Overview of the CNIL’s enforcement actions in 2024: the simplified procedure generates an increase in sanctions

Hogan Lovells

[co-author: Augustin Lacroix]

In 2024, the CNIL stepped up its enforcement action, issuing 87 sanctions, 180 compliance orders and 64 reprimands. However, only 12 decisions were made public, which makes the regulator’s doctrine harder to read. The challenge of ensuring companies’ compliance with applicable law is sometimes disrupted by the supervisory authorities’ practices. Closely monitoring the actions of the authorities to identify trends and at-risk practices is an important step in this preparation to determine priorities in the various stages of compliance. On the occasion of the publication by the CNIL of the review of its actions in 2024[1], we propose to provide an overview of the various sanctions imposed by the CNIL over the past year and to draw useful lessons for the future.

In 2024, the CNIL adopted 331 decisions, including 87 sanctions, 180 compliance orders and 64 reprimands, in various sectors such as telecommunications, real estate, commerce, online services and health.

The number of sanctions imposed by the CNIL’s restricted committee is increasing year on year, and 2024 confirms this trend: 87 decisions were issued, compared with 42 in 2023, and 21 in 2022. The majority of the sanctions adopted are part of the recent implementation of the simplified procedure, which alone accounts for 69 decisions.

The cumulative amount of fines has significantly decreased compared to 2023, from 90 million euros to almost 55 million euros for 2024. Of the 87 decisions, 72 include administrative fines and 14 are accompanied by injunctions under penalty.

Of this total of 87 decisions imposing sanctions, only 12 have been made public by the CNIL. These make it possible to draw up an overview of the CNIL’s action regarding compliance with (1) key principles of the GDPR, (2) processing of sensitive data, (3) data subjects’ rights, (4) compliance obligations applicable to data controllers or processors, or (5) the security obligation.

Chapter 1 - Breaches to key principles of GDPR

CNIL’s decisions adopted in 2024 traditionally sanction non-compliance with key principles of GDPR such as the principle of (a) minimization, (b) proportionality of data retention, or (c) the lawfulness of processing.

a. Data minimization principle

In accordance with the data minimization principle, personal data collected shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

Failure to comply with this principle was one of the grievances upheld by the CNIL against the company COSMOSPACE[2]. The latter offers online clairvoyance services and systematically and fully records phone conversations between clairvoyants and customers, between clairvoyants and switchboard operators, as well as between switchboard operators and customers/prospects. The company had determined that the conversations between the switchboard and the customers/prospects were recorded to prove that the latter had subscribed to the service contract.

According to COSMOSPACE, full recording is necessary as the entire phone conversation is used to reach an agreement with the customer. The CNIL disagrees with this approach, stating that phone conversations may only be recorded if necessary and if no other form of proof, such as written confirmation, exists. In this respect, the CNIL considers that the recording cannot cover the whole conversation and should only cover the part clearly relating to the subscription to the contract, i.e. the part where the customer agrees, after having received the relevant information (price of the service, duration, terms and conditions etc.), to use the company’s services.

Regarding the conversations between the switchboard and the clairvoyants, as well as those between the clairvoyants and the customers, the company claimed that they were recorded for training purposes and for the purposes of monitoring and ensuring the quality of its service. The CNIL reaffirms its previous ruling[3] and reiterates that the full and systematic recording of the phone conversations of a company’s employees is not justified with regard to the training purpose of the latter, other less intrusive means, such as occasional and random recording, being more appropriate.

Furthermore, the CNIL has also addressed the issue of employee surveillance with regard to the minimization principle. Such surveillance can be set up at the initiative of employers through video surveillance. However, an employer cannot set up a video surveillance system that results in the permanent surveillance of its employees without justifying particular circumstances with regard to the purpose for which such a system is set up.

On this matter, both the Cour de cassation[4] and the Conseil d’Etat[5] consider that constant surveillance of employees for the purpose of preventing property damage is an infringement and disproportionate. Furthermore, to be proportionate, video should not record sound except under exceptional circumstances.

As such, the CNIL sanctioned a company in the real estate sector[6], which had set up a high-definition video surveillance system accessible in real time and permanently capturing image and sound in its employees’ place of work and rest areas, for the purpose of preventing property damages.

