France: CNIL announces 15 enforcement decisions totaling €98,500
On March 12, 2024, the French data protection authority (CNIL) announced that it had issued 15 enforcement decisions as part of its simplified enforcement procedure implemented in 2022. In particular, CNIL, which did not publish the enforcement decisions, highlighted that the simplified enforcement procedure concerns processing activities that do not present a particular difficulty and for which a maximum fine of €20,000 can be imposed.
Specifically, CNIL stated that sanctions totaling €98,500 have been imposed since January 2024, for lack of cooperation with CNIL, data security failures, failures relating to the exercise of data subject rights, and breach of subprocessors' obligations.
Data protection officer
CNIL outlined that one sanction concerned the failure of an organization to include its data protection officer (DPO) in meetings concerning data protection and information security. In addition, the DPO's contact details had not been communicated to employees for several years, and the DPO did not have access to the organization's website messaging allowing the exercise of data subject rights. Accordingly, CNIL determined that the DPO was not able to properly carry out their mission pursuant to Article 39 of the General Data Protection Regulation (GDPR).
Political prospecting
CNIL also detailed that a sanction was imposed for electoral canvassing operations, because the SMS messages, post, and emails sent did not systematically contain information relating to the exercise of data subjects' rights. Specifically, CNIL found that the failure to correctly inform data subjects, in accordance with Articles 12, 13, and 14 of the GDPR, meant that the political communication was not transparent.
Data security
CNIL further held that several organizations failed to implement the most recent version of the TLS protocol, free of vulnerabilities, or cryptographic technology that was still state of the art. Notably, CNIL detailed that the TLS 1.0 or 1.1 protocol is prohibited according to the National Agency for Security and Information Systems (ANSSI), while the SHA-1 hash function is also no longer considered to guarantee the integrity and confidentiality of data during transmission.
You can read the press release, only available in French, here.