The sanctions issued by the CNIL

22 December 2020

The sanctions issued by the CNIL’s restricted committee since the entering into force of the GDPR.

Sanctions issued in 2023
Date	Type of organization	Main breaches/Theme subject	Adopted decision
01/23/2023	COMPUTER SYSTEMS AND SOFTWARE CONSULTING COMPANY (simplified procedure)	Failure to cooperate with the CNIL Consent of individuals Information of the persons Failure to respect the right of erasure Register of processing activities Lack of data security	Fine of €5,000 and injunction
02/08/2023	MUNICIPALITY (simplified procedure)	Obligation to appoint a data protection officer Failure to cooperate with the CNIL	Fine of €5,000 and injunction
02/08/2023	GENERAL PRACTITIONER (simplified procedure)	Failure to respect the right of access Failure to cooperate with the CNIL	Fine of €3,000 and injunction
02/08/2023	COMPANY EXERCISING A RETAIL CLOTHING ACTIVITY IN SPECIALIZED STORES (simplified procedure)	Failure to cooperate with the CNIL	Fine of €10,000 and injunction
03/03/2023	COMPANY EXERCISING PRIVATE SECURITY ACTIVITY (simplified procedure)	Failure to comply with the principle of data minimization Information to individuals Register of processing activities	Fine of €15,000
03/16/2023	SELF-SERVICE ELECTRIC SCOOTER RENTAL COMPANY	Failure to comply with the principle of data minimization Information to individuals Supervision of the relationship between the controller and the processor	Fine of €125,000
03/28/2023	COMPUTER PROGRAMMING COMPANY (simplified procedure)	Framework for the relationship between the controller and the processor Failure to maintain data security	Fine of €20,000
03/28/2023	MARKETING COMPANY (simplified procedure)	Failure to cooperate with the CNIL	Fine of €10,000 and injunction
04/17/2023	HOME CARE COMPANY FOR THE ELDERLY AND DISABLED	Late compliance with data anonymization (injunction procedure)	Liquidation of the penalty payment of €10,000
04/17/2023	COMPANY DEVELOPING FACIAL RECOGNITION SOFTWARE	Failure to respond to the injunction	Liquidation of the fine of 5,200,000 euros
05/11/2023	COMPANY PUBLISHING A WEBSITE OFFERING ARTICLES, TESTS, QUIZES AND DISCUSSION FORUMS RELATED TO HEALTH AND WELL-BEING	Retention period Consent of individuals (health data) Relationship between data controller and data processor Lack of data security Consent of individuals (cookies and trackers)	Amende de 380 000 euros
05/12/2023	DENTIST SURGEON (simplified procedure)	Failure to respect right of access Failure to cooperate with the CNIL	Fine of €4,500 and injunction
06/08/2023	ONLINE CLEARVOYANCE	Failure to comply with data minimisation principle Retention period Obligation to process data lawfully Consent of individuals (sensitive data) Informing individuals and transparency Regulation of the relationship between the controller and the processor Lack of data security Obligation to document a data breach Consent of individuals (cookies)	150,000 euro fine
06/15/2023	COMPANY SPECIALISING IN THE DISPLAY OF TARGETED ADVERTISING ON THE WEB	Consent of individuals Information and transparency Failure to respect the right of access Withdrawal of consent and deletion of data Supervision of relations between joint data controllers	Fine of 40 million euros