The company also measured employee productivity using software installed on their computers. The software counted the time spent on certain websites that the company had previously set up as productive or non-productive. This software also regularly took screenshots of employees’ computers. According to the CNIL, such a system is also contrary to the minimization principle as it leads to the quasi-permanent surveillance of employees, even though there are less intrusive tools for assessing employee productivity.

b. Personal data retention

Compliance with the principle of storage limitation, according to which personal data should be kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are processed, remains a major issue for companies’ compliance with GDPR.

During its inspections in 2024, the CNIL noted breaches of this obligation for various reasons.

Firstly, with regard to the retention periods based on a legal obligation. During an inspection initially focusing on data subjects’ information and user journey of the company DE PARTICULIER A PARTICULIER[7], the CNIL found that the latter followed a legal data retention period even though the obligation in question was not applicable.

The said legal obligation, which stems from French consumer law, mandates a 10-year retention period for information relating to a contract worth more than 120 euros. However, this retention period was applied by the company regardless of the amount of the subscription in question, even when the 120-euro threshold was not reached. As the legal obligation did not apply, the CNIL ruled that retaining data for 10 years was therefore disproportionate.

Furthermore, vigilance is also required regarding the effective application of a retention period policy. The aforementioned company retained the data of website users who did not use its paid services for a period of 5 years as of the last connection to the user account, for litigation and anti-fraud purposes. While the CNIL considered this period to be justified, the inspections showed that, in practice, the company kept the data of certain accounts for more than 5 years, and for more than 10 years for others, constituting a breach of the storage limitation principle.

The CNIL has also taken an interest in data retention for direct marketing. The authority is particularly mindful of this matter, as it adopted a standard for processing carried out for the purposes of managing commercial activities in 2021[8]. Within this framework, the CNIL recommends keeping data related to this processing for a maximum period of 3 years as of the end of the commercial relationship.

The companies COSMOSPACE[9] and TELEMAQUE[10] were sanctioned for retaining their customers’ data for direct marketing purposes for a period of 6 years from the last service.

In terms of unlimited storage, a practice of the company KASPR[11] has been called into question by the CNIL. KASPR publishes a Chrome extension allowing its users to obtain the professional contact details of target individuals by consulting their LinkedIn profile. To do this, KASPR collects the contact details of the target individuals on the professional social network. Whereas the company previously kept this data for an indefinite period, it introduced a new policy in 2021, as well as a storage system with automatic dynamic renewal.

More specifically, the data of the target individuals are kept for 5 years from the time they are collected, and in the event of an update of these data, which may occur due to a change of position or employer, the newly updated data are kept again for a 5-year period.

The CNIL considers this automatic renewal to result in a disproportionate retention period, and has ordered the company to put an end to this practice and adopt a fixed retention period of 5 years.

c. Lawfulness of processing

i. The use of legitimate interest as legal basis

The processing of personal data shall rely on an appropriate legal basis in accordance with Article 6 of the GDPR. This year, the CNIL identified several breaches in processing relying on legitimate interest, one of the legal bases of Article 6.

The CNIL sanctioned HUBSIDE STORE[12], KASPR[13], and a company in the real estate sector[14] for processing data that the data subjects could not reasonably expect, thus disqualifying the applicability of the legal basis of legitimate interest.

HUBSIDE STORE carried out direct marketing operations by phone calls using contact details obtained from data brokers. The latter collected prospect data through online game-competition forms, and HUBSIDE STORE was not systematically mentioned in the list of partners likely to canvass the individuals concerned.

While the CNIL has reiterated that direct marketing through phone calls may be based on the legitimate interest of the controller, it has also indicated that the data subjects should legitimately expect to be subject to such processing. However, as they were not informed of the possibility of being canvassed by the organization in question, the data subjects could not legitimately expect it. Therefore, the processing could not rely on legitimate interest.

Regarding KASPR, the CNIL focused on whether the target individuals whose LinkedIn profiles were consulted by users of the KASPR Chrome extension could legitimately expect their data to be collected. On LinkedIn, users can configure the privacy settings of their profile so that their contact details are or are not publicly available. The CNIL considered that, for the LinkedIn users who have chosen to restrict access to their contact details, the collection of these contact details cannot be based on legitimate interest. Indeed, having chosen not to make their data public, the users cannot reasonably expect their contact details to be collected, as the CNIL sees here a form of opposition to the use of their data. Therefore, KASPR could not rely on legitimate interest for this processing of data.

The use of the legal basis of the legitimate interest by a company in the real estate sector[15] for the processing carried out by its software for monitoring the working time and the productivity of its employees has also been examined by the CNIL.

