The sanctions issued by the CNIL

02 January 2025

The sanctions issued by the CNIL’s restricted committee since the entering into force of the GDPR.

Sanctions issued in 2024
Date	Type of organization	Main breaches/Theme subject	Adopted decision
01/09/2024	WEBSITE PUBLISHER - REVERSE LOOK-UP DIRECTORY (simplified procedure)	Failure to cooperate with the CNIL Failure to respect the right of access Failure to respect the right to object	Fine of €1,500
01/15/2024	LAWYER (simplified procedure)	Failure to cooperate with the CNIL Failure to respect the right of erasure	Fine of €5,000
01/22/2024	LAWYER (simplified procedure)	Failure to cooperate with the CNIL	Fine of €500
01/24/2024	PHARMACEUTICAL WHOLESALE BUSINESS (simplified procedure)	Lack of data security Failure to cooperate with the CNIL Register of processing activities Obligation for processors to offer sufficient guarantees, recruited after authorization by the controller	Fine of €20,000
01/25/2024	POLITICAL ASSOCIATION (simplified procedure)	Information of individuals and transparency (political canvassing)	Fine of €20,000
01/31/2024	PUBLISHER OF A WEBSITE OFFERING INDIVIDUALS THE OPPORTUNITY TO PUBLISH OR CONSULT REAL ESTATE ADS AND OTHER SERVICES	Lack of data security Framework for relations between the controller and the processor Information of individuals and transparency Data retention periods	Fine of €100,000
01/31/2024	INDIVIDUAL (simplified procedure)	Failure to cooperate with the CNIL	Fine of €500
01/31/2024	DENTAL SURGEON (simplified procedure)	Lack of data security Failure to respect the right of access (health data)	Fine of €5,000
01/31/2024	WEBSITE PUBLISHER - NEWS IN THE FIELD OF NEW TECHNOLOGIES (simplified procedure)	Lack of data security	Fine of €20,000
01/31/2024	COMPANY ENGAGED IN THE MARKETING AND MANAGEMENT OF LOYALTY PROGRAMS AND CARDS (simplified procedure	Obligation to process data lawfully (commercial prospecting by phone)	Fine of €310,000
01/31/2024	BUSINESS SUPPORT COMPANY (simplified procedure)	Lack of data security	Fine of €10,000
02/29/2024	SCIENTIFIC RESEARCH AND DEVELOPMENT COMPANY (simplified procedure)	Obligation to process data lawfully	Fine of €10,000
02/29/2024	DENTAL SURGEON (simplified procedure)	Failure to cooperate with the CNIL Failure to respect the right of access (health data)	Fine of €4,000
04/04/2024	RETAIL SALE OF TELECOMMUNICATIONS EQUIPMENT	Consent of individuals (commercial prospecting by phone - Article L. 34-5 of the French Postal and Electronic Communications Code) Lack of legal basis Information of individuals and transparency (art. 14)	Fine of €525,000
04/04/2024	COMPANY ENGAGED IN COMMERCIAL PROSPECTING BY E-MAIL ON BEHALF OF ADVERTISERS	No response to injunction	Liquidation of the penalty payment of €25,000
04/25/2024	COMPANY OPERATING SHOE AND SPORTSWEAR STORES (simplified procedure)	Information of individuals and consent (cookies)	Fine of €15,000
04/25/2024	ASSOCIATION PARTICIPATING IN THE ACTIVITIES OF POLITICAL ORGANIZATIONS (simplified procedure)	Lack of legal basis	Fine of €16,000 euros and injunction
04/25/2024	FRENCH LITERARY REVIEW (simplified procedure)	Late compliance for erasure requests (injunction procedure)	Liquidation of the penalty payment of €3,000
05/23/2024	NATIONAL PUBLIC ESTABLISHMENT (TEACHING) (simplified procedure)	Data minimization Information of individuals and consent	Fine of €6,000
05/23/2024	COMPANY ENGAGED IN OPTICAL RETAILING (simplified procedure)	Late response to compliance order (injunction procedure)	Liquidation of the penalty payment of €4,000
05/23/2024	COMPANY MANAGING A CALL PLATFORM FOR PROFESSIONAL SECRETARIAT (simplified procedure)	Data minimization Information of individuals and consent Lack of data security	Fine of €15,000
05/23/2024	COMPANY MANAGING A CALL PLATFORM FOR PROFESSIONAL SECRETARIAT (simplified procedure)	Data minimization Information of individuals and consent Lack of data security	Fine of €10,000
06/10/2024	BAKERY (simplified procedure)	Information of individuals Obligation to process data lawfully (CCTV) Data minimization (CCTV)	Fine of €5,000
06/10/2024	COMPANY DISTRIBUTING JOURNALISTIC CONTENT (simplified procedure)	Information of individuals and consent (cookies)	Fine of €3,000 and injunction
06/10/2024	GENERAL PRACTITIONER (simplified procedure)	Failure to respect the right of access (medical records) Lack of cooperation with the CNIL	Fine of €4,000 and injunction
06/27/2024	COMPANY SPECIALIZING IN PROPERTY MANAGEMENT AND COMMERCIAL OPERATIONS COMPANY BROADCASTING JOURNALISTIC CONTENT (procédure simplifiée)	Information of individuals and consent (cookies)	Fine of €12,000
07/09/2024	FRENCH MINISTRY	Data retention Obligation to process data lawfully	Reprimand and injunction
07/22/2024	MUNICIPALITY	Failure to respond to injunction and non-compliance	Liquidation of the penalty payment of €6,900
07/25/2024	PRIVATE HIGHER EDUCATION ESTABLISHMENT (simplified procedure)	Data minimization Data retention Lack of data security	Fine of €20,000