Sanctions issued in 2022

Date	Type of organization	Main breaches/Theme subject	Adopted decision
01/02/2022	VEHICLE MAINTENANCE AND REPAIR COMPANY	Failure to cooperate with the CNIL	Fine of €3,000 and injunction
03/21/2022	RESTAURANT	Failure to respect the principle of data minimization Duration of conservation Information of the persons Register of processing activities Cooperation with CNIL services Lack of data security	Fine of €10,000
03/24/2022	NOTARY	Partial compliance with the injunction issued	Liquidation of the fine of €1,000
04/15/2022	APPLICATION SOFTWARE PUBLISHING COMPANY	Obligation to regulate the relationship between the controller and the processor Obligation for the processor to process data only on the instructions of the controller Failure to maintain data security	Fine of €1,500,000
06/23/2022	ELECTRICITY AND GAZ PRODUCER & PROVIDER	L 34-5 CPCE Failure to provide information Exercise of rights Failure to respect the right of access Failure to respect the right to object	Administrative fine of one million euros
06/13/2022	VEHICLE MAINTENANCE AND REPAIR COMPANY	Failure to cooperate with the CNIL	Liquidation of the fine of €3,900
07/07/2022	VEHICLE RENTAL COMPANY	Inadequacy, irrelevance and excessive nature of data Length of retention Information to individuals	Fine of 175,000 euros
08/03/2022	COMPANY SPECIALIZING IN THE HOTEL SECTOR	L 34-5 CPCE Consent of individuals Failure to inform Failure to respect the right of access Failure to respect the right of opposition Security and confidentiality of data	Fine of 600,000 euros
09/08/2022	ECONOMIC INTEREST GROUPING OF THE CLERKS OF THE COMMERCIAL COURTS OF FRANCE	Data retention periods Failure to secure personal data	Fine of 250,000 euros
10/17/2022	COMPANY DEVELOPING FACIAL RECOGNITION SOFTWARE	Failure to determine a legal basis Failure to respect the right of access Failure to respect the right of erasure	Fine of 20,000,000 euros and injunction
10/11/2022	COMPANY DEVELOPING VOICE OVER IP SOFTWARE AND INSTANT MESSAGING	Data retention periods Transparency Failure to inform Data protection by default Obligation to conduct a privacy impact assessment Failure to secure personal data	Fine of 800,000 euros
11/24/2022	ENERGY, GAZ AND RELATED SERVICES PROVIDER	L 34-5 CPCE - commercial prospecting Failure to inform Transparency Failure to respect the right to object Failure to respect the right of access Failure to secure personal data	Fine of 600,000 euros
11/30/2022	PHONE OPERATOR	Exercice of rights Failure to respect the right of access Failure to respect the right of erasure Obligation to document data	Fine of 300,000 euros and injunction
12/19/2022	COMPANY SELLING OPERATING SYSTEMS, APPLICATION SOFTWARE, HARDWARE AND RELATED SERVICES	Consent of individuals (cookies and tracking devices)	Fine of 60,000,000 euros and injunction
12/20/2022	COMPANY MARKETING A BUSINESS CONTACT EXTENSION	Failure to dermine a legal basis Failure to respect the right of access	Dismissal
12/29/2022	A COMPANY THAT DEVELOPS AND MARKETS CONSUMER ELECTRONICS, PERSONAL COMPUTERS AND SOFTWARE	Failure to respect the right of access Lack of cooperation with the CNIL	Fine of 8,000,000 euros
12/29/2022	PHYSICIAN (simplified procedure)	Failure to respect the right of access Lack of cooperation with the CNIL	Fine of 5,000 euros
12/29/2022	PHYSICIAN (simplified procedure)	Failure to respect the right of access Lack of cooperation with the CNIL	Fine of 5,000 euros
12/29/2022	UNIVERSITY (simplified procedure)	Failure to respect the right of access Lack of cooperation with the CNIL	Fine of 10,000 euros
12/29/2022	COMPANY DEVELOPING MANAGEMENT SOFTWARE AND MARKETING SOFTWARE FOR LOCAL AUTHORITIES (simplified procedure)	Failure to comply with the data minimisation principle Data retention period Failure to inform Failure to secure personal data	Fine of 15,000 euros
12/29/2022	COMPANIES OPERATING A RANGE OF CONTENT DISTRIBUTION PLATFORMS	Consent of individuals (cookies and tracking devices)	Fine of 5,000,000 euros
12/29/2022	MOBILE GAMES DEVELOPMENT COMPANY	Consent of individuals (cookies and tracking devices)	Fine of 3,000,000 euros

