Sanctions and corrective measures: CNIL’s actions in 2024
2024 was marked by a sharp increase in the total number of corrective measures pronounced by the CNIL: the number of sanctions has doubled, while the number of compliance orders and reprimands has kept increasing.
Key figures
A total of 331 decisions, of which:
87 sanctions
€55,212,400 in cumulative fines
180 compliance orders
64 reprimands
In 2024, repressive action was characterized by an increase in the number of measures adopted: the total number of sanctions issued rose from 21 in 2022 to 42 in 2023 and 87 in 2024. The CNIL also issued 180 compliance orders and 64 reprimands for breaches of legal obligations, an unprecedented number for this type of measure.
Overall, the CNIL issued 331 corrective measures.
Sanctions as varied as ever
In 2024, 87 sanctions were handed down by the CNIL, for a total amount of 55,212,400 euros. Among them, 18 were issued under the ordinary procedure and 69 under the simplified procedure introduced in 2022.
These sanctions include 72 fines (including 14 with injunctions under penalty), 8 decisions to liquidate an injunction (i.e. the payment of a penalty due to non-compliance with an order given by the CNIL in its sanction decision) and 4 reminders of the law. 12 of these decisions were made public.
Overview of penalties imposed by the restricted committee
Recurring infringements in commercial prospecting
Commercial canvassing is one of the main themes addressed in 2024 sanction decisions. The restricted committee - the CNIL body responsible for issuing sanctions - has thus reiterated on several occasions that organizations that use, for electronic commercial prospecting purposes, personal data transmitted by partners who collected it first (e.g. for the running of a competition) or by data brokers must ensure that the conditions under which the data was collected comply with the GDPR (where necessary, with the consent of the individual and after the provision of clear and concise information).
The CNIL also reminded that an e-mail provider who inserts advertisements among e-mails received by its users in their inboxes must first obtain their consent.
Health data special protection requirements
The CNIL also issued a number of decisions on the anonymization of health data. In particular, the restricted committee ruled on the qualification of data processed in health data warehouses. It recalled that, even when data is collected on a large scale by an organization that is unaware of the identity of the individuals concerned, such data remains pseudonymous rather than anonymous when it is linked through an identifier, since that identifier presents a risk of re-identification. Therefore, these data remain personal data to which the law applies.
Lastly, the restricted committee issued 3 warnings to government departments, notably for failing to ensure the accuracy of the data contained in their databases, in the context of several separate processing operations. In particular, with regard to the processing of criminal records, the restricted committee noted that many files drawn up by police departments had not been updated to take account of acquittal decisions regarding individuals.
European cooperation on certain issues
Among these decisions, 7 were adopted in cooperation with the CNIL's European counterparts, as part of the one-stop shop provided for by the GDPR.
At the same time, the CNIL examined 12 draft decisions from European counterparts relating to processing operations involving people living in France.
The simplified sanction procedure
In 2024, the simplified sanction procedure was further developed: the chair of the restricted committee (or a member of the latter) issued 69 sanctions, almost three times as many as in 2023. These resulted in 50 fines, 12 fines with injunctions and 6 liquidations of injunctions, for a total of 715,500 euros, as well as one reminder of the law.
In 2024, as in the previous year, the main failure to comply in the simplified procedure cases related to cooperation with the CNIL: 27 organizations (companies, self-employed professionals) were sanctioned for failing to respond to the CNIL's requests.
The second most sanctioned infringement was the failure to respond to individuals' exercise of rights, with 23 decisions concerning a failure to comply with a request for deletion, opposition or access, the latter alone accounting for 16 decisions.
The failure to minimize data, whether in the form of excessive comments, the systematic recording of phone conversations in their entirety, or the permanent video surveillance of employees at their workstations, was sanctioned in 10 decisions.
A breach of personal data security was found against 11 organizations that had not implemented all the measures necessary to ensure data security, for example through the use of insufficiently robust passwords, the storage of passwords in clear text, the absence of an authorization policy, or the use of an obsolete version of the TLS protocol, which ensures the confidentiality and integrity of information exchanged between the server and the user's browser.
Lastly, 11 organizations were penalized for not allowing users to refuse cookies as easily as to accept them, notably by making the cookie refusal mechanism more complex.
An increase in compliance orders
In 2024, the CNIL issued 180 compliance orders (a compliance order is a decision by the CNIL's chair ordering an organization to comply within a set deadline).
The major themes addressed in these formal notices include:
- Access to the digital patient record (dossier patient informatisé or DPI in French): this record centralizes all the health data of patients cared for within a healthcare establishment and gives healthcare professionals easy access to their medical information. The CNIL has served formal notice on several healthcare establishments to take measures to ensure the security of the digital patient record, reminding them that patient data should only be accessible to those with a justified need to know.
- Failure to respond to a request to exercise a right: the CNIL receives numerous complaints concerning an organization's failure to respond to a request to exercise a right (right of access to data, right of opposition or right to data deletion). The CNIL has given dozens of organizations compliance orders to respond to these requests and, in the event of inaction, has initiated a simplified sanction procedure against several of them.
- Other issues were also dealt with under the simplified sanction procedure: video surveillance of employees at their workstations, and inadequate security measures to protect data.