The sanctions issued by the CNIL

02 January 2025


The sanctions issued by the CNIL’s restricted committee since the entering into force of the GDPR.

 

Sanctions issued

Sanctions issued in 2025

Date Type of organization Main breaches/Theme subject Adopted decision
01/09/2025 COMPANY CARRYING OUT INSULATION, ENERGY RENOVATION AND HEATING WORK (simplified procedure)

Obligation to process data lawfully
(commercial prospecting)
Data minimisation
Obligation to process accurate data

Fine of €15,000 and injunction

01/16/2025 DISTANCE LEARNING APPRENTICE TRAINING CENTRE (simplified procedure) Data minimisation (CCTV, telephone recordings)
Data retention period
Failure to respect the right to object
Information of individuals (telephone recordings, exercise of rights, CCTV)
Fine of €10,000
01/23/2025 ROAD HAULAGE COMPANY (simplified procedure)

Data minimisation (geolocation)
Data retention period (geolocation)
Information of individuals (geolocation)
Obligation to carry out a Privacy Impact Assessment

Fine of €8000

01/30/2025 ENERGY BROKERAGE COMPANY (simplified procedure) No response to injunction Liquidation of the penalty payment of €4,000
03/27/2025 BUSINESS AND MANAGEMENT CONSULTANCY COMPANY (simplified procedure)

Obligation to process data lawfully (CCTV)
Data minimisation (CCTV)
Information of individuals

Fine of €6000
04/03/2025 COMPANY SPECIALISING IN THE SUPERMARKET SECTOR (simplified procedure)

Failure to cooperate with the CNIL

Fine of €5,000 and injunction
04/03/2025 WORKS BROKERAGE COMPANY, BUILDING AND PUBLIC WORKS CONSULTANCY, PURCHASE AND RESALE OF EQUIPMENT, PROPERTY TRANSACTIONS AND PROJECT MANAGEMENT (simplified procedure)

Information of individuals (exercise of rights)
Failure to cooperate with the CNIL

Fine of €10,000 and injunction
04/10/2025 COMPANY SPECIALISING IN THE RETAIL SALE OF SPORTS GOODS IN SPECIALISED SHOPS (simplified procedure)

Data minimisation (CCTV)
Data retention period (CCTV)
Information of individuals (CCTV)
Register of processing activities
Lack of data security

Fine of €20,000
04/10/2025 COMPANY OPERATING A CATERING BUSINESS (simplified procedure) Data minimisation (CCTV)
Information of individuals (CCTV)
Register of processing activities
Obligation to carry out a Privacy Impact Assessment
Fine of €6,000
04/30/2025 COMPANY PUBLISHING A DATING WEBSITE AIMED AT PEOPLE WITH SIMILAR POLITICAL CONVICTIONS (simplified procedure Data retention period
Consent of individuals (sensitive data)
Information of individuals
Framework for relations between the controller and the processor
Lack of data security
Obligation to notify a data breach to the supervisory authority
Obligation to notify the data subject of a data breach
Fine of €20,000
05/15/2025 COMPANY OFFERING PRIVATE SECURITY SERVICES  (simplified procedure) Non-compliance (injunction procedure) Liquidation of the penalty payment of €4,000
05/15/2025 COMPANY WITH A MARKETING AND WEBSITE DESIGN BUSINESS Consent of individuals (commercial prospecting - article L. 34-5 CPCE)
Proof of consent (art 7 GDPR)
Lack of legal basis (art 6-1 GDPR)
Fine of €900,000 and injunction
05/15/2025 COMPANY CARRYING OUT ELECTRONIC COMMERCIAL CANVASSING ON BEHALF OF ADVERTISERS, INCLUDING DATA BROKERAGE ACTIVITIES Consent of individuals (commercial prospecting - article L. 34-5 CPCE)
Withdrawal of consent
Lack of legal basis
Data retention period
Fine of €80,000
05/06/2025 COMPANY ENGAGED IN THE MANUFACTURE AND SALE OF PHARMACEUTICAL PRODUCTS FOR THE FOOD SECTOR (simplified procedure)

Data minimisation (CCTV)

Fine of €5,000
05/06/2025 COMPANY CARRYING OUT FOR-PROFIT HOSPITAL ACTIVITIES IN THE FIELD OF MEDICINE, SURGERY AND OBSTETRICS (simplified procedure)