08/08/2024	ENERGY BROKERAGE COMPANY (simplified procedure)	Data minimization Information of individuals and transparency (commercial prospection) Recording of processing activities	Fine of €20,000 and injunction
08/20/2024	WEBSITE HOST (simplified procedure)	Failure to respect the right to object Lack of cooperation with the CNIL	Fine of €8,000
08/28/2024	COMPANY SPECIALIZING IN STATISTICAL STUDIES OF HEALTH DATA	Authorization from the CNIL unrequested (health data wahehouse)	Fine of €800,000
08/28/2024	COMPANY SPECIALIZING IN THE MANAGEMENT OF HEALTH DATA FLOWS	Authorization from the CNIL unrequested (health data wahehouse)	Fine of €200,000
08/29/2024	WEB PUBLISHER IN THE TRANSPORT SECTOR	Obligation to perform a data protection impact assessment Information of individuals and consent Obligation to process data lawfully	Fine of €300,000
09/05/2024	CLOTHING RETAILING COMPANY (simplified procedure)	Obligation to process data lawfully Data minimization Information of individuals and transparency (CCTV) Lack of cooperation with the CNIL	Fine of €15,000
09/05/2024	FENCE MANUFACTURING AND INSTALLATION COMPANY (simplified procedure)	Failure to respect the right to access Lack of cooperation with the CNIL	Fine of €10,000
09/05/2024	PUBLICATION AND SALE OF MANAGEMENT SOFTWARES FOR PHYSICIANS	Failure to apply for a CNIL authorization (health data warehouse) Obligation to process data lawfully	Fine of €800,000
09/12/2024	COMPANY OPERATING A CASINO AND A HOTEL (simplified procedure)	Information of individuals (CCTV) Failure to respect the right of access	Fine of €12,000
09/13/2024	MUNICIPALITY (simplified procedure)	Unlawful processing of data Data retention period Record of processing activities Obligation to appoint a Privacy Officer Lack of cooperation with the CNIL	Fine of €20,000
09/19/2024	ARMOURY SELLING ONLINE AND IN-STORE (simplified procedure)	Data retention period Information of individuals and transparency Failure to respect the right of erasure Lack of data security Obligation to document a data breach	Fine of €20,000
09/26/2024	COMPANY OFFERING IT SYSTEMS AND SOFTWARE CONSULTANCY SERVICES, SOFTWARE PUBLISHING AND PRODUCTION	Lack of cooperation with the CNIL Failure to respect the right of erasure	Fine of €15,000 and injunction
09/26/2024	TRAINING ORGANISATION FOR HEALTHCARE PROFESSIONALS	Information of individuals and consent (cookies) Failure to respect the right of erasure Framework for relations between the controller and the processor Lack of data security	Fine of €15,000 and injunction
09/26/2024	COMPANY OFFERING REMOTE DIVINATION SERVICES	Consent of individuals (online commercial prospection) Consent of individuals (special data category) Data retention period Minimisation of data	Fine of €250,000
09/26/2024	COMPANY ENGAGED IN THE DEVELOPMENT AND PROVISION OF IT AND DIGITAL SERVICES	Consent of individuals (online commercial prospection) Consent of individuals (special data category) Data retention period	Fine of €150,000
09/26/2024	MARKETING COMPANY (simplified procedure)	Failure to respond to the injunction and non-compliance (injunction procedure)	Liquidation of penalty of €3,000
09/30/2024	ASSOCIATION FOR THE CREATION OF A PSYCHIATRIC HEALTH NETWORK (simplified procedure)	Lack of cooperation with the CNIL Failure to respect the right of access	Fine of €3,000
10/10/2024	COMPANY MARKETING CRYPTOCURRENCY WALLETS	Lack of data security Data retention period	Fine of €750,000
10/11/2024	ORTHOPHONIST (simplified procedure)	Failure to respond to the injunction and non-compliance	Liquidation of penalty of €4,000
10/17/2024	MINISTRY	Obligation to process accurate data Information of individuals Failure to respect the right of access Failure to respect the right of rectification Failure to respect the right of erasure	Reprimand and injunction
10/17/2024	MINISTRY	Obligation to process accurate data Information of people Failure to respect the right of access Failure to respect the right of rectification Failure to respect the right of erasure	Reprimand and injunction
10/17/2024	COMPANY ENGAGED IN THE PROVISION OF SERVICES (MANAGEMENT OF TELEPHONE CALLS) (simplified procedure)	Information of individuals (CCTV and phone recording) Failure to respect the right to object Lack of data security	Fine of €20,000
10/17/2024	DENTIST SURGEON (simplified procedure)	Failure to respect the right of access (medical file) Lack of cooperation with the CNIL	Fine of €3,000 and injunction
10/23/2024	ASSOCIATION PARTICIPATING IN THE ACTIVITIES OF POLITICAL ORGANISATIONS (simplified procedure)	Failure to respond to an injunction and non-compliance (injunction procedure)	Liquidation of penalty of €4,000
11/14/2024	TELECOMMUNICATIONS OPERATOR	Information of individuals (cookies) Commercial prospecting (article L. 34-5 CPCE)	Fine of €50 million and injunction
11/26/2024	IT FACILITIES MANAGEMENT COMPANY (simplified procedure)	Failure to cooperate with the CNIL	Fine of €15,000
