The sanctions issued by the CNIL
02 January 2025
The sanctions issued by the CNIL’s restricted committee since the entering into force of the GDPR.
| Date | Type of organization | Main breaches/Theme subject | Adopted decision |
|---|---|---|---|
| 01/09/2025 | COMPANY CARRYING OUT INSULATION, ENERGY RENOVATION AND HEATING WORK (simplified procedure) |
Obligation to process data lawfully |
Fine of €15,000 and injunction |
| 01/16/2025 | DISTANCE LEARNING APPRENTICE TRAINING CENTRE (simplified procedure) | Data minimisation (CCTV, telephone recordings) Data retention period Failure to respect the right to object Information of individuals (telephone recordings, exercise of rights, CCTV) |
Fine of €10,000 |
| 01/23/2025 | ROAD HAULAGE COMPANY (simplified procedure) |
Data minimisation (geolocation) |
Fine of €8000 |
| 01/30/2025 | ENERGY BROKERAGE COMPANY (simplified procedure) | No response to injunction | Liquidation of the penalty payment of €4,000 |
| 03/27/2025 | BUSINESS AND MANAGEMENT CONSULTANCY COMPANY (simplified procedure) |
Obligation to process data lawfully (CCTV) |
Fine of €6000 |
| 04/03/2025 | COMPANY SPECIALISING IN THE SUPERMARKET SECTOR (simplified procedure) |
Failure to cooperate with the CNIL |
Fine of €5,000 and injunction |
| 04/03/2025 | WORKS BROKERAGE COMPANY, BUILDING AND PUBLIC WORKS CONSULTANCY, PURCHASE AND RESALE OF EQUIPMENT, PROPERTY TRANSACTIONS AND PROJECT MANAGEMENT (simplified procedure) |
Information of individuals (exercise of rights) |
Fine of €10,000 and injunction |
| 04/10/2025 | COMPANY SPECIALISING IN THE RETAIL SALE OF SPORTS GOODS IN SPECIALISED SHOPS (simplified procedure) |
Data minimisation (CCTV) |
Fine of €20,000 |
| 04/10/2025 | COMPANY OPERATING A CATERING BUSINESS (simplified procedure) | Data minimisation (CCTV) Information of individuals (CCTV) Register of processing activities Obligation to carry out a Privacy Impact Assessment |
Fine of €6,000 |
| 04/30/2025 | COMPANY PUBLISHING A DATING WEBSITE AIMED AT PEOPLE WITH SIMILAR POLITICAL CONVICTIONS (simplified procedure | Data retention period Consent of individuals (sensitive data) Information of individuals Framework for relations between the controller and the processor Lack of data security Obligation to notify a data breach to the supervisory authority Obligation to notify the data subject of a data breach |
Fine of €20,000 |
| 05/15/2025 | COMPANY OFFERING PRIVATE SECURITY SERVICES (simplified procedure) | Non-compliance (injunction procedure) | Liquidation of the penalty payment of €4,000 |
| 05/15/2025 | COMPANY WITH A MARKETING AND WEBSITE DESIGN BUSINESS | Consent of individuals (commercial prospecting - article L. 34-5 CPCE) Proof of consent (art 7 GDPR) Lack of legal basis (art 6-1 GDPR) |
Fine of €900,000 and injunction |
| 05/15/2025 | COMPANY CARRYING OUT ELECTRONIC COMMERCIAL CANVASSING ON BEHALF OF ADVERTISERS, INCLUDING DATA BROKERAGE ACTIVITIES | Consent of individuals (commercial prospecting - article L. 34-5 CPCE) Withdrawal of consent Lack of legal basis Data retention period |
Fine of €80,000 |
| 05/06/2025 | COMPANY ENGAGED IN THE MANUFACTURE AND SALE OF PHARMACEUTICAL PRODUCTS FOR THE FOOD SECTOR (simplified procedure) |
Data minimisation (CCTV) |
Fine of €5,000 |
| 05/06/2025 | COMPANY CARRYING OUT FOR-PROFIT HOSPITAL ACTIVITIES IN THE FIELD OF MEDICINE, SURGERY AND OBSTETRICS (simplified procedure) |
Limitation of purpose (CCTV) |
Fine of €5,000 |
| 05/06/2025 | COMPANY WHOSE MAIN ACTIVITY IS PUBLISHING (simplified procedure) | Failure to cooperate with the CNIL | Fine of €10,000 and injonction |
| 06/18/2025 | COMPANY ENGAGED IN DISTANCE SELLING FROM A GENERAL CATALOGUE (simplified procedure) | Consent of individuals (cookies) | Fine of €3,000 |
| 07/03/2025 | COMPANY ENGAGED IN THE DISTANCE SELLING OF FURNITURE, HOME DECORATION AND HOUSEHOLD EQUIPMENT (simplified procedure) | Data retention period Information of individuals Information and consent (cookies) Consent of individuals (commercial prospecting - article L. 34-5 CPCE) |
Fine of €600,000 |
| 07/03/2025 | DOCTOR (simplified procedure) | Failure to cooperate with the CNIL | Fine of €3,000 and injunction |
Sanctions issued in 2024
| Date | Type of organization | Main breaches/Theme subject | Adopted decision |
|---|---|---|---|
| 01/09/2024 | WEBSITE PUBLISHER - REVERSE LOOK-UP DIRECTORY (simplified procedure) |
Failure to cooperate with the CNIL |
Fine of €1,500 |
| 01/15/2024 | LAWYER (simplified procedure) | Failure to cooperate with the CNIL Failure to respect the right of erasure |
Fine of €5,000 |
| 01/22/2024 | LAWYER (simplified procedure) |
Failure to cooperate with the CNIL |
Fine of €500 |
| 01/24/2024 | PHARMACEUTICAL WHOLESALE BUSINESS (simplified procedure) | Lack of data security Failure to cooperate with the CNIL Register of processing activities Obligation for processors to offer sufficient guarantees, recruited after authorization by the controller |
Fine of €20,000 |
