
Enforcement

Regulatory actions, fines, warnings, and enforcement decisions

Filtering by source: French Data Protection Authority (CNIL) (50 items)

FRANCE TRAVAIL: Insufficient technical and organisational measures to ensure information security

€5,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 5,000,000 on FRANCE TRAVAIL. The controller suffered a successful cyber attack due to insufficient technical and organisational measures, resulting in the leak of personal and special category data concerning 38,820,828 individuals. The attack was carried out using the 'social engineering' method, meaning that the attacker obtained goods or information by exploiting the trust, ignorance or credulity of third parties.

FREE MOBILE: Insufficient technical and organisational measures to ensure information security

€27,000,000 fine - French Data Protection Authority (CNIL)

FREE: Insufficient technical and organisational measures to ensure information security

€15,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 15,000,000 on FREE. The controller suffered a data breach due to insufficient technical and organisational measures. This was caused by using an inadequate authentication procedure to connect to their VPN for remote working. Additionally, the controller failed to adequately inform the affected data subjects due to necessary information being missing from the information email.

FREE MOBILE: Insufficient technical and organisational measures to ensure information security

€27,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 27,000,000 on FREE MOBILE. The controller suffered a data breach due to insufficient technical and organisational measures. This was caused by using an inadequate authentication procedure to connect to their VPN for remote working. Additionally, the controller failed to adequately inform the affected data subjects due to necessary information being missing from the information email. Lastly, the controller failed to adequately sort data and retain persona

ONVOLDRAAGLIJK: Insufficient technical and organisational measures to ensure information security

The French Data Protection Authority (CNIL) has imposed a fine of EUR 15,000,000 on FREE. The company suffered a data breach as a result of insufficient technical and organisational measures. This was caused by the use of an inadequate authentication method to connect to their VPN for working from home. In addition, the company failed to adequately inform the data subjects concerned, because essential information was missing from the email reporting the data breach.

Company: Non-compliance with general data processing principles

€3,500,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 3,500,000 on a company. The controller operated a loyalty program in France and 16 other EU countries, using customer data obtained through the program to transfer it to a third party for marketing purposes. The controller had no sufficient legal basis for this transfer and also failed to inform the data subjects. Furthermore, the controller used an inadequate method to store passwords. Finally, the controller failed to conduct a data protection impact as

NEXPUBLICA FRANCE: Insufficient technical and organisational measures to ensure information security

€1,700,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 1,700,000 on NEXPUBLICA FRANCE. The controller, who was a software developer, created and offered a software package designed to manage user relations in the social action sector. Insufficient technical and organisational measures resulted in a cyber incident affecting the software.

NEXPUBLICA FRANCE: Insufficient technical and organisational measures to ensure information security

€1,700,000 fine - French Data Protection Authority (CNIL)

The French Data Protection Authority (CNIL) has imposed a fine of EUR 1,700,000 on NEXPUBLICA FRANCE. The controller, which was a software developer, developed and offered a software package intended to manage user relations in the social activities sector. Insufficient technical and organisational measures led to a cyber incident affecting the software.

MOBIUS SOLUTIONS LTD: Non-compliance with general data processing principles

€1,000,000 fine - French Data Protection Authority (CNIL)

The French Data Protection Authority (CNIL) has imposed a fine of EUR 1,000,000 on MOBIUS SOLUTIONS LTD. The company was previously responsible for data processing for Deezer, which experienced a data breach in 2022. The company failed to fulfil its obligations as a data processor, which led to a data breach.

MOBIUS SOLUTIONS LTD: Non-compliance with general data processing principles

€1,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 1,000,000 on MOBIUS SOLUTIONS LTD. The fined entity had been the former data processor for Deezer, which suffered a data breach in 2022. The processor failed to fulfil its duties as a data processor, which resulted in a data breach.

AMERICAN EXPRESS CARTE FRANCE: Insufficient legal basis for data processing

€1,500,000 fine - French Data Protection Authority (CNIL)

The French Data Protection Authority has imposed a fine of EUR 1,500,000 on AMERICAN EXPRESS CARTE FRANCE. The controller used an excessive number of cookies on its website and failed to adequately inform the data subjects about these cookies.

