The sanctions issued by the CNIL

01 December 2021

The sanctions issued by the CNIL’s restricted committee since the entering into force of the GDPR.

Sanctions issued in 2021
Date	Type d'organisme	Manquements principaux / Thème	Décision adoptée
01/06/2021	OPTICAL RETAIL TRADE	Failure to respect the exercise of individuals' rightsdata security deficiency	€250,000 financial penalty and injunction under penalty payment
01/11/2021	IT SOLUTIONS DEVELOPMENT COMPANY	Lack of data security	Financial penalty of €75,000
01/12/2021	MINISTRY	Lawfulness of the treatment Lack of impact assessment Lack of information to individuals	Call to order and injunction
06/03/2021	APPLICATION SOFTWARE PUBLISHING COMPANY	Lack of data securityillegality of processed data	Financial penalty of €10,000
06/14/2021	COMPANY PUBLISHING A PRIVATE SALES WEBSITE DEDICATED TO DIY, GARDENING AND HOME IMPROVEMENT	Retention periods Failure to inform individuals Failure to comply with requests for deletion of data Failure to keep data secure Consent for commercial prospecting	Financial penalty of €500,000 and injunctions
07/20/2020	INSURANCE	Duration of retention lack of Information to individuals	Financial penalty of €1,750,000
07/26/2021	COMPANY SPECIALISED IN AGRICULTURAL BIOTECHNOLOGY	Failure to inform individuals - obligation to Regulate relations with a subcontractor	Financial penalty of €400,000
07/27/2021	PRESS	Consent of individuals (cookies)	Financial penalty of €50,000
09/15/2021	ADVERTISING COMPANY	Failure to comply with requests to rectify data Failure to comply with erasure requests lack of a register of processing activities Cooperation with the CNIL	Financial penalty of €3,000
09/24/2021	MINISTRY	Lawfulness of the processing - retention period - accuracy of the data Lack of data security Failure to inform individuals	Call to order and injunction
10/21/2021	NOTARY	Cooperation with the CNIL	Financial penalty of 3,000 euros and injunction
10/28/2021	PRIVATE ORGANIZATION	Failure to comply with injunction issued	Liquidation of the penalty payment of €65,000
10/29/2021	PUBLIC ESTABLISHMENT OF AN INDUSTRIAL AND COMMERCIAL NATURE	Failure to comply with the principles of data minimization and responsibility for data retention Lack of data security	Financial penalty of €400,000
12/28/2021	PAYMENT INSTITUTION	Obligation to regulate relationships with subcontractors Failure to maintain data security Obligation to notify individuals of a data breach	Financial penalty of €180,000
12/28/2021	TELEPHONE OPERATOR	Failure to respect the right of access Failure to respect the right of rectification Failure to respect the right to object Obligation to protect data by design Failure to ensure data security	Financial penalty of €300,000
12/30/2021	SALE OF FURNITURE ON THE INTERNET AND IN STORES	Retention period Failure to inform individuals Failure to comply with deletion requests Obligation to regulate relations with subcontractors Failure to ensure data security	Financial penalty of €120,000
12/31/2021	INTERNET SERVICES (SEARCH ENGINE, VIDEO PLATFORM, ETC.)	Cookie refusal mechanism	Financial penalty of €150,000,000 and injunction
12/31/2021	SOCIAL NETWORK	Cookie refusal mechanism Failure to inform individuals	Financial penalty of €60,000,000 and injunction

Sanctions issued in 2020

Date	Type d'organisme	Manquements principaux / Thème	Décision adoptée
07/28/2020	E-BUSINESS	Failure to comply with the data minimisation principle; failure to comply with the retention period; failure to inform individuals; failure to ensure data security and confidentiality	250,000 financial penalty and injunction under penalty payment
09/03/2020	POLITICAL ASSOCIATION	Failure to cooperate with the CNIL services	Dismissal
09/03/2020	POLITICAL FIGURE	Breach of the obligation to process data lawfully	Call to order
09/03/2020	ADMINISTRATION	Breach of the obligation to process data lawfully	Call to order
11/18/2020	LARGE RETAILING	Failure to retain data; failure to exercise rights; failure to inform individuals; failure to provide access, erasure and objection rights; failure to ensure data security and confidentiality; failure to use cookies	Financial penalty of €2,250,000
11/18/2020	BANK	Failure to process data fairly; failure to inform individuals; failure to use cookies	Financial penalty of €800,000
11/18/2020	COOPERATIVE OF RETAIL TRADERS	Failure to ensure data security	Financial penalty of €150,000
12/03/2020	TAXI COMPANY	Failure to cooperate with the CNIL services	Financial penalty of €3,000
12/07/2020	TECHNOLOGY SERVICES COMPANY	Failure to comply with cookies; failure to inform individuals; failure to obtain consent; failure to exercise the right to object	Financial penalties of €60 million and €40 million and injunctions under penalty
12/07/2020	E-COMMERCE COMPANY	Failure to comply with cookies; failure to inform individuals	€35 million fine and injunction under penalty
12/07/2020	PHYSICIAN	Breach of the obligation to ensure data security; breach of the obligation to notify a data breach	Financial penalty of €3,000
12/07/2020	PHYSICIAN	Breach of the obligation to ensure data security; breach of the obligation to notify a data breach	Financial penalty of €6,000
12/07/2020	COLD CALLING COMPANY	Failure to obtain consent; failure to ensure the adequacy, relevance and non-excessiveness of the personal data processed by the company; failure to comply with the retention period; failure to inform individuals; failure to comply with the right to object; failure to provide a contractual framework for the processor	Financial penalty of €7,300 and injunction under penalty payment
12/07/2020	HOME-BASED CHILDCARE COMPANY	Failure to comply with the data minimisation principle; failure to comply with the retention period; failure to comply with the obligation to ensure data security	Injunction under penalty payment
12/08/2020	MEAL DELIVERY COMPANY	Breach of the obligation to obtain consent; breach of the obligation to inform individuals; breach of the obligation to respect the right of access; breach of the obligation to ensure data security	€20,000 and an injunction under penalty payment

Sanctions issued in 2019

Sanctions issued in 2018

Keywords associated to this article

#Sanction

This can also interest you ...

Health data breach: DEDALUS BIOLOGIE fined 1.5 million euros

On 15th April 2022, the CNIL's restricted committee imposed a sanction of 1.5 million euros on the company DEDALUS BIOLOGIE, in particular because of security weaknesses that led ...

2021 - a year of records for the CNIL

2021, a record year for the CNIL's enforcement action

04 February 2022

Cookies: The Council of State confirms the sanction imposed by the CNIL in 2020 on Google LLC and Google Ireland Limited

In its judgment of 28 January 2022, the Conseil d'État (French Council of State) confirmed the jurisdiction of the CNIL to impose sanctions regarding cookies, outside the ...

28 January 2022

Cookies and tracking devices