11/26/2024	ASSOCIATION PROVIDING SOCIAL SERVICES WITHOUT ACCOMMODATION AND MANAGING MEDICAL, SOCIAL AND HEALTH ESTABLISHMENTS (simplified procedure)	Failure to respect the right of access Failure to cooperate with the CNIL	Fine of €10,000
12/05/2024	COMPANY OFFERING PRIVATE SECURITY SERVICES (simplified procedure)	Minimisation of data Information of individuals and transparency Register of processing activities	Fine of €20,000 and injunction
12/05/2024	COMPANY SPECIALISING IN THE DEVELOPMENT AND ORGANISATION OF ADVERTISING CAMPAIGNS (simplified procedure)	Commercial prospecting (article L. 34-5 CPCE) Data retention period Information of individuals and transparency	Fine of €20,000
12/05/2024	COMPANY SELLING COSMETIC PRODUCTS (simplified procedure)	Obligation to process data lawfully (CCTV) Limitation of purpose (CCTV) Minimisation of data (CCTV) Information of individuals	Fine of €3,000
12/05/2024	CLINIC (simplified procedure)	Failure to cooperate with the CNIL	Fine of €15,000
12/05/2024	COMPANY DEVELOPING AND MARKETING A BROWSER EXTENSION (simplified procedure)	Lack of legal basis Data retention period Information of individuals and transparency Failure to respect the right of access	Fine of €240,000 and injunction
12/12/2024	COMMUNICATION AND AUDIOVISUAL PRODUCTION AGENCY (simplified procedure)	Transparency and information (exercise of rights) Failure to respect the right of access	Fine of €6,000
12/12/2024	RETAIL SALES COMPANY (simplified procedure)	Failure to respect the right of access	Fine of €18,000
12/12/2024	COMPANY CARRYING ON THE BUSINESS OF COMPARING DRIVING SCHOOLS (simplified procedure)	Transparency and information (exercise of rights) Failure to respect the right of access	Fine of €10,000
12/12/2024	TWO COMPANIES OPERATING AS PRESS AGENCIES (simplified procedure)	Consent of individuals (cookies)	Fine of €5,000 and Fine of €5,000
12/12/2024	CLOTHING RETAIL COMPANY (simplified procedure)	Consent of individuals (cookies)	Fine of €5,000
12/12/2024	CLOTHING RETAIL COMPANY (simplified procedure)	Consent of individuals (cookies)	Fine of €3,000
12/12/2024	CLOTHING RETAIL COMPANY (simplified procedure)	Consent of individuals (cookies)	Fine of €20,000
12/12/2024	CLOTHING RETAIL COMPANY (simplified procedure)	Consent of individuals (cookies)	Fine of €10,000
12/12/2024	SOFTWARE DEVELOPMENT TOOLS AND LANGUAGES COMPANY (simplified procedure)	Consent of individuals (cookies)	Fine of €20,000 and injunction
12/12/2024	COMPANY OPERATING INTERNET PORTALS (simplified procedure)	Consent of individuals (cookies)	Fine of €20,000 and injunction
12/19/2024	PUBLIC ADMINISTRATIVE ESTABLISHMENT (simplified procedure)	Failure to respect the right of access Failure to cooperate with the CNIL	Reprimand
12/19/2024	CALL CENTER (simplified procedure)	Obligation to process data lawfully and with transparency Lack of data security Failure to cooperate with the CNIL	Fine of €20,000
12/19/2024	COMPANY PROVIDING PRIVATE SECURITY, CLOSE PROTECTION, HOTESSARIAT AND LOGISTICS MANAGEMENT SERVICES (simplified procedure)	Failure to cooperate with the CNIL	Fine of €8,000
12/19/2024	STOMATOLOGIST (simplified procedure)	Failure to respect the right of access (medical records) Failure to cooperate with the CNIL	Fine of €5,000
12/19/2024	COMPANY PUBLISHING A DEMATERIALISED GAMES WEBSITE (simplified procedure)	Failure to respect the right of access	Fine of €15,000
12/19/2024	COMPANY RUNNING A GYM (simplified procedure)	Failure to cooperate with the CNIL	Fine of €3,000
12/19/2024	COMPANY SPECIALISING IN INTERNET PORTALS (simplified procedure)	Failure to respect the right of opposition Failure to cooperate with the CNIL	Fine of €5,000
12/19/2024	IT SYSTEMS AND SOFTWARE CONSULTANCY COMPANY (simplified procedure)	Failure to respect the right of access	Fine of €8,000
12/19/2024	COMPANY CARRYING ON ESTATE AGENCY BUSINESS	Minimisation of data (CCTV) Obligation to process data lawfully (CCTV) Information of individuals Lack of data security Obligation to perform a data protection impact assessment	Fine of €40,000
12/19/2024	ACCESS TO HEALTHCARE (simplified procedure)	Failure to cooperate with the CNIL	Fine of €5,000
12/19/2024	REGIONAL SUPPORT GROUP FOR THE DEVELOPMENT OF E-HEALTH (simplified procedure)	Obligations relating to data processing in health sector Framework for relations between the controller and the processor	Fine of €20,000
12/19/2024	GENERAL PRACTITIONER (simplified procedure)	No response to injunction	Liquidation of the penalty payment of €2,000
12/26/2024	COMPANY OPERATING SUPERMARKETS (simplified procedure)	Minimisation of data Register of processing activities Obligation to carry out a data protection impact assessment	Fine of €18,000
12/31/2024	AMBULANCE TRANSPORT COMPANY (simplified procedure)	Failure to cooperate with the CNIL	Fine of €10,000
12/31/2024	INDIVIDUALS (simplified procedure)	Failure to cooperate with the CNIL	Fine of €5,000
12/31/2024	COMPANY MANAGING A CONVERSATIONAL ROBOT USING ARTIFICIAL INTELLIGENCE (simplified procedure)	Failure to cooperate with the CNIL	Fine of €5,000