| 01/25/2024 | POLITICAL ASSOCIATION (simplified procedure) |
Information of individuals and transparency (political canvassing) |
Fine of €20,000 |
| 01/31/2024 | PUBLISHER OF A WEBSITE OFFERING INDIVIDUALS THE OPPORTUNITY TO PUBLISH OR CONSULT REAL ESTATE ADS AND OTHER SERVICES |
Lack of data security |
Fine of €100,000 |
| 01/31/2024 | INDIVIDUAL (simplified procedure) |
Failure to cooperate with the CNIL |
Fine of €500 |
| 01/31/2024 | DENTAL SURGEON (simplified procedure) | Lack of data security Failure to respect the right of access (health data) |
Fine of €5,000 |
| 01/31/2024 | WEBSITE PUBLISHER - NEWS IN THE FIELD OF NEW TECHNOLOGIES (simplified procedure) | Lack of data security | Fine of €20,000 |
| 01/31/2024 | COMPANY ENGAGED IN THE MARKETING AND MANAGEMENT OF LOYALTY PROGRAMS AND CARDS (simplified procedure | Obligation to process data lawfully (commercial prospecting by phone) |
Fine of €310,000 |
| 01/31/2024 | BUSINESS SUPPORT COMPANY (simplified procedure) | Lack of data security | Fine of €10,000 |
| 02/29/2024 | SCIENTIFIC RESEARCH AND DEVELOPMENT COMPANY (simplified procedure) | Obligation to process data lawfully | Fine of €10,000 |
| 02/29/2024 | DENTAL SURGEON (simplified procedure) | Failure to cooperate with the CNIL Failure to respect the right of access (health data) |
Fine of €4,000 |
| 04/04/2024 | RETAIL SALE OF TELECOMMUNICATIONS EQUIPMENT |
Consent of individuals (commercial prospecting by phone - Article L. 34-5 of the French Postal and Electronic Communications Code) |
Fine of €525,000 |
| 04/04/2024 | COMPANY ENGAGED IN COMMERCIAL PROSPECTING BY E-MAIL ON BEHALF OF ADVERTISERS | No response to injunction | Liquidation of the penalty payment of €25,000 |
| 04/25/2024 | COMPANY OPERATING SHOE AND SPORTSWEAR STORES (simplified procedure) | Information of individuals and consent (cookies) |
Fine of €15,000 |
| 04/25/2024 | ASSOCIATION PARTICIPATING IN THE ACTIVITIES OF POLITICAL ORGANIZATIONS (simplified procedure) | Lack of legal basis | Fine of €16,000 euros and injunction |
| 04/25/2024 | FRENCH LITERARY REVIEW (simplified procedure) | Late compliance for erasure requests (injunction procedure) | Liquidation of the penalty payment of €3,000 |
| 05/23/2024 | NATIONAL PUBLIC ESTABLISHMENT (TEACHING) (simplified procedure) | Data minimization Information of individuals and consent |
Fine of €6,000 |
| 05/23/2024 | COMPANY ENGAGED IN OPTICAL RETAILING (simplified procedure) | Late response to compliance order (injunction procedure) | Liquidation of the penalty payment of €4,000 |
| 05/23/2024 | COMPANY MANAGING A CALL PLATFORM FOR PROFESSIONAL SECRETARIAT (simplified procedure) | Data minimization Information of individuals and consent Lack of data security |
Fine of €15,000 |
| 05/23/2024 | COMPANY MANAGING A CALL PLATFORM FOR PROFESSIONAL SECRETARIAT (simplified procedure) | Data minimization Information of individuals and consent Lack of data security |
Fine of €10,000 |
| 06/10/2024 | BAKERY (simplified procedure) | Information of individuals Obligation to process data lawfully (CCTV) Data minimization (CCTV) |
Fine of €5,000 |
| 06/10/2024 | COMPANY DISTRIBUTING JOURNALISTIC CONTENT (simplified procedure) |
Information of individuals and consent (cookies) |
Fine of €3,000 and injunction |
| 06/10/2024 | GENERAL PRACTITIONER (simplified procedure) | Failure to respect the right of access (medical records) Lack of cooperation with the CNIL |
Fine of €4,000 and injunction |
| 06/27/2024 | COMPANY SPECIALIZING IN PROPERTY MANAGEMENT AND COMMERCIAL OPERATIONS COMPANY BROADCASTING JOURNALISTIC CONTENT (procédure simplifiée) |
Information of individuals and consent (cookies) |
Fine of €12,000 |
| 07/09/2024 | FRENCH MINISTRY |
Data retention |
Reprimand and injunction |
| 07/22/2024 | MUNICIPALITY | Failure to respond to injunction and non-compliance | Liquidation of the penalty payment of €6,900 |
| 07/25/2024 | PRIVATE HIGHER EDUCATION ESTABLISHMENT (simplified procedure) | Data minimization Data retention Lack of data security |
Fine of €20,000 |
| 08/08/2024 | ENERGY BROKERAGE COMPANY (simplified procedure) |
Data minimization |
Fine of €20,000 and injunction |
| 08/20/2024 | WEBSITE HOST (simplified procedure) | Failure to respect the right to object Lack of cooperation with the CNIL |
Fine of €8,000 |
| 08/28/2024 | COMPANY SPECIALIZING IN STATISTICAL STUDIES OF HEALTH DATA | Authorization from the CNIL unrequested (health data wahehouse) | Fine of €800,000 |
| 08/28/2024 | COMPANY SPECIALIZING IN THE MANAGEMENT OF HEALTH DATA FLOWS | Authorization from the CNIL unrequested (health data wahehouse) | Fine of €200,000 |
| 08/29/2024 | WEB PUBLISHER IN THE TRANSPORT SECTOR | Obligation to perform a data protection impact assessment Information of individuals and consent Obligation to process data lawfully |
Fine of €300,000 |