Limitation of purpose (CCTV)
Data minimisation
Information of individuals
Obligation to carry out a Privacy Impact Assessment

Fine of €5,000
05/06/2025 COMPANY WHOSE MAIN ACTIVITY IS PUBLISHING (simplified procedure) Failure to cooperate with the CNIL Fine of €10,000 and injonction
06/18/2025 COMPANY ENGAGED IN DISTANCE SELLING FROM A GENERAL CATALOGUE (simplified procedure) Consent of individuals (cookies) Fine of €3,000
07/03/2025 COMPANY ENGAGED IN THE DISTANCE SELLING OF FURNITURE, HOME DECORATION AND HOUSEHOLD EQUIPMENT (simplified procedure) Data retention period
Information of individuals
Information and consent (cookies)
Consent of individuals (commercial prospecting - article L. 34-5 CPCE)
Fine of €600,000
07/03/2025 DOCTOR (simplified procedure) Failure to cooperate with the CNIL Fine of €3,000 and injunction
07/17/2025 DENTAL SURGEON (simplified procedure)

Failure to respect the right of access (health data)
Failure to cooperate with the CNIL

Fine of €5,000 and injunction
08/25/2025 LAWYER (simplified procedure) Failure to respect the right of access
Failure to cooperate with the CNIL
Fine of €3,000 and injunction
09/01/2025 ASSOCIATION FOR THE DEFENCE OF FUNDAMENTAL RIGHTS (simplified procedure) Failure to respect the right of erasure
Failure to cooperate with the CNIL
Fine of €10,000 and injunction
09/01/2025 COMPANY DEVELOPING SEVERAL ONLINE SERVICES Information and consent (cookies)
Consent of individuals (commercial prospecting - article L. 34-5 CPCE)
Fine of €325 million and injunction
09/01/2025 ONLINE RETAILER OF CLOTHING, SHOES AND ACCESSORIES Information and consent (cookies) Fine of €150 million
09/03/2025 COMPANY ENGAGED IN THE DEVELOPMENT OF RESIDENTIAL PROPERTIES (simplified procedure)  Failure to respect the right of access Fine of €20,000
09/04/2025 COMPANY DEVELOPING AND MARKETING RECRUITMENT SUPPORT SOFTWARE (simplified procedure) Framework for relations between the controller and the processor
Register of processing activities
Lack of data security
Obligation to notify a data breach
Fine of €7,000
09/04/2025 COMPANY COLLECTING PROSPECT DATA FROM SEVERAL SOURCES, INCLUDING ONLINE CONTEST ENTRY FORMS (simplified procedure) Data retention period
Lack of legal basis
Information of individuals
Consent of individuals (commercial prospecting - article L. 34-5 CPCE)
Register of processing activities
Fine of €17,000
09/04/2025 COMPANY ENGAGED IN LARGE-SCALE DISTRIBUTION Obligation to process data lawfully (CCTV)
Data minimisation (CCTV)
Information of individuals (CCTV)
Obligation to carry out a Privacy Impact Assessment
Fine of €75,000 and injunction
09/11/2025 COMPANY ENGAGED IN BANKING AND INSURANCE ACTIVITIES (simplified procedure) Information of individuals (exercice of rights)
Failure to respect the right of access
Fine of €10,000
09/11/2025 SPECIALISED CATALOGUE MAIL-ORDER COMPANY (simplified procedure) Failure to cooperate with the CNIL Fine of €5,000
09/11/2025 ASSOCIATION MANAGING A SECONDARY SCHOOL AND BOARDING SCHOOL FOR YOUNG PEOPLE WHO HAVE DROPPED OUT OF SCHOOL (simplified procedure) Data minimisation (CCTV)
Data retention period
Lack of data security
Fine of €7,000 and injunction
09/11/2025 MUNICIPALITY (simplified procedure) Data retention period (special data category)
Register of processing activities
Fine of €10,000 and call to order
09/18/2025 COMPANY OPERATING A DEPARTMENT STORE Obligation to process data lawfully and principle of responsability (CCTV)
Data minimisation (CCTV)
Obligation to notify a data breach
Obligation to involve the data protection officer in matters relating to data protection
Fine of €100,000

Sanctions issued in 2024


Sanctions issued in 2023


Sanctions issued in 2022


Sanctions issued in 2021


Sanctions issued in 2020


Sanctions issued in 2019


Sanctions issued in 2018