Sanctions issued in 2023

Date	Type of organization	Main breaches/Theme subject	Adopted decision
01/23/2023	COMPUTER SYSTEMS AND SOFTWARE CONSULTING COMPANY (simplified procedure)	Failure to cooperate with the CNIL Consent of individuals Information of the persons Failure to respect the right of erasure Register of processing activities Lack of data security	Fine of €5,000 and injunction
02/08/2023	MUNICIPALITY (simplified procedure)	Obligation to appoint a data protection officer Failure to cooperate with the CNIL	Fine of €5,000 and injunction
02/08/2023	GENERAL PRACTITIONER (simplified procedure)	Failure to respect the right of access Failure to cooperate with the CNIL	Fine of €3,000 and injunction
02/08/2023	COMPANY EXERCISING A RETAIL CLOTHING ACTIVITY IN SPECIALIZED STORES (simplified procedure)	Failure to cooperate with the CNIL	Fine of €10,000 and injunction
03/03/2023	COMPANY EXERCISING PRIVATE SECURITY ACTIVITY (simplified procedure)	Failure to comply with the principle of data minimization Information to individuals Register of processing activities	Fine of €15,000
03/16/2023	SELF-SERVICE ELECTRIC SCOOTER RENTAL COMPANY	Failure to comply with the principle of data minimization Information to individuals Supervision of the relationship between the controller and the processor	Fine of €125,000
03/28/2023	COMPUTER PROGRAMMING COMPANY (simplified procedure)	Framework for the relationship between the controller and the processor Failure to maintain data security	Fine of €20,000
03/28/2023	MARKETING COMPANY (simplified procedure)	Failure to cooperate with the CNIL	Fine of €10,000 and injunction
04/17/2023	HOME CARE COMPANY FOR THE ELDERLY AND DISABLED	Late compliance with data anonymization (injunction procedure)	Liquidation of the penalty payment of €10,000
04/17/2023	COMPANY DEVELOPING FACIAL RECOGNITION SOFTWARE	Failure to respond to the injunction	Liquidation of the fine of 5,200,000 euros
05/11/2023	COMPANY PUBLISHING A WEBSITE OFFERING ARTICLES, TESTS, QUIZES AND DISCUSSION FORUMS RELATED TO HEALTH AND WELL-BEING	Retention period Consent of individuals (health data) Relationship between data controller and data processor Lack of data security Consent of individuals (cookies and trackers)	Amende de 380 000 euros
05/12/2023	DENTIST SURGEON (simplified procedure)	Failure to respect right of access Failure to cooperate with the CNIL	Fine of €4,500 and injunction
06/08/2023	ONLINE CLEARVOYANCE	Failure to comply with data minimisation principle Retention period Obligation to process data lawfully Consent of individuals (sensitive data) Informing individuals and transparency Regulation of the relationship between the controller and the processor Lack of data security Obligation to document a data breach Consent of individuals (cookies)	150,000 euro fine
06/15/2023	COMPANY SPECIALISING IN THE DISPLAY OF TARGETED ADVERTISING ON THE WEB	Consent of individuals Information and transparency Failure to respect the right of access Withdrawal of consent and deletion of data Supervision of relations between joint data controllers	Fine of 40 million euros
09/18/2023	AIR FREIGHT	Data minimisation Prohibition on processing special categories of personal data Collection and processing of data relating to offences, convictions and security mesures Lack of cooperation with the CNIL	Fine of 200,000 euros
09/28/2023	FRENCH LITERARY MAGAZINE (simplified procedure)	Information of individuals Lack of cooperation with the CNIL	Fine of 10,000 euros and order to comply with periodic penalty payment
09/28/2023	MANUFACTURE OF PLASTIC GOODS FOR COMMON USE (simplified procedure)	Data minimisation Information of individuals and transparency Lack of data security	Fine of 20,000 euros
09/28/2023	B2B RETAILING OF FROZEN FOOD(simplified procedure)	Data minimisation Data retention periods Collection and processing of data relating to offences, convictions and security mesures Information of individuals and transparency Record of processing activities Lack of data security	Fine of 20,000 euros