Sanctions issued in 2021

Date	Type of organization	Main breaches/ Theme subject	Adopted decision
01/06/2021	OPTICAL RETAIL TRADE	Failure to respect the exercise of individuals' rightsdata security deficiency	€250,000 financial penalty and injunction under penalty payment
01/11/2021	IT SOLUTIONS DEVELOPMENT COMPANY	Lack of data security	Financial penalty of €75,000
01/12/2021	MINISTRY	Lawfulness of the treatment Lack of impact assessment Lack of information to individuals	Call to order and injunction
06/03/2021	APPLICATION SOFTWARE PUBLISHING COMPANY	Lack of data securityillegality of processed data	Financial penalty of €10,000
06/14/2021	COMPANY PUBLISHING A PRIVATE SALES WEBSITE DEDICATED TO DIY, GARDENING AND HOME IMPROVEMENT	Retention periods Failure to inform individuals Failure to comply with requests for deletion of data Failure to keep data secure Consent for commercial prospecting	Financial penalty of €500,000 and injunctions
07/20/2020	INSURANCE	Duration of retention lack of Information to individuals	Financial penalty of €1,750,000
07/26/2021	COMPANY SPECIALISED IN AGRICULTURAL BIOTECHNOLOGY	Failure to inform individuals - obligation to Regulate relations with a subcontractor	Financial penalty of €400,000
07/27/2021	PRESS	Consent of individuals (cookies)	Financial penalty of €50,000
09/15/2021	ADVERTISING COMPANY	Failure to comply with requests to rectify data Failure to comply with erasure requests lack of a register of processing activities Cooperation with the CNIL	Financial penalty of €3,000
09/24/2021	MINISTRY	Lawfulness of the processing - retention period - accuracy of the data Lack of data security Failure to inform individuals	Call to order and injunction
10/21/2021	NOTARY	Cooperation with the CNIL	Financial penalty of 3,000 euros and injunction
10/28/2021	PRIVATE ORGANIZATION	Failure to comply with injunction issued	Liquidation of the penalty payment of €65,000
10/29/2021	PUBLIC ESTABLISHMENT OF AN INDUSTRIAL AND COMMERCIAL NATURE	Failure to comply with the principles of data minimization and responsibility for data retention Lack of data security	Financial penalty of €400,000
12/28/2021	PAYMENT INSTITUTION	Obligation to regulate relationships with subcontractors Failure to maintain data security Obligation to notify individuals of a data breach	Financial penalty of €180,000
12/28/2021	TELEPHONE OPERATOR	Failure to respect the right of access Failure to respect the right of rectification Failure to respect the right to object Obligation to protect data by design Failure to ensure data security	Financial penalty of €300,000
12/30/2021	SALE OF FURNITURE ON THE INTERNET AND IN STORES	Retention period Failure to inform individuals Failure to comply with deletion requests Obligation to regulate relations with subcontractors Failure to ensure data security	Financial penalty of €120,000
12/31/2021	INTERNET SERVICES (SEARCH ENGINE, VIDEO PLATFORM, ETC.)	Cookie refusal mechanism	Financial penalty of €150,000,000 and injunction
12/31/2021	SOCIAL NETWORK	Cookie refusal mechanism Failure to inform individuals	Financial penalty of €60,000,000 and injunction

Sanctions issued in 2020

Date	Type of organization	Main breaches/ Theme subject	Adopted decision
07/28/2020	E-BUSINESS	Failure to comply with the data minimisation principle; failure to comply with the retention period; failure to inform individuals; failure to ensure data security and confidentiality	250,000 financial penalty and injunction under penalty payment
09/03/2020	POLITICAL ASSOCIATION	Failure to cooperate with the CNIL services	Dismissal
09/03/2020	POLITICAL FIGURE	Breach of the obligation to process data lawfully	Call to order
09/03/2020	ADMINISTRATION	Breach of the obligation to process data lawfully	Call to order
11/18/2020	LARGE RETAILING	Failure to retain data; failure to exercise rights; failure to inform individuals; failure to provide access, erasure and objection rights; failure to ensure data security and confidentiality; failure to use cookies	Financial penalty of €2,250,000
11/18/2020	BANK	Failure to process data fairly; failure to inform individuals; failure to use cookies	Financial penalty of €800,000
11/18/2020	COOPERATIVE OF RETAIL TRADERS	Failure to ensure data security	Financial penalty of €150,000
12/03/2020	TAXI COMPANY	Failure to cooperate with the CNIL services	Financial penalty of €3,000
12/07/2020	TECHNOLOGY SERVICES COMPANY	Failure to comply with cookies; failure to inform individuals; failure to obtain consent; failure to exercise the right to object	Financial penalties of €60 million and €40 million and injunctions under penalty
12/07/2020	E-COMMERCE COMPANY	Failure to comply with cookies; failure to inform individuals	€35 million fine and injunction under penalty
12/07/2020	PHYSICIAN	Breach of the obligation to ensure data security; breach of the obligation to notify a data breach	Financial penalty of €3,000
12/07/2020	PHYSICIAN	Breach of the obligation to ensure data security; breach of the obligation to notify a data breach	Financial penalty of €6,000
12/07/2020	COLD CALLING COMPANY	Failure to obtain consent; failure to ensure the adequacy, relevance and non-excessiveness of the personal data processed by the company; failure to comply with the retention period; failure to inform individuals; failure to comply with the right to object; failure to provide a contractual framework for the processor	Financial penalty of €7,300 and injunction under penalty payment
12/07/2020	HOME-BASED CHILDCARE COMPANY	Failure to comply with the data minimisation principle; failure to comply with the retention period; failure to comply with the obligation to ensure data security	Injunction under penalty payment
12/08/2020	MEAL DELIVERY COMPANY	Breach of the obligation to obtain consent; breach of the obligation to inform individuals; breach of the obligation to respect the right of access; breach of the obligation to ensure data security	€20,000 and an injunction under penalty payment

