The sanctions issued by the CNIL
22 December 2020
The sanctions issued by the CNIL’s restricted committee since the entering into force of the GDPR.
Date | Type of organization | Main breaches/Theme subject | Adopted decision |
---|---|---|---|
01/23/2023 | COMPUTER SYSTEMS AND SOFTWARE CONSULTING COMPANY (simplified procedure) |
Failure to cooperate with the CNIL |
Fine of €5,000 and injunction |
02/08/2023 | MUNICIPALITY (simplified procedure) |
Obligation to appoint a data protection officer |
Fine of €5,000 and injunction |
02/08/2023 | GENERAL PRACTITIONER (simplified procedure) | Failure to respect the right of access Failure to cooperate with the CNIL |
Fine of €3,000 and injunction |
02/08/2023 | COMPANY EXERCISING A RETAIL CLOTHING ACTIVITY IN SPECIALIZED STORES (simplified procedure) | Failure to cooperate with the CNIL | Fine of €10,000 and injunction |
03/03/2023 | COMPANY EXERCISING PRIVATE SECURITY ACTIVITY (simplified procedure) |
Failure to comply with the principle of data minimization |
Fine of €15,000 |
03/16/2023 | SELF-SERVICE ELECTRIC SCOOTER RENTAL COMPANY | Failure to comply with the principle of data minimization Information to individuals Supervision of the relationship between the controller and the processor |
Fine of €125,000 |
03/28/2023 | COMPUTER PROGRAMMING COMPANY (simplified procedure) | Framework for the relationship between the controller and the processor Failure to maintain data security |
Fine of €20,000 |
03/28/2023 | MARKETING COMPANY (simplified procedure) | Failure to cooperate with the CNIL | Fine of €10,000 and injunction |
04/17/2023 | HOME CARE COMPANY FOR THE ELDERLY AND DISABLED |
Late compliance with data anonymization (injunction procedure) |
Liquidation of the penalty payment of €10,000 |
04/17/2023 | COMPANY DEVELOPING FACIAL RECOGNITION SOFTWARE | Failure to respond to the injunction | Liquidation of the fine of 5,200,000 euros |
05/11/2023 | COMPANY PUBLISHING A WEBSITE OFFERING ARTICLES, TESTS, QUIZES AND DISCUSSION FORUMS RELATED TO HEALTH AND WELL-BEING | Retention period Consent of individuals (health data) Relationship between data controller and data processor Lack of data security Consent of individuals (cookies and trackers) |
Amende de 380 000 euros |
05/12/2023 | DENTIST SURGEON (simplified procedure) | Failure to respect right of access Failure to cooperate with the CNIL |
Fine of €4,500 and injunction |
06/08/2023 | ONLINE CLEARVOYANCE | Failure to comply with data minimisation principle Retention period Obligation to process data lawfully Consent of individuals (sensitive data) Informing individuals and transparency Regulation of the relationship between the controller and the processor Lack of data security Obligation to document a data breach Consent of individuals (cookies) |
150,000 euro fine |
06/15/2023 | COMPANY SPECIALISING IN THE DISPLAY OF TARGETED ADVERTISING ON THE WEB | Consent of individuals Information and transparency Failure to respect the right of access Withdrawal of consent and deletion of data Supervision of relations between joint data controllers |
Fine of 40 million euros |