09/28/2023	OPTICAL RETAILING (simplified procedure)	Lack of cooperation with the CNIL	Fine of 20,000 euros and order to comply with periodic penalty payment
09/28/2023	COMPUTER SYSTEMS AND SOFTWARE CONSULTING (simplified procedure)	Lack of cooperation with the CNIL	Fine of 20,000 euros and order to comply with periodic penalty payment
10/12/2023	CHANNELS EDITING AND PAY TELEVISION DISTRIBUTION	Consent of individuals (B2C prospecting purposes) Failure to respect the right of access Contractual framework between controllers and processors Data breach documentation	Fine of 600,000 euros
10/23/2023	PRESS WEBSITE PUBLISHER (simplified procedure)	Right to object Lack of cooperation with the CNIL	Fine of 5,000 euros and order to comply
10/23/2023	CHILD ABUSE PREVENTION BLOG PUBLISHER (simplified procedure)	Lack of cooperation with the CNIL	Fine of 2,000 euros
10/26/2023	COMPANY WHOSE MAIN ACTIVITY IS EVENT MANAGEMENT (simplified procedure)	Data minimisation Information of individuals and transparency Record of processing activities Lack of data security	Fine of 2,000 euros
11/08/2023	COMPANY SPECIALISING IN THE DEVELOPMENT AND THE IMPLEMENTATION OF EMPLOYEE MONITORING SOFTWARES (simplified procedure)	Lack of cooperation with the CNIL	Fine of 20,000 euros
11/09/2023	FRENCH MINISTRY	Purpose diversion	Reprimand
11/09/2023	FRENCH MINISTRY	Purpose diversion	Reprimand
11/08/2023	COMPANY SPECIALISED IN THE DEVELOPMENT AND IMPLEMENTATION OF EMPLOYEE MONITORING SOFTWARES (simplified procedure)	Lack of cooperation with the CNIL	Fine of 20,000 euros
11/15/2023	MUNICIPALITY (simplified procedure)	Lawfulness of the processing Data retention Lack of security of personal data	Fine of 6,000 euros
11/16/2023	COMPANY INVOLVED IN BUSINESS SUPPORT ACTIVITIES, IN PARTICULAR FOR TELEVISED EVENTS (simplified procedure)	Lawfulness of the processing Purpose misuse Lack of security of personal data	Fine of 8,000 euros
11/22/2023	ORTHOPHONIST (simplified procedure)	Lack of cooperation with the CNIL Health data right of access	Fine of 5,000 euros and order to comply
12/11/2023	PUBLIC FIGURE (procédure simplifiée)	Lack of respect of right to object	Fine of 3,000 euros and order to comply
12/11/2023	FRENCH MINISTRY	Lawfulness of the processing Data accuracy principle Lack of security of personal data	Reprimand
12/11/2023	FRENCH MINISTRY	Lawfulness of the processing Data accuracy principle Lack of security of personal data	Reprimand
12/12/2023	MUNICIPALITY	Designation of a data protection officer Lack of cooperation with the CNIL	Fine of 5,000 euros et injonction
12/27/2023	ASSOCIATION PROMOTING ACTIONS WITHIN A CITY (simplified procedure)	Lack of cooperation with the CNIL	Fine of 5,000 euros and order to comply
12/27/2023	PAEDIATRICIAN (simplified procedure)	Lack of cooperation with the CNIL	Fine of 1,000 euros
12/27/2023	COMPANY SOCIAL AND ECONOMIC COMMITTEE (simplified procedure)	Obligation to involve the Data Protection Officer (DPO) in data protection issues Obligation to help the DPO carry out his duties Obligation to allow data subjects to contact the DPO	Fine of 10,000 euros
12/27/2023	LOGISTICS SUPPORT COMPANY	Lack of legal basis Data minimisation Information of individuals and transparency Lack of security of personal data	Fine of 32 million euros
12/29/2023	IT SYSTEMS AND SOFTWARE CONSULTANCY COMPANY	Prohibition on the processor recruiting another processor without the authorisation of the controller Lack of security of personal data	Fine of 100,000 euros
12/29/2023	ONLINE PAYMENT COMPANY	Data retention Information of individuals and transparency Lack of security of personal data Consent of individuals (cookies)	Fine of 105,000 euros
12/29/2023	COMPANY OFFERING TELECOMMUNICATION SERVICES	Information of individuals and transparency Consent of individuals (cookies)	Fine of 10 million euros
12/29/2023	COMPANY PROVIDING ONLINE COMPETITIONS AND PRODUCT TESTS	Lawfulness of the processing (commercial prospecting) Record of processing activities	Fine of 75,000 euros and order to comply

