Navigating New CNIL Sanctions: What You Need to Know

Goodwin

The Commission Nationale de l’Informatique et des Libertés (CNIL) is an independent French administrative regulatory body whose mission is to ensure that the collection, storage, and use of personal data comply with data privacy law. Its simplified sanction procedure, in place in law since 2022 at the initiative of the CNIL, allows swift penalties to be imposed in cases that do not present particular difficulties, as opposed to so-called “ordinary” sanctions.

When a breach of the General Data Protection Regulation (GDPR) or the French Data Protection Act is identified, the CNIL may initiate a simplified sanction procedure against an organization if the case does not pose any particular challenges. Simplified sanctions are not made public, and the amount of fines that can be imposed cannot exceed €20,000.

Since June 2024, under this procedure, the CNIL has issued eleven new sanction decisions, resulting in a total fine amount of €129,000. Beyond financial penalties, formal notices also contribute to ensuring GDPR compliance: in 2023, the CNIL issued 168 formal notices against public and private organizations.

Furthermore, the CNIL actively cooperates with European data protection authorities. This cooperation has led to strengthened corrective measures in recent years, as illustrated by the €290 million fine imposed on Uber by the Dutch authority, in collaboration with the CNIL, on July 22, 2024.

Compliance can also be achieved without formal notices or penalties. During the handling of complaints, interventions by the CNIL’s services with data controllers can lead to compliance, such as during a discussion with the data protection officer aimed at satisfying a request to exercise data subject rights.

The main breaches concern the failure to comply with the principle of data minimization, whether in terms of employee video surveillance or the systematic and full recording of telephone conversations, as well as the absence of a processing-activities register.

Breaches of the Principle of Data Minimization

The principle of minimization requires that personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed. This principle is defined in Article 5 of the GDPR.

Several of the sanctions issued relate to breaches of this principle in the context of employee video surveillance or the systematic and complete recording of telephone conversations between call center agents and prospects or customers.

Employee Video Surveillance

The CNIL has repeatedly stated that continuous video surveillance of employees at their workstations, not justified by exceptional circumstances related to security or theft, violates the principle of data minimization.

For video surveillance to comply with data minimization, the following provisions must be taken into account:

  • Cameras should be installed at building entrances and exits, emergency exits, and circulation areas. They may also monitor areas where goods or valuable items are stored.
  • Cameras cannot film employees at their workstations except under specific circumstances (e.g., handling money).
  • Cameras must not film employee break or rest areas, or bathrooms.
  • It is also prohibited to film union premises or employee representative areas, or the access to such areas if that access leads only to these premises.

Only individuals authorized by the employer, in the context of their duties, may view the recorded images. Access to the images must be secured to prevent unauthorized viewing.

The employer must define the retention period for camera footage, which should be linked to the cameras’ intended purpose. In principle, this period should not exceed one month. The maximum retention period must not be based solely on the storage capacity of the recording device.

Recording and Listening to Telephone Calls

A system for recording or listening to telephone calls must be proportionate to the objective pursued and must not excessively infringe on the privacy of the individuals being recorded.

For example, the goal of improving sales or employee training does not justify the systematic and complete recording of telephone conversations if a more targeted and random recording of outgoing calls could be implemented.

The same applies if the objective is to collect “evidence.” Outside of cases where recording is mandated by law, systematic recording of telephone conversations is justified only where it is necessary to serve as evidence of a contract, or of the performance of a contract, concluded with a consumer.

Breaches Related to the Processing Activities Register

Maintaining a processing activities register is required under Article 30 of the GDPR. It helps to track, among other things, what data is collected and for what purpose, and who has access to it. This is a tool for managing and demonstrating the data controller’s compliance with the GDPR and must be regularly updated according to functional and technical changes in data processing activities. This document should accurately identify:

  • Stakeholders
  • Categories of data processed
  • The purpose for which the data is processed, who has access to it, and to whom it is disclosed
  • How the data is secured

The CNIL has sanctioned two companies with fewer than 250 employees for failing to maintain a processing-activities register, because the processing activities in question were not occasional.

Although the CNIL is the French regulator, under the GDPR each member state of the European Union is required to have its own regulator to ensure compliance with the principles of this regulation.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Goodwin
