If a recent decision of the French Data Protection Authority (CNIL) is any indication, companies can expect that data protection authorities will hold them responsible for ensuring that the vendors they contract with can secure and protect the company’s personal data. On July 27, 2017, the French Data Protection Authority (CNIL) fined the Hertz Corporation €40,000 when information about approximately 35,000 users was exposed to inappropriate access because of the negligence of a vendor in charge of designing the Hertz France website.

The privacy office’s enforcement committee July 18 held that Hertz failed to meet its data security obligations. The enforcement audit of the company’s website determined that a computer coding error by a subcontractor exposed personal data, including names, addresses, and driver’s license numbers, for customers signed up for a discount promotion.

On October 15, 2016, the CNIL was made aware of the existence of the security incident. The CNIL notified Hertz France of the issue, which then informed its third-party vendor in charge of designing the website. The service provider immediately took corrective actions to address the problem, which was caused by its own error.

The CNIL concluded that Hertz France had been negligent in overseeing the actions of its service provider (acting as a data processor) and imposed the €40,000 fine.

This case sends a message to companies that authorities will hold data controllers responsible for its data holdings, no matter who processes, stores or secures it.

This approach is central to the accountability requirements in the General Data Protection Regulation (GDPR), which comes into effect in May 2018. Under the requirements of the GDPR, companies are responsible for the personal data they collect and process, even when they contract with a third-party vendor to carry out the work. Companies are required to conduct due diligence to be sure the vendor is capable of appropriately securing and protecting the data entrusted to them, and to require in contract that the vendor do so.

Any company that collects and processes the data of European citizens must comply with the GDPR, regardless of its size. The GDPR comes into effect in May 2018.


Achieved Compliance – helping you navigate the complex world of data compliance.

Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.

For more information as to how we can help your organization be GDPR compliant please contact info@achievedcompliance.com.