The CNIL Issues Ten Sanctions Under Simplified Procedure, Fines Total €97,000
The French data protection authority, known as the CNIL, has been actively enforcing its new simplified sanction procedure, which was introduced in 2022. Over the past two months, the CNIL has issued ten new decisions under this streamlined approach, imposing fines totaling €97,000 on both private and public-sector entities. These sanctions were a result of violations of various data protection requirements, highlighting the authority's commitment to upholding privacy and data protection regulations.
The fines were imposed due to breaches of the following obligations:
- Failure to Respond to CNIL Requests: Entities were penalized for not complying with the obligation to respond to requests from the CNIL, which plays a crucial role in ensuring transparency and accountability.
- Data Minimization: Violations related to the excessive use of geolocation and continuous video surveillance of employees, raising concerns about privacy and individual rights.
- Lack of Information on Data Processing: Entities did not provide adequate information about their data processing activities and the purposes behind them.
- Failure to Respect Individual Rights: In particular, entities were penalized for not responding appropriately to requests for objection, which is a fundamental aspect of data protection.
The simplified procedure, implemented in 2022, is designed to handle cases that do not present significant complexities. It allows the CNIL to impose fines of up to €20,000 on entities found in violation. This procedure is particularly valuable in addressing a growing number of complaints, with more than 12,000 filed in 2022, marking a substantial increase of 72% since the General Data Protection Regulation (GDPR) came into effect in 2018.
Notably, in cases where violations warrant more substantial penalties, the CNIL resorts to its ordinary procedure.
Two specific issues were highlighted in the ten recent decisions issued by the CNIL. First, the continuous geolocation tracking of employee vehicles without the option for employees to pause or suspend the system during breaks was deemed an excessive infringement on employees' freedom of movement and right to privacy, unless justified by specific reasons.
The second issue pertained to the deployment of video surveillance systems that constantly monitor employees at their workstations without valid reasons. The CNIL emphasized that accident prevention and evidence gathering do not suffice as justifications for continuous video surveillance. Under such circumstances, the personal data collected through these surveillance systems becomes inappropriate and irrelevant. Continuous surveillance of employees, with few exceptions, was deemed disproportionate to the intended objectives.
In line with its commitment to a deterrent and proportionate enforcement policy, the CNIL will continue to issue sanctions under the simplified procedure within tighter timelines. It will also provide regular updates on these sanctions on its website. These actions reflect the CNIL's determination to safeguard individuals' privacy and data protection rights while encouraging compliance with data protection regulations.