The sanctions issued by the CNIL

22 December 2020

The sanctions issued by the CNIL’s restricted committee since the entering into force of the GDPR.

Sanctions issued in 2023

Date Type of organization Main breaches/Theme subject Adopted decision
01/23/2023 COMPUTER SYSTEMS AND SOFTWARE CONSULTING COMPANY (simplified procedure)

Failure to cooperate with the CNIL
Consent of individuals
Information of the persons
Failure to respect the right of erasure
Register of processing activities
Lack of data security

Fine of  €5,000 and injunction

02/08/2023 MUNICIPALITY (simplified procedure)

Obligation to appoint a data protection officer
Failure to cooperate with the CNIL

Fine of  €5,000 and injunction
02/08/2023 GENERAL PRACTITIONER (simplified procedure) Failure to respect the right of access
Failure to cooperate with the CNIL
Fine of  €3,000 and injunction
02/08/2023 COMPANY EXERCISING A RETAIL CLOTHING ACTIVITY IN SPECIALIZED STORES (simplified procedure) Failure to cooperate with the CNIL Fine of  €10,000 and injunction
03/03/2023 COMPANY EXERCISING PRIVATE SECURITY ACTIVITY (simplified procedure)

Failure to comply with the principle of data minimization
Information to individuals
Register of processing activities

Fine of  €15,000
03/16/2023 SELF-SERVICE ELECTRIC SCOOTER RENTAL COMPANY Failure to comply with the principle of data minimization
Information to individuals
Supervision of the relationship between the controller and the processor
Fine of  €125,000
03/28/2023 COMPUTER PROGRAMMING COMPANY (simplified procedure) Framework for the relationship between the controller and the processor
Failure to maintain data security
Fine of €20,000
03/28/2023 MARKETING COMPANY (simplified procedure) Failure to cooperate with the CNIL Fine of €10,000 and injunction
04/17/2023 HOME CARE COMPANY FOR THE ELDERLY AND DISABLED

Late compliance with data anonymization (injunction procedure)

Liquidation of the penalty payment of €10,000
04/17/2023 COMPANY DEVELOPING FACIAL RECOGNITION SOFTWARE Failure to respond to the injunction Liquidation of the fine of 5,200,000 euros
05/11/2023 COMPANY PUBLISHING A WEBSITE OFFERING ARTICLES, TESTS, QUIZES AND DISCUSSION FORUMS RELATED TO HEALTH AND WELL-BEING Retention period
Consent of individuals (health data)
Relationship between data controller and data processor
Lack of data security
Consent of individuals (cookies and trackers)
Amende de 380 000 euros
05/12/2023 DENTIST SURGEON (simplified procedure) Failure to respect right of access
Failure to cooperate with the CNIL
Fine of €4,500 and injunction
06/08/2023 ONLINE CLEARVOYANCE Failure to comply with data minimisation principle
Retention period
Obligation to process data lawfully
Consent of individuals (sensitive data)
Informing individuals and transparency
Regulation of the relationship between the controller and the processor
Lack of data security
Obligation to document a data breach
Consent of individuals (cookies)
150,000 euro fine
06/15/2023 COMPANY SPECIALISING IN THE DISPLAY OF TARGETED ADVERTISING ON THE WEB Consent of individuals
Information and transparency
Failure to respect the right of access
Withdrawal of consent and deletion of data
Supervision of relations between joint data controllers
Fine of 40 million euros
09/18/2023 AIR FREIGHT Data minimisation
Prohibition on processing special categories of personal data
Collection and processing of data relating to offences, convictions and security mesures
Lack of cooperation with the CNIL
Fine of 200,000 euros
09/28/2023 FRENCH LITERARY MAGAZINE (simplified procedure) Information of individuals
Lack of cooperation with the CNIL
Fine of 10,000 euros and order to comply with periodic penalty payment
09/28/2023 MANUFACTURE OF PLASTIC GOODS FOR COMMON USE (simplified procedure) Data minimisation
Information of individuals and transparency
Lack of data security
Fine of 20,000 euros
09/28/2023 B2B RETAILING OF FROZEN FOOD(simplified procedure) Data minimisation
Data retention periods
Collection and processing of data relating to offences, convictions and security mesures
Information of individuals and transparency
Record of processing activities
Lack of data security
Fine of 20,000 euros
09/28/2023 OPTICAL RETAILING (simplified procedure) Lack of cooperation with the CNIL Fine of 20,000 euros and order to comply with periodic penalty payment
09/28/2023 COMPUTER SYSTEMS AND SOFTWARE CONSULTING (simplified procedure) Lack of cooperation with the CNIL Fine of 20,000 euros and order to comply with periodic penalty payment
10/12/2023 CHANNELS EDITING AND PAY TELEVISION DISTRIBUTION Consent of individuals (B2C prospecting purposes)
Failure to respect the right of access
Contractual framework between controllers and processors
Data breach documentation
Fine of 600,000 euros
10/23/2023 PRESS WEBSITE PUBLISHER (simplified procedure)

Right to object

Lack of cooperation with the CNIL

Fine of 5,000 euros and order to comply
10/23/2023 CHILD ABUSE PREVENTION BLOG PUBLISHER (simplified procedure) Lack of cooperation with the CNIL Fine of 2,000 euros
10/26/2023 COMPANY WHOSE MAIN ACTIVITY IS EVENT MANAGEMENT (simplified procedure)

Data minimisation

Information of individuals and transparency

Record of processing activities

Lack of data security

Fine of 2,000 euros
11/08/2023 COMPANY SPECIALISING IN THE DEVELOPMENT AND THE IMPLEMENTATION OF EMPLOYEE MONITORING SOFTWARES (simplified procedure) Lack of cooperation with the CNIL Fine of 20,000 euros
11/09/2023 FRENCH MINISTRY Purpose diversion Call to order
11/09/2023 FRENCH MINISTRY Purpose diversion Call to order

Sanctions issued in 2022


Sanctions issued in 2021


Sanctions issued in 2020


Sanctions issued in 2019


Sanctions issued in 2018