| 09/05/2024 | CLOTHING RETAILING COMPANY (simplified procedure) | Obligation to process data lawfully Data minimization Information of individuals and transparency (CCTV) Lack of cooperation with the CNIL |
Fine of €15,000 |
| 09/05/2024 | FENCE MANUFACTURING AND INSTALLATION COMPANY (simplified procedure) | Failure to respect the right to access Lack of cooperation with the CNIL |
Fine of €10,000 |
| 09/05/2024 | PUBLICATION AND SALE OF MANAGEMENT SOFTWARES FOR PHYSICIANS | Failure to apply for a CNIL authorization (health data warehouse) Obligation to process data lawfully |
Fine of €800,000 |
| 09/12/2024 | COMPANY OPERATING A CASINO AND A HOTEL (simplified procedure) | Information of individuals (CCTV) Failure to respect the right of access |
Fine of €12,000 |
| 09/13/2024 | MUNICIPALITY (simplified procedure) |
Unlawful processing of data |
Fine of €20,000 |
| 09/19/2024 | ARMOURY SELLING ONLINE AND IN-STORE (simplified procedure) | Data retention period Information of individuals and transparency Failure to respect the right of erasure Lack of data security Obligation to document a data breach |
Fine of €20,000 |
| 09/26/2024 | COMPANY OFFERING IT SYSTEMS AND SOFTWARE CONSULTANCY SERVICES, SOFTWARE PUBLISHING AND PRODUCTION | Lack of cooperation with the CNIL Failure to respect the right of erasure |
Fine of €15,000 and injunction |
| 09/26/2024 | TRAINING ORGANISATION FOR HEALTHCARE PROFESSIONALS |
Information of individuals and consent (cookies) |
Fine of €15,000 and injunction |
| 09/26/2024 | COMPANY OFFERING REMOTE DIVINATION SERVICES | Consent of individuals (online commercial prospection) Consent of individuals (special data category) Data retention period Minimisation of data |
Fine of €250,000 |
| 09/26/2024 | COMPANY ENGAGED IN THE DEVELOPMENT AND PROVISION OF IT AND DIGITAL SERVICES | Consent of individuals (online commercial prospection) Consent of individuals (special data category) Data retention period |
Fine of €150,000 |
| 09/26/2024 | MARKETING COMPANY (simplified procedure) | Failure to respond to the injunction and non-compliance (injunction procedure) | Liquidation of penalty of €3,000 |
| 09/30/2024 | ASSOCIATION FOR THE CREATION OF A PSYCHIATRIC HEALTH NETWORK (simplified procedure) | Lack of cooperation with the CNIL Failure to respect the right of access |
Fine of €3,000 |
| 10/10/2024 | COMPANY MARKETING CRYPTOCURRENCY WALLETS | Lack of data security Data retention period |
Fine of €750,000 |
| 10/11/2024 | ORTHOPHONIST (simplified procedure) | Failure to respond to the injunction and non-compliance | Liquidation of penalty of €4,000 |
| 10/17/2024 | MINISTRY |
Obligation to process accurate data |
Reprimand and injunction |
| 10/17/2024 | MINISTRY | Obligation to process accurate data Information of people Failure to respect the right of access Failure to respect the right of rectification Failure to respect the right of erasure |
Reprimand and injunction |
| 10/17/2024 | COMPANY ENGAGED IN THE PROVISION OF SERVICES (MANAGEMENT OF TELEPHONE CALLS) (simplified procedure) | Information of individuals (CCTV and phone recording) Failure to respect the right to object Lack of data security |
Fine of €20,000 |
| 10/17/2024 | DENTIST SURGEON (simplified procedure) | Failure to respect the right of access (medical file) Lack of cooperation with the CNIL |
Fine of €3,000 and injunction |
| 10/23/2024 | ASSOCIATION PARTICIPATING IN THE ACTIVITIES OF POLITICAL ORGANISATIONS (simplified procedure) | Failure to respond to an injunction and non-compliance (injunction procedure) | Liquidation of penalty of €4,000 |
| 11/14/2024 |
TELECOMMUNICATIONS OPERATOR |
Information of individuals (cookies) |
Fine of €50 million and injunction |
| 11/26/2024 |
IT FACILITIES MANAGEMENT COMPANY (simplified procedure) |
Failure to cooperate with the CNIL | Fine of €15,000 |
| 11/26/2024 |
ASSOCIATION PROVIDING SOCIAL SERVICES WITHOUT ACCOMMODATION AND MANAGING MEDICAL, SOCIAL AND HEALTH ESTABLISHMENTS (simplified procedure) |
Failure to respect the right of access |
Fine of €10,000 |
| 12/05/2024 | COMPANY OFFERING PRIVATE SECURITY SERVICES (simplified procedure) | Minimisation of data Information of individuals and transparency Register of processing activities |
Fine of €20,000 and injunction |
| 12/05/2024 | COMPANY SPECIALISING IN THE DEVELOPMENT AND ORGANISATION OF ADVERTISING CAMPAIGNS (simplified procedure) | Commercial prospecting (article L. 34-5 CPCE) Data retention period Information of individuals and transparency |
Fine of €20,000 |
| 12/05/2024 | COMPANY SELLING COSMETIC PRODUCTS (simplified procedure) | Obligation to process data lawfully (CCTV) Limitation of purpose (CCTV) Minimisation of data (CCTV) Information of individuals |
Fine of €3,000 |
| 12/05/2024 | CLINIC (simplified procedure) | Failure to cooperate with the CNIL | Fine of €15,000 |
| 12/05/2024 | COMPANY DEVELOPING AND MARKETING A BROWSER EXTENSION (simplified procedure) | Lack of legal basis Data retention period Information of individuals and transparency Failure to respect the right of access |