Sanctions issued in 2022

Date	Type of organization	Main breaches/Theme subject	Adopted decision
01/02/2022	VEHICLE MAINTENANCE AND REPAIR COMPANY	Failure to cooperate with the CNIL	Fine of €3,000 and injunction
03/21/2022	RESTAURANT	Failure to respect the principle of data minimization Duration of conservation Information of the persons Register of processing activities Cooperation with CNIL services Lack of data security	Fine of €10,000
03/24/2022	NOTARY	Partial compliance with the injunction issued	Liquidation of the fine of €1,000
04/15/2022	APPLICATION SOFTWARE PUBLISHING COMPANY	Obligation to regulate the relationship between the controller and the processor Obligation for the processor to process data only on the instructions of the controller Failure to maintain data security	Fine of €1,500,000
06/23/2022	ELECTRICITY AND GAZ PRODUCER & PROVIDER	L 34-5 CPCE Failure to provide information Exercise of rights Failure to respect the right of access Failure to respect the right to object	Administrative fine of one million euros
06/13/2022	VEHICLE MAINTENANCE AND REPAIR COMPANY	Failure to cooperate with the CNIL	Liquidation of the fine of €3,900
07/07/2022	VEHICLE RENTAL COMPANY	Inadequacy, irrelevance and excessive nature of data Length of retention Information to individuals	Fine of 175,000 euros
08/03/2022	COMPANY SPECIALIZING IN THE HOTEL SECTOR	L 34-5 CPCE Consent of individuals Failure to inform Failure to respect the right of access Failure to respect the right of opposition Security and confidentiality of data	Fine of 600,000 euros
09/08/2022	ECONOMIC INTEREST GROUPING OF THE CLERKS OF THE COMMERCIAL COURTS OF FRANCE	Data retention periods Failure to secure personal data	Fine of 250,000 euros
10/17/2022	COMPANY DEVELOPING FACIAL RECOGNITION SOFTWARE	Failure to determine a legal basis Failure to respect the right of access Failure to respect the right of erasure	Fine of 20,000,000 euros and injunction
10/11/2022	COMPANY DEVELOPING VOICE OVER IP SOFTWARE AND INSTANT MESSAGING	Data retention periods Transparency Failure to inform Data protection by default Obligation to conduct a privacy impact assessment Failure to secure personal data	Fine of 800,000 euros
11/24/2022	ENERGY, GAZ AND RELATED SERVICES PROVIDER	L 34-5 CPCE - commercial prospecting Failure to inform Transparency Failure to respect the right to object Failure to respect the right of access Failure to secure personal data	Fine of 600,000 euros
11/30/2022	PHONE OPERATOR	Exercice of rights Failure to respect the right of access Failure to respect the right of erasure Obligation to document data	Fine of 300,000 euros and injunction
12/19/2022	COMPANY SELLING OPERATING SYSTEMS, APPLICATION SOFTWARE, HARDWARE AND RELATED SERVICES	Consent of individuals (cookies and tracking devices)	Fine of 60,000,000 euros and injunction
12/20/2022	COMPANY MARKETING A BUSINESS CONTACT EXTENSION	Failure to dermine a legal basis Failure to respect the right of access	Dismissal
12/29/2022	A COMPANY THAT DEVELOPS AND MARKETS CONSUMER ELECTRONICS, PERSONAL COMPUTERS AND SOFTWARE	Failure to respect the right of access Lack of cooperation with the CNIL	Fine of 8,000,000 euros
12/29/2022	PHYSICIAN (simplified procedure)	Failure to respect the right of access Lack of cooperation with the CNIL	Fine of 5,000 euros
12/29/2022	PHYSICIAN (simplified procedure)	Failure to respect the right of access Lack of cooperation with the CNIL	Fine of 5,000 euros
12/29/2022	UNIVERSITY (simplified procedure)	Failure to respect the right of access Lack of cooperation with the CNIL	Fine of 10,000 euros
12/29/2022	COMPANY DEVELOPING MANAGEMENT SOFTWARE AND MARKETING SOFTWARE FOR LOCAL AUTHORITIES (simplified procedure)	Failure to comply with the data minimisation principle Data retention period Failure to inform Failure to secure personal data	Fine of 15,000 euros
12/29/2022	COMPANIES OPERATING A RANGE OF CONTENT DISTRIBUTION PLATFORMS	Consent of individuals (cookies and tracking devices)	Fine of 5,000,000 euros
12/29/2022	MOBILE GAMES DEVELOPMENT COMPANY	Consent of individuals (cookies and tracking devices)	Fine of 3,000,000 euros

