The sanctions issued by the CNIL

22 December 2020

The sanctions issued by the CNIL’s restricted committee since the entering into force of the GDPR.

Sanctions issued in 2023

Date Type of organization Main breaches/Theme subject Adopted decision
01/23/2023 COMPUTER SYSTEMS AND SOFTWARE CONSULTING COMPANY (simplified procedure)

Failure to cooperate with the CNIL
Consent of individuals
Information of the persons
Failure to respect the right of erasure
Register of processing activities
Lack of data security

Fine of  €5,000 and injunction

02/08/2023 MUNICIPALITY (simplified procedure)

Obligation to appoint a data protection officer
Failure to cooperate with the CNIL

Fine of  €5,000 and injunction
02/08/2023 GENERAL PRACTITIONER (simplified procedure) Failure to respect the right of access
Failure to cooperate with the CNIL
Fine of  €3,000 and injunction
02/08/2023 COMPANY EXERCISING A RETAIL CLOTHING ACTIVITY IN SPECIALIZED STORES (simplified procedure) Failure to cooperate with the CNIL Fine of  €10,000 and injunction
03/03/2023 COMPANY EXERCISING PRIVATE SECURITY ACTIVITY (simplified procedure)

Failure to comply with the principle of data minimization
Information to individuals
Register of processing activities

Fine of  €15,000
03/16/2023 SELF-SERVICE ELECTRIC SCOOTER RENTAL COMPANY Failure to comply with the principle of data minimization
Information to individuals
Supervision of the relationship between the controller and the processor
Fine of  €125,000
03/28/2023 COMPUTER PROGRAMMING COMPANY (simplified procedure) Framework for the relationship between the controller and the processor
Failure to maintain data security
Fine of €20,000
03/28/2023 MARKETING COMPANY (simplified procedure) Failure to cooperate with the CNIL Fine of €10,000 and injunction
04/17/2023 HOME CARE COMPANY FOR THE ELDERLY AND DISABLED

Late compliance with data anonymization (injunction procedure)

Liquidation of the penalty payment of €10,000
04/17/2023 COMPANY DEVELOPING FACIAL RECOGNITION SOFTWARE Failure to respond to the injunction Liquidation of the fine of 5,200,000 euros
05/11/2023 COMPANY PUBLISHING A WEBSITE OFFERING ARTICLES, TESTS, QUIZES AND DISCUSSION FORUMS RELATED TO HEALTH AND WELL-BEING Retention period
Consent of individuals (health data)
Relationship between data controller and data processor
Lack of data security
Consent of individuals (cookies and trackers)
Amende de 380 000 euros
05/12/2023 DENTIST SURGEON (simplified procedure) Failure to respect right of access
Failure to cooperate with the CNIL
Fine of €4,500 and injunction
06/08/2023 ONLINE CLEARVOYANCE Failure to comply with data minimisation principle
Retention period
Obligation to process data lawfully
Consent of individuals (sensitive data)
Informing individuals and transparency
Regulation of the relationship between the controller and the processor
Lack of data security
Obligation to document a data breach
Consent of individuals (cookies)
150,000 euro fine
06/15/2023 COMPANY SPECIALISING IN THE DISPLAY OF TARGETED ADVERTISING ON THE WEB Consent of individuals
Information and transparency
Failure to respect the right of access
Withdrawal of consent and deletion of data
Supervision of relations between joint data controllers
Fine of 40 million euros
09/18/2023 AIR FREIGHT Data minimisation
Prohibition on processing special categories of personal data
Collection and processing of data relating to offences, convictions and security mesures
Lack of cooperation with the CNIL
Fine of 200,000 euros
09/28/2023 FRENCH LITERARY MAGAZINE (simplified procedure) Information of individuals
Lack of cooperation with the CNIL
Fine of 10,000 euros and order to comply with periodic penalty payment
09/28/2023 MANUFACTURE OF PLASTIC GOODS FOR COMMON USE (simplified procedure) Data minimisation
Information of individuals and transparency
Lack of data security
Fine of 20,000 euros
09/28/2023 B2B RETAILING OF FROZEN FOOD(simplified procedure) Data minimisation
Data retention periods
Collection and processing of data relating to offences, convictions and security mesures
Information of individuals and transparency
Record of processing activities
Lack of data security
Fine of 20,000 euros
09/28/2023 OPTICAL RETAILING (simplified procedure) Lack of cooperation with the CNIL Fine of 20,000 euros and order to comply with periodic penalty payment
09/28/2023 COMPUTER SYSTEMS AND SOFTWARE CONSULTING (simplified procedure) Lack of cooperation with the CNIL Fine of 20,000 euros and order to comply with periodic penalty payment
10/12/2023 CHANNELS EDITING AND PAY TELEVISION DISTRIBUTION Consent of individuals (B2C prospecting purposes)
Failure to respect the right of access
Contractual framework between controllers and processors
Data breach documentation
Fine of 600,000 euros
10/23/2023 PRESS WEBSITE PUBLISHER (simplified procedure)

