Excessive data collection and lack of cooperation: the CNIL imposed a sanction on the company SAF LOGISTICS
On 18 September 2023, the CNIL imposed a fine of 200 000 euros on SAF LOGISTICS for collecting too much data from its employees, infringing on their privacy and not having cooperated enough with the CNIL services.
SAF LOGISTICS is an air freight company whose parent company is located in China. An employee reported to the CNIL that SAF LOGISTICS collected data relating to its employees' private lives, as part of an internal recruitment for a position in the parent company.
Therefore, the CNIL carried out an onsite investigation in order to verify the legality of the form used for the collection of data.
During the investigation, the CNIL observed infringements concerning, in particular, excessive data collection, non-compliance with the ban on processing sensitive data and data relating to offences, and a lack of cooperation with the CNIL services.
As a consequence, the restricted committee – the CNIL body responsible for issuing sanctions – imposed a fine of 200 000 euros on SAF LOGISTICS.
In order to determine the amount of the fine, the CNIL took into account, in particular, the fact that many of the breaches observed concerned key principles of the GDPR.
The CNIL noticed four breaches of the GDPR by SAF LOGISTICS.
Infringement of the data minimisation principle (Article 5(1)(c) of the GDPR)
Via the form sent to its employees, the company collected a large amount of information on employees' family members, including their identity, contact details, position, employer and marital status.
The restricted committee considered that the amount and variety of information collected were too significant, and that this breach infringed on the employees' private lives.
Infringement of the ban on processing sensitive data (Article 9 of the GDPR)
The CNIL noticed that some of the information required on the form was sensitive data such as blood type, ethnicity and political affiliation.
The CNIL restricted committee noted that the company didn't meet any of the conditions provided for by the GDPR (Article 9(2)) to collect this sensitive data.
A breach of the ban on processing personal data relating to criminal convictions and offences and related security measures (Article 10 of the GDPR)
The restricted committee noticed that the company was keeping extracts from the criminal records of employees working in air freight, even though these employees had already been cleared by the relevant authorities following an administrative inquiry. It considered that the company didn't meet the conditions for reading or keeping its employees' criminal records.
Moreover, with respect to employees that were not subject to the clearance procedure, the company could read their criminal records without keeping them.
Infringement of the obligation to cooperate with the CNIL services (Article 31 of the GDPR)
When the CNIL asked the company to provide a translation of the form that was written in Chinese, it gave an incomplete translation, in which the fields about ethnicity and political affiliation were missing. Therefore, the CNIL had it translated in order to have all the fields of the form. The restricted committee thus considered that the company intentionally sought to prevent the CNIL from exercising its powers of investigation.