The sanctions issued by the CNIL
The sanctions issued by the CNIL’s restricted committee since the entering into force of the GDPR.
Date | Type of organization | Main breaches/Theme subject | Adopted decision |
---|---|---|---|
01/23/2023 | COMPUTER SYSTEMS AND SOFTWARE CONSULTING COMPANY (simplified procedure) |
Failure to cooperate with the CNIL |
Fine of €5,000 and injunction |
02/08/2023 | MUNICIPALITY (simplified procedure) |
Obligation to appoint a data protection officer |
Fine of €5,000 and injunction |
02/08/2023 | GENERAL PRACTITIONER (simplified procedure) | Failure to respect the right of access Failure to cooperate with the CNIL |
Fine of €3,000 and injunction |
02/08/2023 | COMPANY EXERCISING A RETAIL CLOTHING ACTIVITY IN SPECIALIZED STORES (simplified procedure) | Failure to cooperate with the CNIL | Fine of €10,000 and injunction |
03/03/2023 | COMPANY EXERCISING PRIVATE SECURITY ACTIVITY (simplified procedure) |
Failure to comply with the principle of data minimization |
Fine of €15,000 |
03/16/2023 | SELF-SERVICE ELECTRIC SCOOTER RENTAL COMPANY | Failure to comply with the principle of data minimization Information to individuals Supervision of the relationship between the controller and the processor |
Fine of €125,000 |
03/28/2023 | COMPUTER PROGRAMMING COMPANY (simplified procedure) | Framework for the relationship between the controller and the processor Failure to maintain data security |
Fine of €20,000 |
03/28/2023 | MARKETING COMPANY (simplified procedure) | Failure to cooperate with the CNIL | Fine of €10,000 and injunction |
04/17/2023 | HOME CARE COMPANY FOR THE ELDERLY AND DISABLED |
Late compliance with data anonymization (injunction procedure) |
Liquidation of the penalty payment of €10,000 |
04/17/2023 | COMPANY DEVELOPING FACIAL RECOGNITION SOFTWARE | Failure to respond to the injunction | Liquidation of the fine of 5,200,000 euros |
05/11/2023 | COMPANY PUBLISHING A WEBSITE OFFERING ARTICLES, TESTS, QUIZES AND DISCUSSION FORUMS RELATED TO HEALTH AND WELL-BEING | Retention period Consent of individuals (health data) Relationship between data controller and data processor Lack of data security Consent of individuals (cookies and trackers) |
Amende de 380 000 euros |
05/12/2023 | DENTIST SURGEON (simplified procedure) | Failure to respect right of access Failure to cooperate with the CNIL |
Fine of €4,500 and injunction |
06/08/2023 | ONLINE CLEARVOYANCE | Failure to comply with data minimisation principle Retention period Obligation to process data lawfully Consent of individuals (sensitive data) Informing individuals and transparency Regulation of the relationship between the controller and the processor Lack of data security Obligation to document a data breach Consent of individuals (cookies) |
150,000 euro fine |
06/15/2023 | COMPANY SPECIALISING IN THE DISPLAY OF TARGETED ADVERTISING ON THE WEB | Consent of individuals Information and transparency Failure to respect the right of access Withdrawal of consent and deletion of data Supervision of relations between joint data controllers |
Fine of 40 million euros |
09/18/2023 | AIR FREIGHT | Data minimisation Prohibition on processing special categories of personal data Collection and processing of data relating to offences, convictions and security mesures Lack of cooperation with the CNIL |
Fine of 200,000 euros |
09/28/2023 | FRENCH LITERARY MAGAZINE (simplified procedure) | Information of individuals Lack of cooperation with the CNIL |
Fine of 10,000 euros and order to comply with periodic penalty payment |
09/28/2023 | MANUFACTURE OF PLASTIC GOODS FOR COMMON USE (simplified procedure) | Data minimisation Information of individuals and transparency Lack of data security |
Fine of 20,000 euros |
09/28/2023 | B2B RETAILING OF FROZEN FOOD(simplified procedure) | Data minimisation Data retention periods Collection and processing of data relating to offences, convictions and security mesures Information of individuals and transparency Record of processing activities Lack of data security |
Fine of 20,000 euros |