Right to object
Lack of cooperation with the CNIL

Fine of 5,000 euros and order to comply
10/23/2023 CHILD ABUSE PREVENTION BLOG PUBLISHER (simplified procedure) Lack of cooperation with the CNIL Fine of 2,000 euros
10/26/2023 COMPANY WHOSE MAIN ACTIVITY IS EVENT MANAGEMENT (simplified procedure)

Data minimisation
Information of individuals and transparency
Record of processing activities
Lack of data security

Fine of 2,000 euros
11/08/2023 COMPANY SPECIALISING IN THE DEVELOPMENT AND THE IMPLEMENTATION OF EMPLOYEE MONITORING SOFTWARES (simplified procedure) Lack of cooperation with the CNIL Fine of 20,000 euros
11/09/2023 FRENCH MINISTRY Purpose diversion Call to order
11/09/2023 FRENCH MINISTRY Purpose diversion Call to order
11/08/2023 COMPANY SPECIALISED IN THE DEVELOPMENT AND IMPLEMENTATION OF EMPLOYEE MONITORING SOFTWARES (simplified procedure) Lack of cooperation with the CNIL Fine of 20,000 euros
11/15/2023 MUNICIPALITY (simplified procedure) Lawfulness of the processing
Data retention
Lack of security of personal data
Fine of 6,000 euros
11/16/2023 COMPANY INVOLVED IN BUSINESS SUPPORT ACTIVITIES, IN PARTICULAR FOR TELEVISED EVENTS (simplified procedure) Lawfulness of the processing
Purpose misuse
Lack of security of personal data
Fine of 8,000 euros
11/22/2023 ORTHOPHONIST (simplified procedure) Lack of cooperation with the CNIL
Health data right of access
Fine of 5,000 euros and order to comply
12/11/2023 PUBLIC FIGURE (procédure simplifiée) Lack of respect of right to object Fine of 3,000 euros and order to comply
12/11/2023 FRENCH MINISTRY Lawfulness of the processing
Data accuracy principle
Lack of security of personal data
Call to order
12/11/2023 FRENCH MINISTRY Lawfulness of the processing
Data accuracy principle
Lack of security of personal data
Call to order
12/12/2023 MUNICIPALITY Designation of a data protection officer
Lack of cooperation with the CNIL
Fine of 5,000 euros et injonction
12/27/2023 ASSOCIATION PROMOTING ACTIONS WITHIN A CITY (simplified procedure) Lack of cooperation with the CNIL Fine of 5,000 euros and order to comply
12/27/2023 PAEDIATRICIAN (simplified procedure) Lack of cooperation with the CNIL Fine of 1,000 euros
12/27/2023 COMPANY SOCIAL AND ECONOMIC COMMITTEE (simplified procedure) Obligation to involve the Data Protection Officer (DPO) in data protection issues
Obligation to help the DPO carry out his duties
Obligation to allow data subjects to contact the DPO
Fine of 10,000 euros
12/27/2023 LOGISTICS SUPPORT COMPANY Lack of legal basis
Data minimisation
Information of individuals and transparency
Lack of security of personal data

Fine of 32 million euros

12/29/2023 IT SYSTEMS AND SOFTWARE CONSULTANCY COMPANY Prohibition on the processor recruiting another processor without the authorisation of the controller
Lack of security of personal data
Fine of 100,000 euros
12/29/2023 ONLINE PAYMENT COMPANY Data retention
Information of individuals and transparency
Lack of security of personal data
Consent of individuals (cookies)

Fine of 105,000 euros

12/29/2023

COMPANY OFFERING TELECOMMUNICATION SERVICES Information of individuals and transparency
Consent of individuals (cookies)
Fine of 10 million euros
12/29/2023 COMPANY PROVIDING ONLINE COMPETITIONS AND PRODUCT TESTS Lawfulness of the processing (commercial prospecting)
Record of processing activities
Fine of 75,000 euros and order to comply

Sanctions issued in 2022


Sanctions issued in 2021


Sanctions issued in 2020


Sanctions issued in 2019


Sanctions issued in 2018