Fine of €240,000 and injunction |
| 12/12/2024 | COMMUNICATION AND AUDIOVISUAL PRODUCTION AGENCY (simplified procedure) | Transparency and information (exercise of rights) Failure to respect the right of access |
Fine of €6,000 |
| 12/12/2024 | RETAIL SALES COMPANY (simplified procedure) | Failure to respect the right of access | Fine of €18,000 |
| 12/12/2024 | COMPANY CARRYING ON THE BUSINESS OF COMPARING DRIVING SCHOOLS (simplified procedure) | Transparency and information (exercise of rights) Failure to respect the right of access |
Fine of €10,000 |
| 12/12/2024 | TWO COMPANIES OPERATING AS PRESS AGENCIES (simplified procedure) | Consent of individuals (cookies) | Fine of €5,000 and Fine of €5,000 |
| 12/12/2024 | CLOTHING RETAIL COMPANY (simplified procedure) | Consent of individuals (cookies) | Fine of €5,000 |
| 12/12/2024 | CLOTHING RETAIL COMPANY (simplified procedure) | Consent of individuals (cookies) | Fine of €3,000 |
| 12/12/2024 | CLOTHING RETAIL COMPANY (simplified procedure) | Consent of individuals (cookies) | Fine of €20,000 |
| 12/12/2024 | CLOTHING RETAIL COMPANY (simplified procedure) | Consent of individuals (cookies) | Fine of €10,000 |
| 12/12/2024 | SOFTWARE DEVELOPMENT TOOLS AND LANGUAGES COMPANY (simplified procedure) | Consent of individuals (cookies) | Fine of €20,000 and injunction |
| 12/12/2024 | COMPANY OPERATING INTERNET PORTALS (simplified procedure) | Consent of individuals (cookies) | Fine of €20,000 and injunction |
| 12/19/2024 | PUBLIC ADMINISTRATIVE ESTABLISHMENT (simplified procedure) | Failure to respect the right of access Failure to cooperate with the CNIL |
Reprimand |
| 12/19/2024 | CALL CENTER (simplified procedure) | Obligation to process data lawfully and with transparency Lack of data security Failure to cooperate with the CNIL |
Fine of €20,000 |
| 12/19/2024 | COMPANY PROVIDING PRIVATE SECURITY, CLOSE PROTECTION, HOTESSARIAT AND LOGISTICS MANAGEMENT SERVICES (simplified procedure) | Failure to cooperate with the CNIL | Fine of €8,000 |
| 12/19/2024 | STOMATOLOGIST (simplified procedure) | Failure to respect the right of access (medical records) Failure to cooperate with the CNIL |
Fine of €5,000 |
| 12/19/2024 | COMPANY PUBLISHING A DEMATERIALISED GAMES WEBSITE (simplified procedure) | Failure to respect the right of access | Fine of €15,000 |
| 12/19/2024 | COMPANY RUNNING A GYM (simplified procedure) | Failure to cooperate with the CNIL | Fine of €3,000 |
| 12/19/2024 | COMPANY SPECIALISING IN INTERNET PORTALS (simplified procedure) | Failure to respect the right of opposition Failure to cooperate with the CNIL |
Fine of €5,000 |
| 12/19/2024 | IT SYSTEMS AND SOFTWARE CONSULTANCY COMPANY (simplified procedure) | Failure to respect the right of access | Fine of €8,000 |
| 12/19/2024 | COMPANY CARRYING ON ESTATE AGENCY BUSINESS | Minimisation of data (CCTV) Obligation to process data lawfully (CCTV) Information of individuals Lack of data security Obligation to perform a data protection impact assessment |
Fine of €40,000 |
| 12/19/2024 | ACCESS TO HEALTHCARE (simplified procedure) | Failure to cooperate with the CNIL | Fine of €5,000 |
| 12/19/2024 | REGIONAL SUPPORT GROUP FOR THE DEVELOPMENT OF E-HEALTH (simplified procedure) | Obligations relating to data processing in health sector Framework for relations between the controller and the processor |
Fine of €20,000 |
| 12/19/2024 | GENERAL PRACTITIONER (simplified procedure) | No response to injunction | Liquidation of the penalty payment of €2,000 |
| 12/26/2024 | COMPANY OPERATING SUPERMARKETS (simplified procedure) |
Minimisation of data |
Fine of €18,000 |
| 12/31/2024 | AMBULANCE TRANSPORT COMPANY (simplified procedure) | Failure to cooperate with the CNIL | Fine of €10,000 |
| 12/31/2024 | INDIVIDUALS (simplified procedure) | Failure to cooperate with the CNIL | Fine of €5,000 |
| 12/31/2024 | COMPANY MANAGING A CONVERSATIONAL ROBOT USING ARTIFICIAL INTELLIGENCE (simplified procedure) | Failure to cooperate with the CNIL | Fine of €5,000 |
Sanctions issued in 2023
| Date | Type of organization | Main breaches/Theme subject | Adopted decision |
|---|---|---|---|
| 01/23/2023 | COMPUTER SYSTEMS AND SOFTWARE CONSULTING COMPANY (simplified procedure) |
Failure to cooperate with the CNIL |
Fine of €5,000 and injunction |
| 02/08/2023 | MUNICIPALITY (simplified procedure) |
Obligation to appoint a data protection officer |
Fine of €5,000 and injunction |
| 02/08/2023 | GENERAL PRACTITIONER (simplified procedure) | Failure to respect the right of access Failure to cooperate with the CNIL |
Fine of €3,000 and injunction |
| 02/08/2023 | COMPANY EXERCISING A RETAIL CLOTHING ACTIVITY IN SPECIALIZED STORES (simplified procedure) | Failure to cooperate with the CNIL | Fine of €10,000 and injunction |
| 03/03/2023 | COMPANY EXERCISING PRIVATE SECURITY ACTIVITY (simplified procedure) |
Failure to comply with the principle of data minimization |
Fine of €15,000 |