Sanctions issued in 2021

Date	Type of organization	Main breaches/ Theme subject	Adopted decision
01/06/2021	OPTICAL RETAIL TRADE	Failure to respect the exercise of individuals' rightsdata security deficiency	€250,000 financial penalty and injunction under penalty payment
01/11/2021	IT SOLUTIONS DEVELOPMENT COMPANY	Lack of data security	Financial penalty of €75,000
01/12/2021	MINISTRY	Lawfulness of the treatment Lack of impact assessment Lack of information to individuals	Call to order and injunction
06/03/2021	APPLICATION SOFTWARE PUBLISHING COMPANY	Lack of data securityillegality of processed data	Financial penalty of €10,000
06/14/2021	COMPANY PUBLISHING A PRIVATE SALES WEBSITE DEDICATED TO DIY, GARDENING AND HOME IMPROVEMENT	Retention periods Failure to inform individuals Failure to comply with requests for deletion of data Failure to keep data secure Consent for commercial prospecting	Financial penalty of €500,000 and injunctions
07/20/2020	INSURANCE	Duration of retention lack of Information to individuals	Financial penalty of €1,750,000
07/26/2021	COMPANY SPECIALISED IN AGRICULTURAL BIOTECHNOLOGY	Failure to inform individuals - obligation to Regulate relations with a subcontractor	Financial penalty of €400,000
07/27/2021	PRESS	Consent of individuals (cookies)	Financial penalty of €50,000
09/15/2021	ADVERTISING COMPANY	Failure to comply with requests to rectify data Failure to comply with erasure requests lack of a register of processing activities Cooperation with the CNIL	Financial penalty of €3,000
09/24/2021	MINISTRY	Lawfulness of the processing - retention period - accuracy of the data Lack of data security Failure to inform individuals	Call to order and injunction
10/21/2021	NOTARY	Cooperation with the CNIL	Financial penalty of 3,000 euros and injunction
10/28/2021	PRIVATE ORGANIZATION	Failure to comply with injunction issued	Liquidation of the penalty payment of €65,000
10/29/2021	PUBLIC ESTABLISHMENT OF AN INDUSTRIAL AND COMMERCIAL NATURE	Failure to comply with the principles of data minimization and responsibility for data retention Lack of data security	Financial penalty of €400,000
12/28/2021	PAYMENT INSTITUTION	Obligation to regulate relationships with subcontractors Failure to maintain data security Obligation to notify individuals of a data breach	Financial penalty of €180,000
12/28/2021	TELEPHONE OPERATOR	Failure to respect the right of access Failure to respect the right of rectification Failure to respect the right to object Obligation to protect data by design Failure to ensure data security	Financial penalty of €300,000
12/30/2021	SALE OF FURNITURE ON THE INTERNET AND IN STORES	Retention period Failure to inform individuals Failure to comply with deletion requests Obligation to regulate relations with subcontractors Failure to ensure data security	Financial penalty of €120,000
12/31/2021	INTERNET SERVICES (SEARCH ENGINE, VIDEO PLATFORM, ETC.)	Cookie refusal mechanism	Financial penalty of €150,000,000 and injunction
12/31/2021	SOCIAL NETWORK	Cookie refusal mechanism Failure to inform individuals	Financial penalty of €60,000,000 and injunction