With regard to the measurement of working time, the software, integrated within the employees’ computers, counted the employees’ idle time by analyzing mouse movements and keyboard activity. Idle time, if not justified or made up by the employee, was deducted from his/her salary. The CNIL considered that these automated and permanent surveillance tools are, except under exceptional circumstances not proven in this case, disproportionate to the legitimate interest of the employer. According to the CNIL, the system disproportionately affects the rights of the employees, who could not reasonably expect this permanent surveillance. The processing could therefore not be based on legitimate interest.

Regarding productivity measurement, the software counted the time spent on certain websites that the company had previously set as productive or non-productive. It also regularly took screenshots of employees’ computers. Such a system is also disproportionate to the interest and fundamental rights of the employees, in particular their right to privacy, so that the processing could not be based on legitimate interest.

ii. Prior consent to the reading of trackers

Under Article 82 of French data protection law, any subscriber or user of an electronic communication service should give their consent prior to the deposit and reading of certain trackers on their terminal (e.g. computer, phone, tablet etc.). Other trackers are exempt from consent.

The CNIL looked into the case where the internet user had given and then withdrawn their consent to the deposit and reading of trackers subject to consent. At issue was the company ORANGE[16] which, despite the withdrawal of consent by internet users, continued to read the trackers on their terminals using dozen of cookies. ORANGE argued that no text or case law specified the procedures for taking into account the withdrawal of consent, nor did it impose an obligation to cease all reading operations. The company also argued that even if the trackers were read, they were no longer exploited after the withdrawal of consent.

The CNIL, reiterating its doctrine, states that if the deposit and reading of a tracker is subject to consent, it necessarily offers, correlatively, the right to withdraw consent and to reverse one’s choice[17]. The restricted committee then recalled the distinction between, on the one hand, the deposit and reading of trackers, which are operations subject to consent under French data protection law, and, on the other hand, the subsequent exploitation of the data generated by these trackers, which is subject to the provisions of the GDPR. Therefore, according to the CNIL, the absence of exploitation of these data has no bearing on ORANGE’s compliance when reading trackers after consent withdrawal.

Consequently, by continuing to read trackers after its website users’ consent withdrawal, the company failed to comply with its obligations.

iii. Prior consent to direct marketing

Under Article 13 of the ePrivacy Directive, a user or subscriber may not, with certain exceptions, be the subject of direct marketing by means of automated electronic communications systems, or even e-mails using their contact details, without their prior consent having been obtained. This provision is transposed into French law under Article L34-5 of the French Post and Electronic Communications Code (“PECC”). The CNIL has particularly monitored controllers in this area. In particular, the CNIL imposed a fine of 50 million euros on ORANGE[18] for breaches related to direct marketing practices through its electronic messaging service.

When users of the messaging service “Mail Orange” accessed their inbox, advertisements appeared among e-mails received by the user. These advertisements looked very similar to real e-mails. The only disparities were, on the one hand, the background color used for advertisements, which was slightly gray, and on the other hand the word “annonce” (“ad”) displayed instead of the date of receipt of an e-mail.

The appearance of these advertisements is of the utmost importance here in terms of their classification and the applicable legal framework: if these advertisements are considered to be e-mail direct marketing, the prior consent of users is required. The CNIL, based on a ruling of the Court of Justice of the European Union[19] that had ruled on a similar case, considered that in view of this appearance of “real e-mails”, consent should be obtained, which was not the case here.

Furthermore, the liability lay with ORANGE and not with the advertisers, since the company had control over the display on these advertising spaces, which it marketed to advertisers.

Moreover, following on from the sanction against TAGADAMEDIA[20] in December 2023, the CNIL has turned its attention to data collected by data brokers and used by companies for direct marketing purposes. FORIOU[21] and HUBSIDE STORE[22] were sanctioned by the CNIL for carrying out direct marketing operations based on data purchased from data brokers and collected without the valid consent of the data subjects. These partners obtained data through online game-competition forms which, by their design, did not allow valid consent to be collected for direct marketing operations.

The two companies emphasized the contractual commitments made with their data brokers aimed at regulating responsibility for the collection of valid consent. However, the CNIL reiterates here that, as stated in its previous case law[23], it is the controller’s responsibility to verify that the conditions allowing it to carry out these commercial prospecting operations are met, and that a simple contractual commitment from the partner collecting the data to comply with the GDPR and the applicable rules on direct marketing does not constitute a sufficient measure for this verification. The two companies therefore violated Article L34-5 of the PECC, and at the same time Article 6 of the GDPR, as the processing relied on the legal basis of unlawful consent.