| 03/16/2023 | SELF-SERVICE ELECTRIC SCOOTER RENTAL COMPANY | Failure to comply with the principle of data minimization Information to individuals Supervision of the relationship between the controller and the processor |
Fine of €125,000 |
| 03/28/2023 | COMPUTER PROGRAMMING COMPANY (simplified procedure) | Framework for the relationship between the controller and the processor Failure to maintain data security |
Fine of €20,000 |
| 03/28/2023 | MARKETING COMPANY (simplified procedure) | Failure to cooperate with the CNIL | Fine of €10,000 and injunction |
| 04/17/2023 | HOME CARE COMPANY FOR THE ELDERLY AND DISABLED |
Late compliance with data anonymization (injunction procedure) |
Liquidation of the penalty payment of €10,000 |
| 04/17/2023 | COMPANY DEVELOPING FACIAL RECOGNITION SOFTWARE | Failure to respond to the injunction | Liquidation of the fine of 5,200,000 euros |
| 05/11/2023 | COMPANY PUBLISHING A WEBSITE OFFERING ARTICLES, TESTS, QUIZES AND DISCUSSION FORUMS RELATED TO HEALTH AND WELL-BEING | Retention period Consent of individuals (health data) Relationship between data controller and data processor Lack of data security Consent of individuals (cookies and trackers) |
Amende de 380 000 euros |
| 05/12/2023 | DENTIST SURGEON (simplified procedure) | Failure to respect right of access Failure to cooperate with the CNIL |
Fine of €4,500 and injunction |
| 06/08/2023 | ONLINE CLEARVOYANCE | Failure to comply with data minimisation principle Retention period Obligation to process data lawfully Consent of individuals (sensitive data) Informing individuals and transparency Regulation of the relationship between the controller and the processor Lack of data security Obligation to document a data breach Consent of individuals (cookies) |
150,000 euro fine |
| 06/15/2023 | COMPANY SPECIALISING IN THE DISPLAY OF TARGETED ADVERTISING ON THE WEB | Consent of individuals Information and transparency Failure to respect the right of access Withdrawal of consent and deletion of data Supervision of relations between joint data controllers |
Fine of 40 million euros |
| 09/18/2023 | AIR FREIGHT | Data minimisation Prohibition on processing special categories of personal data Collection and processing of data relating to offences, convictions and security mesures Lack of cooperation with the CNIL |
Fine of 200,000 euros |
| 09/28/2023 | FRENCH LITERARY MAGAZINE (simplified procedure) | Information of individuals Lack of cooperation with the CNIL |
Fine of 10,000 euros and order to comply with periodic penalty payment |
| 09/28/2023 | MANUFACTURE OF PLASTIC GOODS FOR COMMON USE (simplified procedure) | Data minimisation Information of individuals and transparency Lack of data security |
Fine of 20,000 euros |
| 09/28/2023 | B2B RETAILING OF FROZEN FOOD(simplified procedure) | Data minimisation Data retention periods Collection and processing of data relating to offences, convictions and security mesures Information of individuals and transparency Record of processing activities Lack of data security |
Fine of 20,000 euros |
| 09/28/2023 | OPTICAL RETAILING (simplified procedure) | Lack of cooperation with the CNIL | Fine of 20,000 euros and order to comply with periodic penalty payment |
| 09/28/2023 | COMPUTER SYSTEMS AND SOFTWARE CONSULTING (simplified procedure) | Lack of cooperation with the CNIL | Fine of 20,000 euros and order to comply with periodic penalty payment |
| 10/12/2023 | CHANNELS EDITING AND PAY TELEVISION DISTRIBUTION | Consent of individuals (B2C prospecting purposes) Failure to respect the right of access Contractual framework between controllers and processors Data breach documentation |
Fine of 600,000 euros |
| 10/23/2023 | PRESS WEBSITE PUBLISHER (simplified procedure) |
Right to object |
Fine of 5,000 euros and order to comply |
| 10/23/2023 | CHILD ABUSE PREVENTION BLOG PUBLISHER (simplified procedure) | Lack of cooperation with the CNIL | Fine of 2,000 euros |
| 10/26/2023 | COMPANY WHOSE MAIN ACTIVITY IS EVENT MANAGEMENT (simplified procedure) |
Data minimisation |
Fine of 2,000 euros |
| 11/08/2023 | COMPANY SPECIALISING IN THE DEVELOPMENT AND THE IMPLEMENTATION OF EMPLOYEE MONITORING SOFTWARES (simplified procedure) | Lack of cooperation with the CNIL | Fine of 20,000 euros |
| 11/09/2023 | FRENCH MINISTRY | Purpose diversion | Reprimand |
| 11/09/2023 | FRENCH MINISTRY | Purpose diversion | Reprimand |
| 11/08/2023 | COMPANY SPECIALISED IN THE DEVELOPMENT AND IMPLEMENTATION OF EMPLOYEE MONITORING SOFTWARES (simplified procedure) | Lack of cooperation with the CNIL | Fine of 20,000 euros |
| 11/15/2023 | MUNICIPALITY (simplified procedure) | Lawfulness of the processing Data retention Lack of security of personal data |
Fine of 6,000 euros |
| 11/16/2023 | COMPANY INVOLVED IN BUSINESS SUPPORT ACTIVITIES, IN PARTICULAR FOR TELEVISED EVENTS (simplified procedure) | Lawfulness of the processing Purpose misuse Lack of security of personal data |
