The sanctions issued by the CNIL
The sanctions issued by the CNIL’s restricted committee since the entering into force of the GDPR.
Date | Type of organization | Main breaches/Theme subject | Adopted decision |
---|---|---|---|
01/23/2023 | COMPUTER SYSTEMS AND SOFTWARE CONSULTING COMPANY (simplified procedure) |
Failure to cooperate with the CNIL |
Fine of €5,000 and injunction |
02/08/2023 | MUNICIPALITY (simplified procedure) |
Obligation to appoint a data protection officer |
Fine of €5,000 and injunction |
02/08/2023 | GENERAL PRACTITIONER (simplified procedure) | Failure to respect the right of access Failure to cooperate with the CNIL |
Fine of €3,000 and injunction |
02/08/2023 | COMPANY EXERCISING A RETAIL CLOTHING ACTIVITY IN SPECIALIZED STORES (simplified procedure) | Failure to cooperate with the CNIL | Fine of €10,000 and injunction |
03/03/2023 | COMPANY EXERCISING PRIVATE SECURITY ACTIVITY (simplified procedure) |
Failure to comply with the principle of data minimization |
Fine of €15,000 |
03/16/2023 | SELF-SERVICE ELECTRIC SCOOTER RENTAL COMPANY | Failure to comply with the principle of data minimization Information to individuals Supervision of the relationship between the controller and the processor |
Fine of €125,000 |
03/28/2023 | COMPUTER PROGRAMMING COMPANY (simplified procedure) | Framework for the relationship between the controller and the processor Failure to maintain data security |
Fine of €20,000 |
03/28/2023 | MARKETING COMPANY (simplified procedure) | Failure to cooperate with the CNIL | Fine of €10,000 and injunction |
04/17/2023 | HOME CARE COMPANY FOR THE ELDERLY AND DISABLED |
Late compliance with data anonymization (injunction procedure) |
Liquidation of the penalty payment of €10,000 |
04/17/2023 | COMPANY DEVELOPING FACIAL RECOGNITION SOFTWARE | Failure to respond to the injunction | Liquidation of the fine of 5,200,000 euros |
05/11/2023 | COMPANY PUBLISHING A WEBSITE OFFERING ARTICLES, TESTS, QUIZES AND DISCUSSION FORUMS RELATED TO HEALTH AND WELL-BEING | Retention period Consent of individuals (health data) Relationship between data controller and data processor Lack of data security Consent of individuals (cookies and trackers) |
Amende de 380 000 euros |
05/12/2023 | DENTIST SURGEON (simplified procedure) | Failure to respect right of access Failure to cooperate with the CNIL |
Fine of €4,500 and injunction |
06/08/2023 | ONLINE CLEARVOYANCE | Failure to comply with data minimisation principle Retention period Obligation to process data lawfully Consent of individuals (sensitive data) Informing individuals and transparency Regulation of the relationship between the controller and the processor Lack of data security Obligation to document a data breach Consent of individuals (cookies) |
150,000 euro fine |
06/15/2023 | COMPANY SPECIALISING IN THE DISPLAY OF TARGETED ADVERTISING ON THE WEB | Consent of individuals Information and transparency Failure to respect the right of access Withdrawal of consent and deletion of data Supervision of relations between joint data controllers |
Fine of 40 million euros |
09/18/2023 | AIR FREIGHT | Data minimisation Prohibition on processing special categories of personal data Collection and processing of data relating to offences, convictions and security mesures Lack of cooperation with the CNIL |
Fine of 200,000 euros |
09/28/2023 | FRENCH LITERARY MAGAZINE (simplified procedure) | Information of individuals Lack of cooperation with the CNIL |
Fine of 10,000 euros and order to comply with periodic penalty payment |
09/28/2023 | MANUFACTURE OF PLASTIC GOODS FOR COMMON USE (simplified procedure) | Data minimisation Information of individuals and transparency Lack of data security |
Fine of 20,000 euros |
09/28/2023 | B2B RETAILING OF FROZEN FOOD(simplified procedure) | Data minimisation Data retention periods Collection and processing of data relating to offences, convictions and security mesures Information of individuals and transparency Record of processing activities Lack of data security |
Fine of 20,000 euros |
09/28/2023 | OPTICAL RETAILING (simplified procedure) | Lack of cooperation with the CNIL | Fine of 20,000 euros and order to comply with periodic penalty payment |
09/28/2023 | COMPUTER SYSTEMS AND SOFTWARE CONSULTING (simplified procedure) | Lack of cooperation with the CNIL | Fine of 20,000 euros and order to comply with periodic penalty payment |
10/12/2023 | CHANNELS EDITING AND PAY TELEVISION DISTRIBUTION | Consent of individuals (B2C prospecting purposes) Failure to respect the right of access Contractual framework between controllers and processors Data breach documentation |
Fine of 600,000 euros |
10/23/2023 | PRESS WEBSITE PUBLISHER (simplified procedure) |
Right to object Lack of cooperation with the CNIL |
Fine of 5,000 euros and order to comply |
10/23/2023 | CHILD ABUSE PREVENTION BLOG PUBLISHER (simplified procedure) | Lack of cooperation with the CNIL | Fine of 2,000 euros |
10/26/2023 | COMPANY WHOSE MAIN ACTIVITY IS EVENT MANAGEMENT (simplified procedure) |
Data minimisation Information of individuals and transparency Record of processing activities Lack of data security |
Fine of 2,000 euros |
11/08/2023 | COMPANY SPECIALISING IN THE DEVELOPMENT AND THE IMPLEMENTATION OF EMPLOYEE MONITORING SOFTWARES (simplified procedure) | Lack of cooperation with the CNIL | Fine of 20,000 euros |
11/09/2023 | FRENCH MINISTRY | Purpose diversion | Call to order |
11/09/2023 | FRENCH MINISTRY | Purpose diversion | Call to order |