As for the data brokers, the CNIL, which in addition to imposing a fine had issued a compliance order against TAGADAMEDIA to implement a data collection form allowing valid consent to be collected, finally closed this procedure after noting that the company had been brought into compliance[24].

Finally, the CNIL also looked into the direct marketing carried out using a database shared by two joint controllers. The companies COSMOSPACE[25] and TELEMAQUE[26], both of which provide online clairvoyance services and are partners of each other, were sanctioned for having carried out direct marketing campaigns without obtaining valid consent of data subjects.

Each of the companies obtained user data through a form on their website, collecting their consent for the direct marketing operations of their partners, but without mentioning the identity of the latter in an easily accessible manner.

The CNIL therefore considered that the consent of the data subjects was not informed and as such was not validly obtained.

Chapter 2 - Processing of sensitive data

The processing of sensitive data is subject to additional requirements under the GDPR, particularly with regard to the basis on which this processing is carried out. This year, the CNIL sanctioned organizations (a) processing sensitive data without obtaining the explicit consent of data subjects and (b) processing health data without prior authorization.

a. The absence of explicit consent to the processing of sensitive data

During the inspections of the two companies offering online clairvoyance services, COSMOSPACE[27] and TELEMAQUE[28], the CNIL found that sensitive data was being processed without the explicit consent of the data subjects, although such consent is required.

The CNIL had already ruled in 2023[29] that the processing of sensitive data collected during clairvoyance consultations could only take place with the explicit consent of the data subjects. In the case of the two aforementioned companies, sensitive data was collected in two ways.

On the one hand, people using clairvoyance services revealed sensitive information (sexual life, health, religious beliefs, etc.). During the services, the data subjects were not informed of the processing of their data so that they could give their consent.

On the other hand, the two companies offered a romantic compatibility test on their website. The data subjects had to fill in a form with certain information, including their gender and that of their partner. On this point, the CNIL reiterated a ruling of the Court of Justice of the European Union[30], explaining that, although the data in question (information on the sex of the individuals) are not, by nature, sensitive data, they should be considered as such since they are likely to indirectly reveal the sexual orientation of the data subject. Therefore, the explicit consent of data subjects is also necessary for this processing.

b. The absence of authorization for the processing of health data

In accordance with the French data protection law, some processing of health data can rely on the explicit consent of the data subjects. In the absence of explicit consent, such processing is only lawful if it is based on a prior formality of the CNIL, namely (1) the compliance with a CNIL standard accompanied by a declaration of conformity with the said standard, or (2) a CNIL authorization when the processing does not comply with a standard.

The CNIL has sanctioned the health software publisher CEGEDIM SANTE[31] for unlawful processing of health data. The company has set up a health data warehouse based on pseudonymized data from patient records transmitted by doctors. The processing of health data by this company was based neither on the explicit consent of the patients nor on any of the CNIL’s prior formalities.

Chapter 3 - Breaches for non-compliance with the rights of data subjects

Chapter III of the GDPR sets out the various rights available to data subjects which controllers are required to guarantee. The CNIL has noted breaches regarding (a) access right and (b) information to data subjects.

a. Access right

Each year, the CNIL defines priority themes regarding its policy. For the year 2024, one of the priority themes was the right of access of data subjects. This choice is part of a coordinated action of the EDPB on the right of access[32].

The CNIL has made public only one decision relating to the right of access. The company KASPR[33] was sanctioned for not providing sufficiently precise information about its data collection sources. When the company received requests for information about the sources from which the data of the data subjects was collected, it replied that the data was collected from publicly available sources, without further clarification.

However, although KASPR was not able to indicate the precise source of the data collection for each data subject, it was able to identify certain sources of data collection in its database. The CNIL considers that the company should have cited the possible sources of collection to inform the data subjects.

b. Information of data subjects

The controller is required, under Articles 13 (information to be provided in case of direct data collection) and 14 (information to be provided in case of indirect data collection) of the GDPR, to provide certain information relating to the data processing of the data subjects. In 2024, the CNIL noted various breaches, both where the controller collects data directly and where it collects data indirectly.