Fine of 8,000 euros |
| 11/22/2023 | ORTHOPHONIST (simplified procedure) | Lack of cooperation with the CNIL Health data right of access |
Fine of 5,000 euros and order to comply |
| 12/11/2023 | PUBLIC FIGURE (procédure simplifiée) | Lack of respect of right to object | Fine of 3,000 euros and order to comply |
| 12/11/2023 | FRENCH MINISTRY | Lawfulness of the processing Data accuracy principle Lack of security of personal data |
Reprimand |
| 12/11/2023 | FRENCH MINISTRY | Lawfulness of the processing Data accuracy principle Lack of security of personal data |
Reprimand |
| 12/12/2023 | MUNICIPALITY | Designation of a data protection officer Lack of cooperation with the CNIL |
Fine of 5,000 euros et injonction |
| 12/27/2023 | ASSOCIATION PROMOTING ACTIONS WITHIN A CITY (simplified procedure) | Lack of cooperation with the CNIL | Fine of 5,000 euros and order to comply |
| 12/27/2023 | PAEDIATRICIAN (simplified procedure) | Lack of cooperation with the CNIL | Fine of 1,000 euros |
| 12/27/2023 | COMPANY SOCIAL AND ECONOMIC COMMITTEE (simplified procedure) | Obligation to involve the Data Protection Officer (DPO) in data protection issues Obligation to help the DPO carry out his duties Obligation to allow data subjects to contact the DPO |
Fine of 10,000 euros |
| 12/27/2023 | LOGISTICS SUPPORT COMPANY | Lack of legal basis Data minimisation Information of individuals and transparency Lack of security of personal data |
Fine of 32 million euros |
| 12/29/2023 | IT SYSTEMS AND SOFTWARE CONSULTANCY COMPANY | Prohibition on the processor recruiting another processor without the authorisation of the controller Lack of security of personal data |
Fine of 100,000 euros |
| 12/29/2023 | ONLINE PAYMENT COMPANY | Data retention Information of individuals and transparency Lack of security of personal data Consent of individuals (cookies) |
Fine of 105,000 euros |
|
12/29/2023 |
COMPANY OFFERING TELECOMMUNICATION SERVICES | Information of individuals and transparency Consent of individuals (cookies) |
Fine of 10 million euros |
| 12/29/2023 | COMPANY PROVIDING ONLINE COMPETITIONS AND PRODUCT TESTS | Lawfulness of the processing (commercial prospecting) Record of processing activities |
Fine of 75,000 euros and order to comply |
Sanctions issued in 2022
| Date | Type of organization | Main breaches/Theme subject | Adopted decision |
|---|---|---|---|
| 01/02/2022 | VEHICLE MAINTENANCE AND REPAIR COMPANY |
Failure to cooperate with the CNIL |
Fine of €3,000 and injunction |
| 03/21/2022 | RESTAURANT |
Failure to respect the principle of data minimization |
Fine of €10,000 |
| 03/24/2022 | NOTARY | Partial compliance with the injunction issued | Liquidation of the fine of €1,000 |
| 04/15/2022 | APPLICATION SOFTWARE PUBLISHING COMPANY | Obligation to regulate the relationship between the controller and the processor Obligation for the processor to process data only on the instructions of the controller Failure to maintain data security |
Fine of €1,500,000 |
| 06/23/2022 | ELECTRICITY AND GAZ PRODUCER & PROVIDER |
L 34-5 CPCE |
Administrative fine of one million euros |
| 06/13/2022 | VEHICLE MAINTENANCE AND REPAIR COMPANY | Failure to cooperate with the CNIL | Liquidation of the fine of €3,900 |
| 07/07/2022 | VEHICLE RENTAL COMPANY | Inadequacy, irrelevance and excessive nature of data Length of retention Information to individuals |
Fine of 175,000 euros |
| 08/03/2022 | COMPANY SPECIALIZING IN THE HOTEL SECTOR | L 34-5 CPCE Consent of individuals Failure to inform Failure to respect the right of access Failure to respect the right of opposition Security and confidentiality of data |
Fine of 600,000 euros |
| 09/08/2022 | ECONOMIC INTEREST GROUPING OF THE CLERKS OF THE COMMERCIAL COURTS OF FRANCE |
Data retention periods |
Fine of 250,000 euros |
| 10/17/2022 | COMPANY DEVELOPING FACIAL RECOGNITION SOFTWARE |
Failure to determine a legal basis |
Fine of 20,000,000 euros and injunction |
| 10/11/2022 | COMPANY DEVELOPING VOICE OVER IP SOFTWARE AND INSTANT MESSAGING | Data retention periods Transparency Failure to inform Data protection by default Obligation to conduct a privacy impact assessment Failure to secure personal data |
Fine of 800,000 euros |
| 11/24/2022 | ENERGY, GAZ AND RELATED SERVICES PROVIDER | L 34-5 CPCE - commercial prospecting Failure to inform Transparency Failure to respect the right to object Failure to respect the right of access Failure to secure personal data |
Fine of 600,000 euros |
| 11/30/2022 | PHONE OPERATOR |
Exercice of rights |
Fine of 300,000 euros and injunction |
| 12/19/2022 | COMPANY SELLING OPERATING SYSTEMS, APPLICATION SOFTWARE, HARDWARE AND RELATED SERVICES | Consent of individuals (cookies and tracking devices) | Fine of 60,000,000 euros and injunction |
| 12/20/2022 | COMPANY MARKETING A BUSINESS CONTACT EXTENSION | Failure to dermine a legal basis Failure to respect the right of access |
Dismissal |