AMERICAN EXPRESS CARTE FRANCE: Insufficient legal basis for data processing

€1,500,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 1,500,000 on AMERICAN EXPRESS CARTE FRANCE. The controller used excessive cookies on its website and failed to adequately inform data subjects about them.

LES PUBLICATIONS CONDE NAST: Non-compliance with general data processing principles

€750,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 750,000 on LES PUBLICATIONS CONDE NAST. The controller used multiple cookies on its website but failed to adequately implement them.

LES PUBLICATIONS CONDE NAST: Non-compliance with general data processing principles

€750,000 fine - French Data Protection Authority (CNIL)

The French Data Protection Authority has imposed a fine of EUR 750,000 on LES PUBLICATIONS CONDE NAST. The controller used multiple cookies on its website but did not implement them in an adequate manner.

SAMARITAINE SAS: Non-compliance with general data processing principles

€100,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 100,000 on SAMARITAINE SAS. After multiple theft incidents, the controller installed security cameras disguised as smoke detectors to monitor its employees. The cameras were installed without consulting the DPO and outside the existing surveillance system. After dismantling the 'test cameras', employees kept SD cards containing recordings, which constitutes a data breach that the controller did not report to the DPA.

SAMARITAINE SAS: Non-compliance with general data processing principles

€100,000 fine - French Data Protection Authority (CNIL)

The French Data Protection Authority (CNIL) has imposed a fine of EUR 100,000 on SAMARITAINE SAS. After multiple cases of theft, the controller installed security cameras, disguised as smoke detectors, to monitor its employees. These cameras were installed without consulting the data protection officer (DPO) and outside the existing surveillance system. After the 'test cameras' had been removed, employees kept SD cards on which the footage was stored, which constituted a data breach. This data breach was not reported to the data protection authority.

INFINITE STYLES SERVICES CO. LIMITED: Insufficient legal basis for the processing of personal data

€150,000,000 fine - French Data Protection Authority (CNIL)

The French Data Protection Authority has imposed a fine of EUR 150,000,000 on INFINITE STYLES SERVICES CO. LIMITED, which operates under the name 'SHEIN'. The controller used cookies unlawfully on its website. First, the controller did not obtain the data subject's consent before cookies were placed. Second, the controller used incomplete cookie banners. Third, the controller provided insufficient information at a second level. Finally, the controller's mechanisms for refusing or withdrawing consent were inadequate.

GOOGLE IRELAND LIMITED: Insufficient legal basis for data processing

€125,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 125,000,000 on GOOGLE IRELAND LIMITED. While creating an account for the controller's services, the controller designed the cookie consent process in such a way that free, informed consent could not be given. The data subject could only choose between the free service with personalised marketing or a paid-for version without it. The controller also designed its email service so that advertisements could be displayed in areas where data subjects usually fo

GOOGLE LLC: Insufficient legal basis for data processing

€200,000,000 fine - French Data Protection Authority (CNIL)

The French Data Protection Authority has imposed a fine of EUR 200 million on GOOGLE LLC. When an account was created for the controller's services, the controller designed the procedure for obtaining consent for cookies in such a way that free, informed consent was not possible. The data subject could only choose between the free service with personalised marketing or a paid version without it. The controller also designed its email service so that advertisements could be displayed in areas where data subjects normally received messages.

GOOGLE IRELAND LIMITED: Insufficient legal basis for data processing

€125,000,000 fine - French Data Protection Authority (CNIL)

The French Data Protection Authority has imposed a fine of EUR 125,000,000 on GOOGLE IRELAND LIMITED. When an account was created for the controller's services, the controller designed the procedure for consent to cookies in such a way that free, informed consent was not possible. The data subject could only choose between the free service with personalised marketing or a paid version without it. The controller also designed its email service so that advertisements could be shown in areas where data subjects normally...

GOOGLE LLC: Insufficient legal basis for data processing

€200,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 200,000,000 on GOOGLE LLC. While creating an account for the controller's services, the controller designed the cookie consent process in such a way that free, informed consent could not be given. The data subject could only choose between the free service with personalised marketing or a paid-for version without it. The controller also designed its email service so that advertisements could be displayed in areas where data subjects usually found received

INFINITE STYLES SERVICES CO. LIMITED: Insufficient legal basis for data processing

€150,000,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 150,000,000 on INFINITE STYLES SERVICES CO. LIMITED, which operates under the name 'SHEIN'. The controller used cookies unlawfully on its website. First, the controller failed to obtain the data subject's consent before placing cookies. Second, the controller used incomplete cookie banners. Third, the controller failed to provide adequate second-level information. Finally, the controller's mechanisms for refusing or withdrawing consent were inadequate.