On the one hand, under Article 13 of the GDPR, the CNIL sanctioned DE PARTICULIER A PARTICULIER[34] for providing inaccurate and insufficient information to its users. The company’s privacy policy did not provide information on the legal basis for the processing, the recipients of the data, or the right of the data subject to lodge a complaint with the CNIL. In addition, the policy stated inaccurate data retention periods. Similarly, a company in the real estate sector[35] failed to inform its employees of their rights and of the retention periods for data processed in the context of using software to measure working time and monitor productivity.

On the other hand, under Article 14 of the GDPR, companies KASPR[36] and HUBSIDE STORE[37] were sanctioned by the CNIL for not providing information to the data subjects.

HUBSIDE STORE, when conducting phone direct marketing operations, did not provide information on data processing, apart from an indication on the recording of the phone conversation and the possibility of registering on Bloctel. While it is not required to provide all the information listed in Article 14 of the GDPR during the phone conversation, the controller is required to provide means for data subjects to obtain more complete information at a later stage, as recalled in the WP29 guidelines on transparency within the meaning of the GDPR[38].

With regard to KASPR, the CNIL noted that until May 2022, i.e. for almost 4 years, the company did not provide any information regarding the processing of data of “target individuals”. From that date, KASPR sent to the target individuals an e-mail providing information on the processing of their data, but it was written in English. The CNIL considered that this information was not valid because the data subjects did not have a good command of this language and could not be in a position to understand the processing of their data.

The data protection authorities are particularly vigilant about the language used to inform the data subjects. In 2023, the CNIL had already sanctioned a company that provided a privacy policy only in English[39]. The Dutch data protection authority, which the CNIL cites in its decision against KASPR, had also sanctioned UBER[40], reminding it that a controller is responsible for translating the information provided to data subjects whose data is processed into a language they understand, and that it is not possible to prejudge the level of English of data subjects.

Finally, Article 12 of the GDPR sets out the conditions under which the controller should provide the information referred to in Articles 13 and 14 to the data subjects. In particular, the information must be provided in an easily accessible form. This article provides for the possibility of providing this information orally, but only if the data subject requests it. A company in the real estate sector[41] was thus sanctioned for having provided information regarding the processing of its employees’ data orally when the latter had not requested it. In addition, there was no written medium that would allow this information to be consulted at a later date, with the result that the condition of accessibility of the information under Article 12 was not satisfied.

Chapter 4 - Controllers and processors’ obligations

Chapter IV of the GDPR sets out a series of obligations on entities classified as data controllers or processors. The CNIL has imposed several sanctions for breaches relating to (a) the contractual framework for sub-processing or (b) regarding the obligation to appoint a data protection officer.

a. Contractual framework of sub-processing

Under Article 28 (3) of the GDPR, the processing carried out by a processor for the controller must be governed by a contract. Certain clauses must appear in the contract.

On this matter, the CNIL has noted the absence of some information required under Article 28 in an agreement concluded between the company DE PARTICULIER A PARTICULIER[42] and one of its processors. Although the company subsequently concluded an addendum containing all the required information after the CNIL’s inspection, the authority sanctioned the data controller for past non-compliance.

b. Obligation to appoint a data protection officer

Article 37 of the GDPR requires certain controllers and processors to appoint a data protection officer (“DPO”).

This is the case, for example, for processing carried out by a public authority or a public body, with the exception of courts acting in the exercise of their judicial function. A commune in French Guiana, KOUROU[43], was subject to several sanctions before appointing a DPO. The municipality was sanctioned twice in 2023 in this sense, with two administrative fines accompanied by an injunction with penalty payments.

In February 2024, the CNIL terminated the penalty payment, and it finally pronounced the closure of the penalty payment procedure in November 2024 after the municipality had finally appointed a DPO.

Chapter 5 - Breaches of the security obligation

Article 32 of the GDPR requires controllers and processors to implement technical and organizational measures to ensure the security of personal data. Such measures are intended, in particular, to prevent access to the data by unauthorized third parties.

These security measures concern, in particular, the protection of access to the areas of a user account of an online service by adopting a sufficiently robust password policy. Since 2017, the CNIL has recommended the use of passwords consisting of at least 12 characters including upper case letters, lower case letters, numbers and special characters. The use of passwords with a minimum of 8 characters with 3 different categories of characters can also provide sufficient protection if the use of these passwords is accompanied by a complementary measure such as the implementation of a captcha mechanism, or even the temporary suspension or blocking of access to the user account after several unsuccessful authentication attempts.

