France: CNIL announces nine enforcement decisions totaling €83,000

On June 5, 2024, the French data protection authority (CNIL) announced that it had issued nine enforcement decisions under its simplified enforcement procedure, implemented in 2022. CNIL, which did not publish the enforcement decisions, highlighted that the simplified procedure concerns processing activities that do not present a particular difficulty and for which a maximum fine of €20,000 can be imposed.

Specifically, CNIL highlighted that the sanctions, totaling €83,000, have been imposed since March 2024 for unlawful processing of sensitive data, failure to minimize data processing, lack of cooperation with CNIL, data security failures, failure to allow users to refuse cookies, and failure to facilitate user rights.

Data minimization

CNIL outlined that one sanction concerned the retention of data by a call center, which recorded all conversations on incoming and outgoing calls for training, evaluation, and possible litigation purposes. However, CNIL considered that the implementation of random recordings is sufficient for employee training purposes and that systematic recording and retention are not necessary for the evaluation of company procedures and legal protection. Accordingly, CNIL imposed a fine on the call center.

Sensitive data

Regarding the unlawful processing of sensitive data, CNIL provided that a company operating artificial intelligence (AI) broadcast a promotional video using images of patient files, which included the name, gender, address, and telephone number of the patients, without first obtaining the consent of the individuals concerned. CNIL noted that the dissemination of medical information requires the explicit consent of the individuals concerned in accordance with Article 9 of the General Data Protection Regulation (GDPR), and that dissemination without that consent therefore constitutes unlawful data processing in violation of Article 5(1) of the GDPR.

Cookies

Finally, regarding the use of cookies, CNIL detailed that a website did not allow users to refuse cookies with the same degree of simplicity as accepting them. Specifically, CNIL outlined that users were required to click on settings and then access an interface before selecting which cookies to activate or deactivate. The website did not allow users to refuse cookies with a single action.

You can read the press release, only available in French, here.