SOLOCAL MARKETING SERVICES: Insufficient legal basis for data processing

€900,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 900,000 on SOLOCAL MARKETING SERVICES. The controller, a company that also engages in direct marketing activities for its clients, is using direct messages to contact potential customers for its clients. The company also transfers data of potential customers to its clients. The controller obtained the data through data brokers and was unable to prove that the potential customers (data subjects) had given consent for the described use of their data. In addi

CALOGA: Non-compliance with general data processing principles

€80,000 fine - French Data Protection Authority (CNIL)

The French data protection authority (DPA) has imposed a fine of EUR 80,000 on CALOGA. The controller is a company that collects data from data brokers in order to use it for marketing purposes. The DPA found multiple infringements of the GDPR (General Data Protection Regulation) and the French law on postal and electronic communications. The controller did not have a sufficient legal basis to transfer data to third parties for advertising purposes. In addition, the controller retained the data longer than necessary.

SOLOCAL MARKETING SERVICES: Insufficient legal basis for data processing

€900,000 fine - French Data Protection Authority (CNIL)

The French Data Protection Authority has imposed a fine of EUR 900,000 on SOLOCAL MARKETING SERVICES. The controller, a company that also carries out direct marketing activities for its clients, uses direct contact to approach potential customers for its clients. The company also passes on data of potential customers to its clients. The controller obtained the data through data brokers and could not prove that the potential customers (data subjects) had given consent for the described use of their data. In addition...

CALOGA: Non-compliance with general data processing principles

€80,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 80,000 on CALOGA. The controller is a company that obtains data from data brokers and uses it for marketing purposes. The DPA found multiple infringements of the GDPR and the French Post and Electronic Communications Code. The controller did not have a sufficient legal basis for transferring data to third parties for advertising purposes. Additionally, the controller retained data longer than necessary.

Real estate company: Non-compliance with general data processing principles

€40,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 40,000 on a real estate company for inappropriately monitoring its employees. A software program recorded “periods of inactivity” and regularly took screenshots of the computers of employees working from home. The program automatically detected when an employee made no keyboard or mouse movements for a period of 3 to 15 minutes. In addition, the employees in the offices were continuously filmed. These measures were deemed disproportionate and were considered

COSMOSPACE: Non-compliance with general data processing principles

€250,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 250,000 on COSMOSPACE. The controller is a company that offers personalized clairvoyance consultations by telephone. As part of its services, the controller regularly processed multiple categories of sensitive data (Art. 9 GDPR) without obtaining prior consent. The controller also stored customer data for six years after the end of the business relationship for marketing purposes. According to the French DPA, a maximum of three years would have been admissibl

TELEMAQUE: Non-compliance with general data processing principles

€150,000 fine - French Data Protection Authority (CNIL)

The French DPA imposed a fine of EUR 150,000 on TELEMAQUE. The controller is a company that offers digital services in the field of divinatory arts, including fortune telling by SMS, VAS or online chat. As part of its services, the controller regularly processed multiple categories of sensitive data (Art. 9 GDPR) without obtaining prior consent. The controller also stored customer data for six years after the end of the business relationship for marketing purposes. According to the French DPA, t

CEGEDIM SANTÉ: Non-compliance with general data processing principles

€800,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 800,000 on CEGEDIM SANTÉ. The company, which provides software for medical practices, had transferred customer data for research purposes. However, the DPA found that this data was not anonymous but only pseudonymized, making re-identification possible.

Municipality of Korou: Insufficient involvement of data protection officer

€6,900 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 6,900 on the municipality of Korou for failing to appoint a data protection officer.

Bakery: Non-compliance with general data processing principles

€5,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 5,000 on a bakery. The DPA found that the controller had violated its information obligations and the principle of data minimization in the context of data processing involving video surveillance.

Company: Non-compliance with general data processing principles

French Data Protection Authority (CNIL)

The French DPA has imposed a fine on a company operating a call center. The controller had systematically recorded all incoming and outgoing calls for training, evaluation and dispute purposes. The CNIL found that such comprehensive recording violated the principle of data minimization and that random and selective recording for training purposes was sufficient.