The company DE PARTICULIER A PARTICULIER[44] was sanctioned by the CNIL for its password policy. On the one hand, users could create a single-character password to access their account. On the other hand, a user had the possibility of placing an offer on the company’s website without creating a user account. In such a case, a reference was assigned to this offer to allow the user to access the offer and the associated space allowing him to make changes or to consult his conversations with the people interested in his offer. This reference consisted of 10 characters, 7 of which were public (corresponding to the public reference of the offer). This reference, which provided access to the space associated with the offer, was equivalent to a password, which therefore only had 3 alphanumeric characters. The CNIL therefore considered that these practices did not constitute measures to ensure the security of personal data. In addition, the passwords and references were stored in clear text in the company’s database, without encryption measures.

References

  1. CNIL, Sanctions and corrective measures: CNIL’s action in 2024, https://www.cnil.fr/en/sanctions-and-corrective-measures-cnils-actions-2024
  2. CNIL, Deliberation SAN-2024-014 of 26 September 2024.
  3. CNIL, Deliberation SAN-2020-003 of 28 July 2020; CNIL, Deliberation SAN-2023-008 of 8 June 2023.
  4. Cass, soc., 23 June 2021, n°19-13.856.
  5. CE, 18 November 2015, Société PS Consulting, n° 371196.
  6. CNIL, Deliberation SAN-2024-021 of 19 December 2024.
  7. CNIL, Deliberation SAN-2024-002 of 31 January 2024.
  8. CNIL, Deliberation n° 2021-131 of 23 September 2021 adopting a reference framework for the processing of personal data for the purposes of managing commercial activities.
  9. CNIL, Deliberation SAN-2024-014 of 26 September 2024.
  10. CNIL, Deliberation SAN-2024-015 of 26 September 2024.
  11. CNIL, Deliberation SAN-2024-020 of 5 December 2024.
  12. CNIL, Deliberation SAN-2024-004 of 4 April 2024.
  13. CNIL, Deliberation SAN-2024-020 of 5 December 2024.
  14. CNIL, Deliberation SAN-2024-021 of 19 December 2024.
  15. CNIL, Deliberation SAN-2024-021 of 19 December 2024.
  16. CNIL, Deliberation SAN-2024-019 of 14 November 2024.
  17. CNIL, Deliberation SAN-2023-024 of 29 December 2023.
  18. CNIL, Deliberation SAN-2024-019 of 14 November 2024.
  19. Court of Justice of the European Union, 25 November 2021, C 100/20.
  20. CNIL, Deliberation SAN-2023-025 of 29 December 2023.
  21. CNIL, Deliberation SAN-2024-003 of 31 January 2024.
  22. CNIL, Deliberation SAN-2024-004 of 4 April 2024.
  23. CNIL, Deliberation SAN-2022-021 of 24 November 2022.
  24. CNIL, Press release of 28 June 2024 “Closure of the injunction against TAGADAMEDIA”.
  25. CNIL, Deliberation SAN-2024-014 of 26 September 2024.
  26. CNIL, Deliberation SAN-2024-015 of 26 September 2024.
  27. CNIL, Deliberation SAN-2024-014 of 26 September 2024.
  28. CNIL, Deliberation SAN-2024-015 of 26 September 2024.
  29. CNIL, Deliberation SAN-2023-008 of 8 June 2023.
  30. Court of Justice of the European Union, 1st August 2022, C 184-20.
  31. CNIL, Deliberation SAN-2024-013 of 5 September 2024.
  32. EDPB, 2024 Coordinated Enforcement Action – Implementation of the right of access by controllers, 16 January 2025.
  33. CNIL, Deliberation SAN-2024-020 of 5 December 2024.
  34. CNIL, Deliberation SAN-2024-002 of 31 January 2024.
  35. CNIL, Deliberation SAN-2024-021 of 19 December 2024.
  36. CNIL, Deliberation SAN-2024-020 of 5 December 2024.
  37. CNIL, Deliberation SAN-2024-004 of 4 April 2024.
  38. Article 29 Working Party, Guidelines on transparency under Regulation 2016/679.
  39. CNIL, Deliberation SAN-2023-023 of 29 December 2023.
  40. Dutch data protection authority, 11 December 2023, Uber Technologies Inc. and Uber BV.
  41. CNIL, Deliberation SAN-2024-021 of 19 December 2024.
  42. CNIL, Deliberation SAN-2024-002 of 31 January 2024.
  43. CNIL, Deliberation SAN-2024-018 of 7 November 2024.
  44. CNIL, Deliberation SAN-2024-002 of 31 January 2024.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Hogan Lovells 2025
