million or 4% of global annual turnover.

The main recommendations of the CNIL (National Commission for Information Technology and Civil Liberties) for mobile applications

  • Transparency and information: Provide clear information about the data collected, the purposes, and users' rights.
    Action: Update the privacy policy.
  • Consent: Obtain explicit and easily revocable consent before collecting non-essential data.
    Action: Implement compliant pop-ups or banners with clear accept/decline options.
  • Data minimization: Collect only data that is strictly necessary for the application to function.
    Action: Audit the data collected to identify actual needs.
  • Data security: Adopt technical and organizational measures to prevent unauthorized access and leaks.
  • Accountability: All mobile players must collaborate to ensure GDPR compliance.
    Action: Verify your service providers' compliance and appoint a DPO.


7. The four HR data retention periods to remember

"Define data retention periods": this is one of the six key principles of the GDPR.

Once this period has elapsed, the data must be destroyed, anonymized, or archived securely.

  1. Resume and cover letter: 2 years from the last contact with the unsuccessful candidate
  2. Pay slip: 50 years, or until the employee's retirement age plus the following 6 years
  3. Identity card: Until the hiring is confirmed, then immediately destroyed
  4. Disciplinary sanction: 3 years from the date of notification of the sanction

8. Have you seen our FAQ?

Available directly on the Dipeeo platform by clicking on your profile in the top right corner.

Here you will find all the answers to your questions and the resources you need to get the most out of our services.

9. 15% off (combined) your subscription thanks to referrals

Now is the time to spread the word!

Refer a new client to Dipeeo and receive a discount on your monthly or annual subscription for 1 year:

  • 15% for the sponsor
  • 5% for the referred client

This offer can be combined with other offers (and is unlimited)!

Good to know: If your discounts exceed the amount of your initial subscription, we will refund you the difference. 

Clémentine D