Company: Non-compliance with general data processing principles

French Data Protection Authority (CNIL)

The French DPA has imposed a fine on a company. The company published a promotional video on its website and social networks in which images of patient files of one of its customers were shown. The images, which made personal data such as the name of the data subject visible, were used without their consent.

FRANCE DPA: Insufficient fulfilment of data subjects rights

French Data Protection Authority (CNIL)

The French DPA has imposed a fine on a controller for not sufficiently respecting data subjects' rights (exercising the right of access to a medical file).

FRANCE DPA: Insufficient cooperation with supervisory authority

French Data Protection Authority (CNIL)

The French DPA has imposed a fine on a data controller for failing to cooperate sufficiently with the DPA.

Association: Non-compliance with general data processing principles

€15,000 fine - French Data Protection Authority (CNIL)

The French DPA has fined an association EUR 15,000 due to a lack of data security, non-compliance with the principle of data minimisation and a failure to comply with its information obligations under the GDPR.

Association: Non-compliance with general data processing principles

€10,000 fine - French Data Protection Authority (CNIL)

The French DPA has fined an association EUR 10,000 due to a lack of data security, non-compliance with the principle of data minimisation and a failure to comply with its information obligations under the GDPR.

Public educational institution: Non-compliance with general data processing principles

€6,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 6,000 on a public educational institution for violating the principle of data minimization and its information obligations under the GDPR.

Association: Insufficient legal basis for data processing

€16,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 16,000 on an association for processing personal data without a sufficient legal basis.

HUBSIDE.STORE: Insufficient legal basis for data processing

€525,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 525,000 on HUBSIDE.STORE. The company had used data from data brokers for commercial acquisition campaigns without ensuring that the data subjects had given their valid consent. The investigations revealed that the data brokers' forms were designed in a misleading way, which prevented valid consent. Furthermore, HUBSIDE.STORE did not provide the contacted individuals with sufficient information about the use of their data.

FRANCE DPA: €10,000 fine

€10,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 10,000 on a data controller due to data security vulnerabilities.

Website editor: €20,000 fine

€20,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 20,000 on a website editor for data security vulnerabilities.

Dentist: Insufficient fulfilment of data subjects rights

€5,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 5,000 on a dentist due to a lack of data security and a failure to respect the right of access of a data subject.

Pharmaceutical wholesaler: €20,000 fine

€20,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 20,000 on a pharmaceutical wholesaler due to violations of several regulations, including a lack of data security and insufficient cooperation with the DPA. Additionally, deficiencies were found regarding the maintenance of the record of processing activities, and the obligation to use only processors providing sufficient guarantees and assigned after authorization by the controller was not met.

AMAZON FRANCE LOGISTIQUE: Non-compliance with general data processing principles

€32,000,000 fine - French Data Protection Authority (CNIL)

The French DPA (CNIL) has imposed a fine of EUR 32 million on AMAZON FRANCE LOGISTIQUE for unlawful surveillance of employees. CNIL found that Amazon France equips its warehouse employees with a scanner to document certain tasks. Each scan records data that is stored and can be used to calculate a series of indicators that provide information on the productivity of each employee. The CNIL considered the establishment of a system that measures interruptions in activity with precision and potentia

Attorney: Insufficient cooperation with supervisory authority

€500 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 500 on an attorney. The fine was imposed due to a lack of cooperation with the DPA.

Attorney: Insufficient fulfilment of data subjects rights

€5,000 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 5,000 on an attorney. The fine was imposed due to a lack of cooperation with the DPA and a failure to fulfil a request for erasure of personal data.

Website operator: Insufficient fulfilment of data subjects rights

€1,500 fine - French Data Protection Authority (CNIL)

The French DPA has imposed a fine of EUR 1,500 on a website operator. The fine was imposed due to a lack of cooperation with the DPA and a lack of fulfillment of data subject rights.

Candidate for parliamentary elections: Insufficient fulfilment of data subjects rights

French Data Protection Authority (CNIL)

The French DPA has imposed a fine on a candidate for parliamentary elections. The candidate had sent the data subject election advertising by email despite the data subject's objection.