09/28/2023 | OPTICAL RETAILING (simplified procedure) | Lack of cooperation with the CNIL | Fine of 20,000 euros and order to comply with periodic penalty payment |
09/28/2023 | COMPUTER SYSTEMS AND SOFTWARE CONSULTING (simplified procedure) | Lack of cooperation with the CNIL | Fine of 20,000 euros and order to comply with periodic penalty payment |
10/12/2023 | CHANNELS EDITING AND PAY TELEVISION DISTRIBUTION | Consent of individuals (B2C prospecting purposes) Failure to respect the right of access Contractual framework between controllers and processors Data breach documentation |
Fine of 600,000 euros |
10/23/2023 | PRESS WEBSITE PUBLISHER (simplified procedure) |
Right to object |
Fine of 5,000 euros and order to comply |
10/23/2023 | CHILD ABUSE PREVENTION BLOG PUBLISHER (simplified procedure) | Lack of cooperation with the CNIL | Fine of 2,000 euros |
10/26/2023 | COMPANY WHOSE MAIN ACTIVITY IS EVENT MANAGEMENT (simplified procedure) |
Data minimisation |
Fine of 2,000 euros |
11/08/2023 | COMPANY SPECIALISING IN THE DEVELOPMENT AND THE IMPLEMENTATION OF EMPLOYEE MONITORING SOFTWARES (simplified procedure) | Lack of cooperation with the CNIL | Fine of 20,000 euros |
11/09/2023 | FRENCH MINISTRY | Purpose diversion | Call to order |
11/09/2023 | FRENCH MINISTRY | Purpose diversion | Call to order |
11/08/2023 | COMPANY SPECIALISED IN THE DEVELOPMENT AND IMPLEMENTATION OF EMPLOYEE MONITORING SOFTWARES (simplified procedure) | Lack of cooperation with the CNIL | Fine of 20,000 euros |
11/15/2023 | MUNICIPALITY (simplified procedure) | Lawfulness of the processing Data retention Lack of security of personal data |
Fine of 6,000 euros |
11/16/2023 | COMPANY INVOLVED IN BUSINESS SUPPORT ACTIVITIES, IN PARTICULAR FOR TELEVISED EVENTS (simplified procedure) | Lawfulness of the processing Purpose misuse Lack of security of personal data |
Fine of 8,000 euros |
11/22/2023 | ORTHOPHONIST (simplified procedure) | Lack of cooperation with the CNIL Health data right of access |
Fine of 5,000 euros and order to comply |
12/11/2023 | PUBLIC FIGURE (procédure simplifiée) | Lack of respect of right to object | Fine of 3,000 euros and order to comply |
12/11/2023 | FRENCH MINISTRY | Lawfulness of the processing Data accuracy principle Lack of security of personal data |
Call to order |
12/11/2023 | FRENCH MINISTRY | Lawfulness of the processing Data accuracy principle Lack of security of personal data |
Call to order |
12/12/2023 | MUNICIPALITY | Designation of a data protection officer Lack of cooperation with the CNIL |
Fine of 5,000 euros et injonction |
12/27/2023 | ASSOCIATION PROMOTING ACTIONS WITHIN A CITY (simplified procedure) | Lack of cooperation with the CNIL | Fine of 5,000 euros and order to comply |
12/27/2023 | PAEDIATRICIAN (simplified procedure) | Lack of cooperation with the CNIL | Fine of 1,000 euros |
12/27/2023 | COMPANY SOCIAL AND ECONOMIC COMMITTEE (simplified procedure) | Obligation to involve the Data Protection Officer (DPO) in data protection issues Obligation to help the DPO carry out his duties Obligation to allow data subjects to contact the DPO |
Fine of 10,000 euros |
12/27/2023 | LOGISTICS SUPPORT COMPANY | Lack of legal basis Data minimisation Information of individuals and transparency Lack of security of personal data |
Fine of 32 million euros |
12/29/2023 | IT SYSTEMS AND SOFTWARE CONSULTANCY COMPANY | Prohibition on the processor recruiting another processor without the authorisation of the controller Lack of security of personal data |
Fine of 100,000 euros |
12/29/2023 | ONLINE PAYMENT COMPANY | Data retention Information of individuals and transparency Lack of security of personal data Consent of individuals (cookies) |
Fine of 105,000 euros |
12/29/2023 |
COMPANY OFFERING TELECOMMUNICATION SERVICES | Information of individuals and transparency Consent of individuals (cookies) |
Fine of 10 million euros |
12/29/2023 | COMPANY PROVIDING ONLINE COMPETITIONS AND PRODUCT TESTS | Lawfulness of the processing (commercial prospecting) Record of processing activities |
Fine of 75,000 euros and order to comply |