| 12/29/2022 | A COMPANY THAT DEVELOPS AND MARKETS CONSUMER ELECTRONICS, PERSONAL COMPUTERS AND SOFTWARE | Failure to respect the right of access Lack of cooperation with the CNIL |
Fine of 8,000,000 euros |
| 12/29/2022 | PHYSICIAN (simplified procedure) | Failure to respect the right of access Lack of cooperation with the CNIL |
Fine of 5,000 euros |
| 12/29/2022 | PHYSICIAN (simplified procedure) | Failure to respect the right of access Lack of cooperation with the CNIL |
Fine of 5,000 euros |
| 12/29/2022 | UNIVERSITY (simplified procedure) | Failure to respect the right of access Lack of cooperation with the CNIL |
Fine of 10,000 euros |
| 12/29/2022 | COMPANY DEVELOPING MANAGEMENT SOFTWARE AND MARKETING SOFTWARE FOR LOCAL AUTHORITIES (simplified procedure) |
Failure to comply with the data minimisation principle |
Fine of 15,000 euros |
| 12/29/2022 | COMPANIES OPERATING A RANGE OF CONTENT DISTRIBUTION PLATFORMS | Consent of individuals (cookies and tracking devices) | Fine of 5,000,000 euros |
| 12/29/2022 | MOBILE GAMES DEVELOPMENT COMPANY | Consent of individuals (cookies and tracking devices) | Fine of 3,000,000 euros |
Sanctions issued in 2021
| Date | Type of organization | Main breaches/ Theme subject | Adopted decision |
|---|---|---|---|
| 01/06/2021 | OPTICAL RETAIL TRADE |
Failure to respect the exercise of individuals' rightsdata security deficiency |
€250,000 financial penalty and injunction under penalty payment |
| 01/11/2021 | IT SOLUTIONS DEVELOPMENT COMPANY | Lack of data security | Financial penalty of €75,000 |
| 01/12/2021 | MINISTRY |
Lawfulness of the treatment |
Call to order and injunction |
| 06/03/2021 | APPLICATION SOFTWARE PUBLISHING COMPANY |
Lack of data securityillegality of |
Financial penalty of €10,000 |
| 06/14/2021 | COMPANY PUBLISHING A PRIVATE SALES WEBSITE DEDICATED TO DIY, GARDENING AND HOME IMPROVEMENT |
Retention periods |
Financial penalty of €500,000 and injunctions |
| 07/20/2020 | INSURANCE |
Duration of retention lack of |
Financial penalty of €1,750,000 |
| 07/26/2021 | COMPANY SPECIALISED IN AGRICULTURAL BIOTECHNOLOGY |
Failure to inform individuals - obligation to |
Financial penalty of €400,000 |
| 07/27/2021 | PRESS | Consent of individuals (cookies) |
Financial penalty of €50,000 |
| 09/15/2021 | ADVERTISING COMPANY |
Failure to comply with requests to rectify data |
Financial penalty of €3,000 |
| 09/24/2021 | MINISTRY |
Lawfulness of the processing - retention period - |
Call to order and injunction |
| 10/21/2021 | NOTARY | Cooperation with the CNIL | Financial penalty of 3,000 euros and injunction |
| 10/28/2021 | PRIVATE ORGANIZATION | Failure to comply with injunction issued | Liquidation of the penalty payment of €65,000 |
| 10/29/2021 | PUBLIC ESTABLISHMENT OF AN INDUSTRIAL AND COMMERCIAL NATURE |
Failure to comply with the principles of data minimization and responsibility for data retention |
Financial penalty of €400,000 |
| 12/28/2021 | PAYMENT INSTITUTION |
Obligation to regulate relationships with subcontractors |
Financial penalty of €180,000 |
| 12/28/2021 | TELEPHONE OPERATOR |
Failure to respect the right of access |
Financial penalty of €300,000 |
| 12/30/2021 | SALE OF FURNITURE ON THE INTERNET AND IN STORES |
Retention period |
Financial penalty of €120,000 |
| 12/31/2021 | INTERNET SERVICES (SEARCH ENGINE, VIDEO PLATFORM, ETC.) | Cookie refusal mechanism | Financial penalty of €150,000,000 and injunction |
| 12/31/2021 | SOCIAL NETWORK |
Cookie refusal mechanism |
Financial penalty of €60,000,000 and injunction |
Sanctions issued in 2020
| Date | Type of organization | Main breaches/ Theme subject | Adopted decision |
|---|---|---|---|
| 07/28/2020 | E-BUSINESS | Failure to comply with the data minimisation principle; failure to comply with the retention period; failure to inform individuals; failure to ensure data security and confidentiality |
250,000 financial penalty and injunction under penalty payment |
| 09/03/2020 | POLITICAL ASSOCIATION | Failure to cooperate with the CNIL services | Dismissal |
| 09/03/2020 | POLITICAL FIGURE | Breach of the obligation to process data lawfully | Reprimand |
| 09/03/2020 | ADMINISTRATION | Breach of the obligation to process data lawfully | Reprimand |
| 11/18/2020 | LARGE RETAILING | Failure to retain data; failure to exercise rights; failure to inform individuals; failure to provide access, erasure and objection rights; failure to ensure data security and confidentiality; failure to use cookies | Financial penalty of €2,250,000 |
| 11/18/2020 | BANK |
Failure to process data fairly; failure to inform individuals; failure to use cookies |
Financial penalty of €800,000 |
| 11/18/2020 | COOPERATIVE OF RETAIL TRADERS | Failure to ensure data security | Financial penalty of €150,000 |
| 12/03/2020 | TAXI COMPANY | Failure to cooperate with the CNIL services | Financial penalty of €3,000 |