Sanctions issued in 2019

Date	Name or type of organization	Main breaches/ Theme subject	Adopted decision
1/21/2019	OS AND SERVICES	Lack of transparency, unsatisfying information and lack of valid consent	Monetary penalty of 50 000 000 euros
1/31/2019	ONLINE SEARCH ENGINE	De-listing	Dropping of charges
1/31/2019	PROPERTY MANAGEMENT COMPANY	Security and personal data retention period	Dropping of charges
1/31/2019	NATIONAL PUBLIC ADMINISTRATION	Personal data security breach	Injunction with periodic penalty payment
5/28/2019	PROPERTY MANAGEMENT COMPANY	Personal data security breach and non-compliance with the retention periods	Monetary penalty of 400 000 euros
6/13/2019	TRANSLATION COMPANY	Inadequate and excessive data, irrelevant, unsatisfying information, personal data security breach Video surveillance	Monetary penalty of 20 000 euros, injunction with periodic penalty payment
7/18/2019	INSURANCE INTERMEDIARY COMPANY	Personal data security breach	Monetary penalty of 180 000 euros
10/10/2019	EARLY CHILDHOOD PHOTOGRAPHY COMPANY	Failure to comply with the rights of access and to erasure, data security and confidentiality breach	Monetary penalty
11/21/2019	ISOLATION EQUIPMENT INSTALLATION COMPANY	Inadequate, irrelevant and excessive data, lack of individual information, non-compliance with the right to object, lack of cooperation with the supervisory authority, no legal data transfer outside the UE	Monetary penalty of 500 000 euros
30/12/2019	HELP TO DISABLED AND ELDERLY INDIVIDUALS	Infringements on data retention limitation principle Unsatisfying information Infringements to the obligation of security by processor	Monetary penaly, injunction with periodic penalty payment

Sanctions issued in 2018

Date	Name or type of organization	Main breaches / Theme subject	Adopted decision
1/8/2018	HOUSEHOLD APPLIANCES RETAIL	Personal data security breach Website	Monetary penalty
5/7/2018	OPTICAL RETAIL	Personal data security breach Website	Monetary penalty
6/21/2018	ASSOCIATION	Personal data security breach Website	Monetary penalty
6/26/2018	PROXIMITY FREIGHT TRANSPORT ROAD	Failure to comply with the rights of access (especially on tachograph data)	Injunction with periodic penalty payment
7/24/2018	PRESS GROUP	Personal data security breach and non-compliance with the retention periods	Monetary penalty of 400 000 euros
7/24/2018	VIDEO-SHARING PLATFORM	Personal data security breach Website	Monetary penalty
7/24/2018	SOCIAL BUILDING CONSTRUCTION & MANAGEMENT	Personal data misuse	Monetary penalty
7/24/2018	METAL TREATMENT AND COATING COMPANY	Lack of answer to an order to comply from the CNIL	Monetary penalty
9/6/2018	ASSOCIATION	Personal data security breach Website	Monetary penalty
9/6/2018	ELEVATORS AND PARKING CCTV	Excessive data, unsatisfying information, lack of personal data security and confidentiality Phone communication recording/Biometrics	Monetary penalty
12/19/2018	PRIVATE TRANSPORTS COMPANY	Personal data security breach Mobile application	Monetary penalty
12/26/2018	TELECOM PROVIDER	Personal data security breach Website	Monetary penalty