Sanctions issued in 2020

Date	Type of organization	Main breaches/ Theme subject	Adopted decision
07/28/2020	E-BUSINESS	Failure to comply with the data minimisation principle; failure to comply with the retention period; failure to inform individuals; failure to ensure data security and confidentiality	250,000 financial penalty and injunction under penalty payment
09/03/2020	POLITICAL ASSOCIATION	Failure to cooperate with the CNIL services	Dismissal
09/03/2020	POLITICAL FIGURE	Breach of the obligation to process data lawfully	Reprimand
09/03/2020	ADMINISTRATION	Breach of the obligation to process data lawfully	Reprimand
11/18/2020	LARGE RETAILING	Failure to retain data; failure to exercise rights; failure to inform individuals; failure to provide access, erasure and objection rights; failure to ensure data security and confidentiality; failure to use cookies	Financial penalty of €2,250,000
11/18/2020	BANK	Failure to process data fairly; failure to inform individuals; failure to use cookies	Financial penalty of €800,000
11/18/2020	COOPERATIVE OF RETAIL TRADERS	Failure to ensure data security	Financial penalty of €150,000
12/03/2020	TAXI COMPANY	Failure to cooperate with the CNIL services	Financial penalty of €3,000
12/07/2020	TECHNOLOGY SERVICES COMPANY	Failure to comply with cookies; failure to inform individuals; failure to obtain consent; failure to exercise the right to object	Financial penalties of €60 million and €40 million and injunctions under penalty
12/07/2020	E-COMMERCE COMPANY	Failure to comply with cookies; failure to inform individuals	€35 million fine and injunction under penalty
12/07/2020	PHYSICIAN	Breach of the obligation to ensure data security; breach of the obligation to notify a data breach	Financial penalty of €3,000
12/07/2020	PHYSICIAN	Breach of the obligation to ensure data security; breach of the obligation to notify a data breach	Financial penalty of €6,000
12/07/2020	COLD CALLING COMPANY	Failure to obtain consent; failure to ensure the adequacy, relevance and non-excessiveness of the personal data processed by the company; failure to comply with the retention period; failure to inform individuals; failure to comply with the right to object; failure to provide a contractual framework for the processor	Financial penalty of €7,300 and injunction under penalty payment
12/07/2020	HOME-BASED CHILDCARE COMPANY	Failure to comply with the data minimisation principle; failure to comply with the retention period; failure to comply with the obligation to ensure data security	Injunction under penalty payment
12/08/2020	MEAL DELIVERY COMPANY	Breach of the obligation to obtain consent; breach of the obligation to inform individuals; breach of the obligation to respect the right of access; breach of the obligation to ensure data security	€20,000 and an injunction under penalty payment

Sanctions issued in 2019

Date	Name or type of organization	Main breaches/ Theme subject	Adopted decision
1/21/2019	OS AND SERVICES	Lack of transparency, unsatisfying information and lack of valid consent	Monetary penalty of 50 000 000 euros
1/31/2019	ONLINE SEARCH ENGINE	De-listing	Dropping of charges
1/31/2019	PROPERTY MANAGEMENT COMPANY	Security and personal data retention period	Dropping of charges
1/31/2019	NATIONAL PUBLIC ADMINISTRATION	Personal data security breach	Injunction with periodic penalty payment
5/28/2019	PROPERTY MANAGEMENT COMPANY	Personal data security breach and non-compliance with the retention periods	Monetary penalty of 400 000 euros
6/13/2019	TRANSLATION COMPANY	Inadequate and excessive data, irrelevant, unsatisfying information, personal data security breach Video surveillance	Monetary penalty of 20 000 euros, injunction with periodic penalty payment
7/18/2019	INSURANCE INTERMEDIARY COMPANY	Personal data security breach	Monetary penalty of 180 000 euros
10/10/2019	EARLY CHILDHOOD PHOTOGRAPHY COMPANY	Failure to comply with the rights of access and to erasure, data security and confidentiality breach	Monetary penalty
11/21/2019	ISOLATION EQUIPMENT INSTALLATION COMPANY	Inadequate, irrelevant and excessive data, lack of individual information, non-compliance with the right to object, lack of cooperation with the supervisory authority, no legal data transfer outside the UE	Monetary penalty of 500 000 euros
30/12/2019	HELP TO DISABLED AND ELDERLY INDIVIDUALS	Infringements on data retention limitation principle Unsatisfying information Infringements to the obligation of security by processor	Monetary penaly, injunction with periodic penalty payment

Sanctions issued in 2018

Date	Name or type of organization	Main breaches / Theme subject	Adopted decision
1/8/2018	HOUSEHOLD APPLIANCES RETAIL	Personal data security breach Website	Monetary penalty
5/7/2018	OPTICAL RETAIL	Personal data security breach Website	Monetary penalty
6/21/2018	ASSOCIATION	Personal data security breach Website	Monetary penalty
6/26/2018	PROXIMITY FREIGHT TRANSPORT ROAD	Failure to comply with the rights of access (especially on tachograph data)	Injunction with periodic penalty payment
7/24/2018	PRESS GROUP	Personal data security breach and non-compliance with the retention periods	Monetary penalty of 400 000 euros
7/24/2018	VIDEO-SHARING PLATFORM	Personal data security breach Website	Monetary penalty
7/24/2018	SOCIAL BUILDING CONSTRUCTION & MANAGEMENT	Personal data misuse	Monetary penalty
7/24/2018	METAL TREATMENT AND COATING COMPANY	Lack of answer to an order to comply from the CNIL	Monetary penalty
9/6/2018	ASSOCIATION	Personal data security breach Website	Monetary penalty
9/6/2018	ELEVATORS AND PARKING CCTV	Excessive data, unsatisfying information, lack of personal data security and confidentiality Phone communication recording/Biometrics	Monetary penalty
12/19/2018	PRIVATE TRANSPORTS COMPANY	Personal data security breach Mobile application	Monetary penalty
12/26/2018	TELECOM PROVIDER	Personal data security breach Website	Monetary penalty