The sanctions issued by the CNIL

01 December 2021

The sanctions issued by the CNIL’s restricted committee since the entering into force of the GDPR.

Sanctions issued in 2021
Date	Type d'organisme	Manquements principaux / Thème	Décision adoptée
01/06/2021	OPTICAL RETAIL TRADE	Failure to respect the exercise of individuals' rightsdata security deficiency	€250,000 financial penalty and injunction under penalty payment
01/11/2021	IT SOLUTIONS DEVELOPMENT COMPANY	Lack of data security	Financial penalty of €75,000
01/12/2021	MINISTRY	Lawfulness of the treatment Lack of impact assessment Lack of information to individuals	Call to order and injunction
06/03/2021	APPLICATION SOFTWARE PUBLISHING COMPANY	Lack of data securityillegality of processed data	Financial penalty of €10,000
06/14/2021	COMPANY PUBLISHING A PRIVATE SALES WEBSITE DEDICATED TO DIY, GARDENING AND HOME IMPROVEMENT	Retention periods Failure to inform individuals Failure to comply with requests for deletion of data Failure to keep data secure Consent for commercial prospecting	Financial penalty of €500,000 and injunctions
07/20/2020	INSURANCE	Duration of retention lack of Information to individuals	Financial penalty of €1,750,000
07/26/2021	COMPANY SPECIALISED IN AGRICULTURAL BIOTECHNOLOGY	Failure to inform individuals - obligation to Regulate relations with a subcontractor	Financial penalty of €400,000
07/27/2021	PRESS	Consent of individuals (cookies)	Financial penalty of €50,000
09/15/2021	ADVERTISING COMPANY	Failure to comply with requests to rectify data Failure to comply with erasure requests lack of a register of processing activities Cooperation with the CNIL	Financial penalty of €3,000
09/24/2021	MINISTRY	Lawfulness of the processing - retention period - accuracy of the data Lack of data security Failure to inform individuals	Call to order and injunction
10/21/2021	NOTARY	Cooperation with the CNIL	Financial penalty of 3,000 euros and injunction
10/28/2021	PRIVATE ORGANIZATION	Failure to comply with injunction issued	Liquidation of the penalty payment of €65,000
10/29/2021	PUBLIC ESTABLISHMENT OF AN INDUSTRIAL AND COMMERCIAL NATURE	Failure to comply with the principles of data minimization and responsibility for data retention Lack of data security	Financial penalty of €400,000
12/28/2021	PAYMENT INSTITUTION	Obligation to regulate relationships with subcontractors Failure to maintain data security Obligation to notify individuals of a data breach	Financial penalty of €180,000
12/28/2021	TELEPHONE OPERATOR	Failure to respect the right of access Failure to respect the right of rectification Failure to respect the right to object Obligation to protect data by design Failure to ensure data security	Financial penalty of €300,000
12/30/2021	SALE OF FURNITURE ON THE INTERNET AND IN STORES	Retention period Failure to inform individuals Failure to comply with deletion requests Obligation to regulate relations with subcontractors Failure to ensure data security	Financial penalty of €120,000
12/31/2021	INTERNET SERVICES (SEARCH ENGINE, VIDEO PLATFORM, ETC.)	Cookie refusal mechanism	Financial penalty of €150,000,000 and injunction
12/31/2021	SOCIAL NETWORK	Cookie refusal mechanism Failure to inform individuals	Financial penalty of €60,000,000 and injunction

Sanctions issued in 2020

Date	Type d'organisme	Manquements principaux / Thème	Décision adoptée
07/28/2020	E-BUSINESS	Failure to comply with the data minimisation principle; failure to comply with the retention period; failure to inform individuals; failure to ensure data security and confidentiality	250,000 financial penalty and injunction under penalty payment
09/03/2020	POLITICAL ASSOCIATION	Failure to cooperate with the CNIL services	Dismissal
09/03/2020	POLITICAL FIGURE	Breach of the obligation to process data lawfully	Call to order
09/03/2020	ADMINISTRATION	Breach of the obligation to process data lawfully	Call to order
11/18/2020	LARGE RETAILING	Failure to retain data; failure to exercise rights; failure to inform individuals; failure to provide access, erasure and objection rights; failure to ensure data security and confidentiality; failure to use cookies	Financial penalty of €2,250,000
11/18/2020	BANK	Failure to process data fairly; failure to inform individuals; failure to use cookies	Financial penalty of €800,000
11/18/2020	COOPERATIVE OF RETAIL TRADERS	Failure to ensure data security	Financial penalty of €150,000
12/03/2020	TAXI COMPANY	Failure to cooperate with the CNIL services	Financial penalty of €3,000
12/07/2020	TECHNOLOGY SERVICES COMPANY	Failure to comply with cookies; failure to inform individuals; failure to obtain consent; failure to exercise the right to object	Financial penalties of €60 million and €40 million and injunctions under penalty
12/07/2020	E-COMMERCE COMPANY	Failure to comply with cookies; failure to inform individuals	€35 million fine and injunction under penalty
12/07/2020	PHYSICIAN	Breach of the obligation to ensure data security; breach of the obligation to notify a data breach	Financial penalty of €3,000
12/07/2020	PHYSICIAN	Breach of the obligation to ensure data security; breach of the obligation to notify a data breach	Financial penalty of €6,000
12/07/2020	COLD CALLING COMPANY	Failure to obtain consent; failure to ensure the adequacy, relevance and non-excessiveness of the personal data processed by the company; failure to comply with the retention period; failure to inform individuals; failure to comply with the right to object; failure to provide a contractual framework for the processor	Financial penalty of €7,300 and injunction under penalty payment
12/07/2020	HOME-BASED CHILDCARE COMPANY	Failure to comply with the data minimisation principle; failure to comply with the retention period; failure to comply with the obligation to ensure data security	Injunction under penalty payment
12/08/2020	MEAL DELIVERY COMPANY	Breach of the obligation to obtain consent; breach of the obligation to inform individuals; breach of the obligation to respect the right of access; breach of the obligation to ensure data security	€20,000 and an injunction under penalty payment

Sanctions issued in 2019

Sanctions issued in 2018

Keywords associated to this article

#Sanction

This can also interest you ...

Commercial prospecting and rights of individuals: EDF fined 600 000 euros

On 24 November 2022, the CNIL issued an administrative fine of 600 000 euros against the company EDF, in particular because it didn't respect its obligations regarding commercial ...

29 November 2022

DISCORD INC. fined 800 000 euros

On 10th November 2022, the CNIL fined DISCORD INC. 800,000 euros for failing to comply with several obligations of the GDPR, in particular with regard to the data retention periods...

17 November 2022

Facial recognition: 20 million euros penalty against CLEARVIEW AI

Following a formal notice which remained unaddressed, the CNIL imposed a penalty of 20 million euros and ordered CLEARVIEW AI to stop collecting and using data on individuals in ...

20 October 2022