The sanctions issued by the CNIL

22 December 2020

The sanctions issued by the CNIL’s restricted committee since the entry into force of the GDPR.

Sanctions issued in 2024

Date Type of organization Main breaches/Theme subject Adopted decision
01/09/2024 WEBSITE PUBLISHER -  REVERSE LOOK-UP DIRECTORY (simplified procedure)

Failure to cooperate with the CNIL
Failure to respect the right of access
Failure to respect the right to object

Fine of €1,500

01/15/2024 LAWYER (simplified procedure) Failure to cooperate with the CNIL
Failure to respect the right of erasure
Fine of €5,000
01/22/2024 LAWYER (simplified procedure)

Failure to cooperate with the CNIL

Fine of €500

01/24/2024 PHARMACEUTICAL WHOLESALE BUSINESS (simplified procedure) Lack of data security
Failure to cooperate with the CNIL
Register of processing activities
Obligation for processors to offer sufficient guarantees, recruited after authorization by the controller
Fine of €20,000
01/25/2024 POLITICAL ASSOCIATION (simplified procedure)

Information of individuals and transparency (political canvassing)

Fine of €20,000
01/31/2024 PUBLISHER OF A WEBSITE OFFERING INDIVIDUALS THE OPPORTUNITY TO PUBLISH OR CONSULT REAL ESTATE ADS AND OTHER SERVICES

Lack of data security
Framework for relations between the controller and the processor
Information of individuals and transparency
Data retention periods

Fine of €100,000
01/31/2024 INDIVIDUAL (simplified procedure)

Failure to cooperate with the CNIL

Fine of €500
01/31/2024 DENTAL SURGEON  (simplified procedure) Lack of data security
Failure to respect the right of access (health data)
Fine of €5,000
01/31/2024 WEBSITE PUBLISHER - NEWS IN THE FIELD OF NEW TECHNOLOGIES  (simplified procedure) Lack of data security Fine of €20,000
01/31/2024 COMPANY ENGAGED IN THE MARKETING AND MANAGEMENT OF LOYALTY PROGRAMS AND CARDS (simplified procedure) Obligation to process data lawfully
(commercial prospecting by phone)
Fine of €310,000
01/31/2024 BUSINESS SUPPORT COMPANY  (simplified procedure) Lack of data security Fine of €10,000
02/29/2024 SCIENTIFIC RESEARCH AND DEVELOPMENT COMPANY (simplified procedure) Obligation to process data lawfully Fine of €10,000
02/29/2024 DENTAL SURGEON (simplified procedure) Lack of data security
Failure to respect the right of access (health data)
Fine of €4,000
04/04/2024 RETAIL SALE OF TELECOMMUNICATIONS EQUIPMENT Consent of individuals (commercial prospecting by phone - Article L. 34-5 of the French Postal and Electronic Communications Code)
Lack of legal basis
Information of individuals (Art. 14) and transparency
Fine of €525,000
04/04/2024 COMPANY ENGAGED IN COMMERCIAL PROSPECTING BY E-MAIL ON BEHALF OF ADVERTISERS No response to injunction Liquidation of the penalty payment of €25,000
04/25/2024 COMPANY OPERATING SHOE AND SPORTSWEAR STORES (simplified procedure) Information of individuals and consent (cookies)

Fine of €15,000

04/25/2024 ASSOCIATION PARTICIPATING IN THE ACTIVITIES OF POLITICAL ORGANIZATIONS (simplified procedure) Lack of legal basis Fine of €16,000 and injunction
04/25/2024 FRENCH LITERARY REVIEW (simplified procedure) Late compliance for erasure requests (injunction procedure) Liquidation of the penalty payment of €3,000
05/23/2024 NATIONAL PUBLIC ESTABLISHMENT (TEACHING) (simplified procedure) Data minimization
Information of individuals and consent
Fine of €6,000
05/23/2024 COMPANY ENGAGED IN OPTICAL RETAILING (simplified procedure) Late response to formal notice (injunction procedure) Liquidation of the penalty payment of €4,000
05/23/2024 COMPANY MANAGING A CALL PLATFORM FOR PROFESSIONAL SECRETARIAT (simplified procedure) Data minimization
Information of individuals and consent
Lack of data security
Fine of €15,000
05/23/2024 COMPANY MANAGING A CALL PLATFORM FOR PROFESSIONAL SECRETARIAT (simplified procedure) Data minimization
Information of individuals and consent
Lack of data security
Fine of €10,000
06/10/2024 BAKERY (simplified procedure) Information of individuals
Obligation to process data lawfully (CCTV)
Data minimization (CCTV)

Fine of €5,000

06/10/2024 COMPANY DISTRIBUTING JOURNALISTIC CONTENT  (simplified procedure)

Information of individuals and consent (cookies)

Fine of €3,000 and injunction
06/10/2024 GENERAL PRACTITIONER (simplified procedure) Failure to respect the right of access (medical records)
Lack of cooperation with the CNIL
Fine of €4,000 and injunction
06/27/2024 COMPANY SPECIALIZING IN PROPERTY MANAGEMENT AND COMMERCIAL OPERATIONS COMPANY BROADCASTING JOURNALISTIC CONTENT (simplified procedure)

Information of individuals and consent (cookies)

