The CNIL imposed a fine of 800,000 euros on the company Discord INC. for failing to comply with several GDPR obligations, in particular those concerning retention periods and the security of personal data. Discord is a voice over IP (a technology that lets users talk over the Internet using their microphone and/or webcam) and instant messaging service in which users can create servers with text, voice and video channels. The amount of the fine was set with regard to the breaches identified and the number of people concerned, but also taking into account the efforts the company made to comply during the procedure and the fact that its business model is not based on the exploitation of personal data. Discord did not:
– have a written data retention policy (Article 5.1.e of the GDPR)
– guarantee data protection by default when the user closed the application window: the user remained connected to the voice channel and the microphone stayed active (Article 25.2 of the GDPR)
– have a strong password policy or a Captcha against repeated login attempts (Article 32 of the GDPR, security of processing)
– carry out a data protection impact assessment (Article 35 of the GDPR)