CNIL's ten new sanctions

The French data protection authority (DPA), known as the CNIL (Commission Nationale de l’Informatique et des Libertés), has issued ten sanctions under its new simplified procedure.

The sanctions covered GDPR violations in areas such as the geolocation of company vehicles, employee video surveillance, data minimization, and the right to object.

This article explains what the CNIL’s “simplified procedure” is and provide some key insights from the French regulator’s ten new sanctions.

What is the CNIL’s simplified procedure?

The simplified sanction procedure was introduced in April 2022 when France modified its Law no. 78-17 of January 6, 1978 (which implements certain parts of the GDPR).

The CNIL can use the simplified procedure for cases that appear relatively straightforward. The maximum monetary penalty available to the CNIL under the simplified is €20,000. More complex investigations will continue to take place under the ordinary GDPR enforcement procedure.

The CNIL justifies the use of its simplified procedure in its press release:

• The regulator is handling an increasing number of complaints each year
• The number of GDPR complaints received by the CNIL increased by 72% between 2018 and 2022
• The CNIL received more than 12,000 complaints in 2022

As such, the simplified procedure provides a way to deal with the CNIL’s backlog of GDPR complaints.

Which companies received a sanction?

The CNIL has not named any of the ten organizations subject to sanction under its simplified procedure. We only know that the organizations come from both the private and public sector.

Across the ten sanctions, the CNIL imposed fines totaling €97,000. However, the regulator did not reveal whether every organization sanctioned received a fine, or the amount of any individual organization’s fine.

What were the reasons behind the sanctions?

The CNIL identified the following issues across the ten sanctions:

• Cooperation with the DPA
• Data minimization
• Monitoring of geolocation
• Video surveillance of employees
• Transparency (specifically in relation to data processing purposes)
• Data subject rights (specifically in relation to responding to a request under the “right to object)

Two issues were highlighted in particular across the ten decisions: geolocation of employee vehicles and employee video surveillance.

Geolocation tracking of employees

At least one of the sanctions issued under the simplified procedure related to the monitoring of employees’ location.

The CNIL investigated a company alleged to be engaged in the continuous tracking of the location of its employees’ vehicles.

The employees were unable to stop the collection of their vehicles’ geolocation even during break times. The organization seemingly did not provide a reasonable justification for this continuous geolocation monitoring.

The organization’s actions were deemed to violate the GDPR’s principle of data minimization at Article 5 (1) (c), which requires that the process of personal data must be limited to what is “adequate, relevant, and limited to what is necessary” for a specific purpose.

In conclusion, the CNIL found that:

“…the continuous recording of geolocation data, with no possibility for employees to stop or suspend the system during break times, is, unless there is special justification, an excessive infringement of employees’ freedom to come and go and right to privacy.”

Video surveillance of employees

Another of the CNIL’s “simplified procedure” sanctions related to the video recording of employees.

The CNIL investigated a company that continuous filmed its employees at their workstations. The regulator found that the organization could not justify this policy, in particular on health and safety grounds.

“…the prevention of accidents in the workplace and the gathering of evidence do not justify the implementation of continuous video surveillance of workstations. Under these conditions, the personal data generated by the video surveillance system is neither appropriate nor relevant.”

The CNIL concluded that, “with few exceptions”, the “permanent surveillance of employees is disproportionate…”

Lessons from the first round of sanctions under the CNIL’s simplified procedure

• The simplified procedure is used in cases that the CNIL deems straightforward
• The CNIL has used its simplified procedure ten times in its first 18 months
• The average fine imposed in this first round of sanctions was €9,700
• The sanctions focused on non-cooperation with the DPA, failure to respect data subject rights, and data minimization
• Employees must be able to pause geolocation tracking of their vehicles during the breaks under almost all circumstances
• Employers should not continuously monitor their employees at their workstations via video unless there is a valid justification. The prevention of accidents and the gathering of evidence are not valid justifications for such monitoring activities.