Fine of €12,000
07/09/2024 FRENCH MINISTRY

Data retention
Obligation to process data lawfully

Call to order and injunction
07/22/2024 MUNICIPALITY Failure to respond to injunction and non-compliance Liquidation of the penalty payment of €6,900
07/25/2024 PRIVATE HIGHER EDUCATION ESTABLISHMENT (simplified procedure) Data minimization
Data retention
Lack of data security
Fine of €20,000
08/08/2024 ENERGY BROKERAGE COMPANY (simplified procedure)

Data minimization
Information of individuals and transparency (commercial prospecting)
Recording of processing activities

Fine of €20,000 and injunction
08/20/2024 WEBSITE HOST (simplified procedure) Failure to respect the right to object
Lack of cooperation with the CNIL
Fine of €8,000
08/28/2024 COMPANY SPECIALIZING IN STATISTICAL STUDIES OF HEALTH DATA Authorization from the CNIL not requested (health data warehouse) Fine of €800,000
08/28/2024 COMPANY SPECIALIZING IN THE MANAGEMENT OF HEALTH DATA FLOWS Authorization from the CNIL not requested (health data warehouse) Fine of €200,000
08/29/2024 WEB PUBLISHER IN THE TRANSPORT SECTOR Obligation to perform a data protection impact assessment
Information of individuals and consent
Obligation to process data lawfully
Fine of €300,000
09/05/2024  CLOTHING RETAILING COMPANY (simplified procedure) Obligation to process data lawfully
Data minimization
Information of individuals and transparency (CCTV)
Lack of cooperation with the CNIL
Fine of €15,000
09/05/2024 FENCE MANUFACTURING AND INSTALLATION COMPANY (simplified procedure) Failure to respect the right to access
Lack of cooperation with the CNIL
Fine of €10,000
09/05/2024 PUBLICATION AND SALE OF MANAGEMENT SOFTWARE FOR PHYSICIANS Failure to apply for a CNIL authorization (health data warehouse)
Obligation to process data lawfully
Fine of €800,000
09/12/2024 COMPANY OPERATING A CASINO AND A HOTEL (simplified procedure) Information of individuals (CCTV)
Failure to respect the right of access
Fine of €12,000
09/13/2024 MUNICIPALITY (simplified procedure)

Unlawful processing of data
Data retention period
Record of processing activities
Obligation to appoint a Privacy Officer
Lack of cooperation with the CNIL

Fine of €20,000
09/19/2024 ARMOURY SELLING ONLINE AND IN-STORE (simplified procedure) Data retention period
Information of people and transparency
Failure to respect the right of erasure
Lack of data security
Obligation to document a data breach
Fine of €20,000
09/26/2024 COMPANY OFFERING IT SYSTEMS AND SOFTWARE CONSULTANCY SERVICES, SOFTWARE PUBLISHING AND PRODUCTION   Lack of cooperation with the CNIL
Failure to respect the right of erasure
Fine of €15,000 and injunction
09/26/2024 TRAINING ORGANISATION FOR HEALTHCARE PROFESSIONALS 

Information of people and consent (cookies)
Failure to respect the right of erasure
Framework for relations between the controller and the processor
Lack of data security

Fine of €15,000 and injunction
09/26/2024 COMPANY OFFERING REMOTE DIVINATION SERVICES Consent of people (online commercial prospecting)
Consent of people (special data category)
Data retention period
Minimisation of data
Fine of €250,000
09/26/2024 COMPANY ENGAGED IN THE DEVELOPMENT AND PROVISION OF IT AND DIGITAL SERVICES Consent of people (online commercial prospecting)
Consent of people (special data category)
Data retention period
Fine of €150,000
09/26/2024 MARKETING COMPANY (simplified procedure) Failure to respond to the injunction and non-compliance (injunction procedure) Liquidation of penalty of €3,000
09/30/2024 ASSOCIATION FOR THE CREATION OF A PSYCHIATRIC HEALTH NETWORK  (simplified procedure) Lack of cooperation with the CNIL
Failure to respect the right of access
Fine of €3,000
10/10/2024 COMPANY MARKETING CRYPTOCURRENCY WALLETS  Lack of data security
Data retention period
Fine of €750,000
10/11/2024 ORTHOPHONIST (simplified procedure) Failure to respond to the injunction and non-compliance Liquidation of penalty of €4,000
10/17/2024 MINISTRY

Obligation to process accurate data
Information of people
Failure to respect the right of access
Failure to respect the right of rectification
Failure to respect the right of erasure

Call to order and injunction
10/17/2024 MINISTRY Obligation to process accurate data
Information of people
Failure to respect the right of access
Failure to respect the right of rectification
Failure to respect the right of erasure
Call to order and injunction
10/17/2024 COMPANY ENGAGED IN THE PROVISION OF SERVICES (MANAGEMENT OF TELEPHONE CALLS) (simplified procedure) Information of people (CCTV and phone recording)
Failure to respect the right to object
Lack of data security
Fine of €20,000
10/17/2024 DENTAL SURGEON (simplified procedure) Failure to respect the right of access (medical file)
Lack of cooperation with the CNIL
Fine of €3,000 and injunction
10/23/2024 ASSOCIATION PARTICIPATING IN THE ACTIVITIES OF POLITICAL ORGANISATIONS (simplified procedure) Failure to respond to an injunction and non-compliance (injunction procedure) Liquidation of penalty of €4,000

Sanctions issued in 2023


Sanctions issued in 2022


Sanctions issued in 2021


Sanctions issued in 2020


Sanctions issued in 2019


Sanctions issued in 2018