| 12/07/2020 | TECHNOLOGY SERVICES COMPANY | Failure to comply with cookies; failure to inform individuals; failure to obtain consent; failure to exercise the right to object | Financial penalties of €60 million and €40 million and injunctions under penalty |
| 12/07/2020 | E-COMMERCE COMPANY | Failure to comply with cookies; failure to inform individuals | €35 million fine and injunction under penalty |
| 12/07/2020 | PHYSICIAN | Breach of the obligation to ensure data security; breach of the obligation to notify a data breach | Financial penalty of €3,000 |
| 12/07/2020 | PHYSICIAN | Breach of the obligation to ensure data security; breach of the obligation to notify a data breach | Financial penalty of €6,000 |
| 12/07/2020 | COLD CALLING COMPANY | Failure to obtain consent; failure to ensure the adequacy, relevance and non-excessiveness of the personal data processed by the company; failure to comply with the retention period; failure to inform individuals; failure to comply with the right to object; failure to provide a contractual framework for the processor | Financial penalty of €7,300 and injunction under penalty payment |
| 12/07/2020 | HOME-BASED CHILDCARE COMPANY | Failure to comply with the data minimisation principle; failure to comply with the retention period; failure to comply with the obligation to ensure data security | Injunction under penalty payment |
| 12/08/2020 | MEAL DELIVERY COMPANY | Breach of the obligation to obtain consent; breach of the obligation to inform individuals; breach of the obligation to respect the right of access; breach of the obligation to ensure data security | €20,000 and an injunction under penalty payment |
Sanctions issued in 2019
| Date | Name or type of organization | Main breaches/ Theme subject | Adopted decision |
|---|---|---|---|
|
1/21/2019 |
OS AND SERVICES |
Lack of transparency, unsatisfying information and lack of valid consent |
Monetary penalty of 50 000 000 euros |
|
1/31/2019 |
ONLINE SEARCH ENGINE |
De-listing |
Dropping of charges |
|
1/31/2019 |
PROPERTY MANAGEMENT COMPANY |
Security and personal data retention period |
Dropping of charges |
|
1/31/2019 |
NATIONAL PUBLIC ADMINISTRATION |
Personal data security breach |
Injunction with periodic penalty payment |
|
5/28/2019 |
PROPERTY MANAGEMENT COMPANY |
Personal data security breach and non-compliance with the retention periods |
Monetary penalty of 400 000 euros |
| 6/13/2019 | TRANSLATION COMPANY |
Inadequate and excessive data, irrelevant, unsatisfying information, personal data security breach Video surveillance |
Monetary penalty of 20 000 euros, injunction with periodic penalty payment |
| 7/18/2019 | INSURANCE INTERMEDIARY COMPANY |
Personal data security breach |
Monetary penalty of 180 000 euros |
| 10/10/2019 | EARLY CHILDHOOD PHOTOGRAPHY COMPANY |
Failure to comply with the rights of access and to erasure, data security and confidentiality breach |
Monetary penalty |
| 11/21/2019 | ISOLATION EQUIPMENT INSTALLATION COMPANY | Inadequate, irrelevant and excessive data, lack of individual information, non-compliance with the right to object, lack of cooperation with the supervisory authority, no legal data transfer outside the UE | Monetary penalty of 500 000 euros |
| 30/12/2019 | HELP TO DISABLED AND ELDERLY INDIVIDUALS |
Infringements on data retention limitation principle Unsatisfying information Infringements to the obligation of security by processor |
Monetary penaly, injunction with periodic penalty payment |
Sanctions issued in 2018
| Date | Name or type of organization | Main breaches / Theme subject | Adopted decision |
|---|---|---|---|
|
1/8/2018 |
HOUSEHOLD APPLIANCES RETAIL |
Personal data security breach Website |
Monetary penalty |
|
5/7/2018 |
OPTICAL RETAIL |
Personal data security breach Website |
Monetary penalty |
|
6/21/2018 |
ASSOCIATION |
Personal data security breach Website |
Monetary penalty |
| 6/26/2018 | PROXIMITY FREIGHT TRANSPORT ROAD | Failure to comply with the rights of access (especially on tachograph data) | Injunction with periodic penalty payment |
| 7/24/2018 | PRESS GROUP | Personal data security breach and non-compliance with the retention periods | Monetary penalty of 400 000 euros |
| 7/24/2018 | VIDEO-SHARING PLATFORM |
Personal data security breach Website |
Monetary penalty |
| 7/24/2018 | SOCIAL BUILDING CONSTRUCTION & MANAGEMENT | Personal data misuse | Monetary penalty |
| 7/24/2018 | METAL TREATMENT AND COATING COMPANY | Lack of answer to an order to comply from the CNIL | Monetary penalty |
| 9/6/2018 | ASSOCIATION |
Personal data security breach Website |
Monetary penalty |
| 9/6/2018 | ELEVATORS AND PARKING CCTV |
Excessive data, unsatisfying information, lack of personal data security and confidentiality Phone communication recording/Biometrics |
Monetary penalty |
| 12/19/2018 | PRIVATE TRANSPORTS COMPANY |
Personal data security breach Mobile application |
Monetary penalty |
| 12/26/2018 | TELECOM PROVIDER |
Personal data security breach Website |
Monetary penalty |
