

Any organization that collects and processes personal data is subject to control by the CNIL (National Commission for Information Technology and Civil Liberties), and is therefore liable to a GDPR sanction and to paying a GDPR fine to the CNIL.

Whether you are a data controller or a processor, you risk GDPR penalties from the CNIL if you do not know the GDPR's provisions. In the event of an audit or complaints, the CNIL can impose GDPR fines of up to millions of euros.

The fine can also depend on the size of your company: it can reach 4% of your annual turnover. Worse still, sanctions can be made public, and the impact on your image can be very significant. Several start-ups, such as Nestor, have been hard hit.

Since it came into force in 2018, the GDPR has provided for sanctions as well as measures that organizations, both public and private, must put in place in order to comply with this new regulation, which concerns the processing of personal data.

Indeed, many French and multinational companies have had to pay fines to the CNIL running into the hundreds of millions of euros.

Points to lose before getting a GDPR sanction

Before talking about GDPR sanctions, it is worth pointing out that one of the key points for an organization, regardless of its size, is its GDPR compliance. Beyond the GDPR sanctions it risks, an organization that is not compliant is above all exposed to risks that primarily affect its business. Today, companies are increasingly savvy when it comes to the GDPR.

In addition, the CNIL requires companies to work only with compliant organizations, that is, organizations able to protect the personal data they process. The subject is so sensitive that if you work with a provider that is not compliant, there is nothing you can do in the event of a loss of personal data: it will quite simply be attributed to your lack of vigilance when signing the contract.

Remember: the risk of being inspected by the CNIL or of receiving complaints from clients and employees depends on your business. But above all, you are exposed to business risks, insofar as turning leads into clients will not be an easy task.


GDPR Sanction vs Requirements

To avoid paying GDPR penalties to the CNIL, the steps to GDPR compliance are fewer than they seem. To be compliant, the GDPR requires certain documents to be put in place and maintained, as well as certain conditions to be met.

In this regard, the GDPR covers various key areas such as HR practices, commercial prospecting and employee awareness.

Firstly, with regard to employee awareness of GDPR best practices, it is important to remember that you cannot control all your employees. However, you can choose to raise their awareness. To do so, share our article on GDPR best practices with them.

You'll make life easier for them!

Then, a second point to be compliant concerns GDPR rules in relation to human resources. The subject is so sensitive that companies are receiving more and more complaints from their employees. All the more reason for the GDPR to require a privacy policy, which involves informing employees of the processing carried out, as well as their rights. As you can see, the employee information aspect is key.

Respect for consent is another point not to be forgotten. According to the CNIL (National Commission for Information Technology and Civil Liberties), in B-to-B, the only requirement is an unsubscribe button enabling the person contacted to object. On the other hand, in B-to-C, consent must be sought before the actual act of prospecting takes place. Consent must be clear, free and comprehensible.


For more details on this point, you can also consult our article on 11 tips for better commercial prospecting in compliance with the GDPR.

Last but not least, compliance with data retention periods is imperative. In other words, the CNIL has defined data retention periods that any organization processing personal data must not exceed. Here again, if you want to go further, our article on data retention periods will give you a better understanding of the subject.

To find out more about any or all of these topics, you can book an appointment with one of our experts. It's free!


The nature of GDPR sanctions

Depending on which GDPR rules it has failed to comply with, an organization contravening the regulation is exposed to sanctions of various kinds, namely administrative sanctions, criminal penalties, corrective measures and payment of damages.

Administrative penalties

When it comes to administrative sanctions, the GDPR provides for corrective measures.

It is Article 58 of the GDPR that provides for this type of sanction and gives supervisory authorities the power to issue corrective measures. These measures can be taken even before fines are issued, and in addition to administrative fines.

They can take the form of a warning or a formal notice to the organization contravening the GDPR, or a temporary suspension of personal data processing.

Criminal penalties

Article 84 of the GDPR provides for additional sanctions in the event of a breach of the GDPR.

In France, where personal data is processed for a purpose other than the one declared (misuse of purpose), Article 226-21 of the Penal Code provides for a penalty of up to 5 years' imprisonment and a fine of 300,000 euros.

Payment of damages and loss of image

In addition to these penalties, violating the GDPR may involve other consequences such as:

  • Publication of the violation: the CNIL has the power to require the offending organization to publish the sanction.
  • Damages: a GDPR violation can cause material or moral harm to victims. The offending organization may therefore be ordered to pay damages.

GDPR Sanction: a simplified corrective procedure

Faced with an ever-increasing number of complaints, the CNIL has decided to adopt a new, simpler procedure for less complex cases. While the number of corrective measures pronounced by the CNIL exceeded one hundred in 2021 (18 sanctions and 135 formal notices), the number of complaints continues to rise (14,000 complaints in 2021).

It goes without saying that the files examined by the CNIL (National Commission for Information Technology and Civil Liberties) are as numerous as they are varied.

When we talk about variety, we're talking about seriousness, technology, the various legal issues involved, as well as the impact on people, whether moral or material.

From now on, the president of the CNIL, Marie-Laure Denis, can follow a simplified GDPR sanction procedure. The only difference between the two procedures, ordinary and simplified, is that the latter is more streamlined than the former.

In fact, to pronounce a simplified GDPR sanction, the same steps must be followed as when it comes to the ordinary procedure. On the other hand, no public session will be scheduled, unless the company contravening the rules imposed by the GDPR asks to be heard.

Who does the CNIL (National Commission for Information Technology and Civil Liberties) monitor? - Organizations likely to be fined under the GDPR

As its name suggests, the Commission Nationale de l'Informatique et des Libertés is the regulator of personal data. It is an administrative authority responsible for supervising any organization likely to process personal data.

Whether you're a data controller or processor, note that as soon as you start collecting and processing personal data, you're subject to control by the CNIL (National Commission for Information Technology and Civil Liberties), and therefore liable to a GDPR fine.

In addition, the General Data Protection Regulation empowers the personal data regulator to carry out checks on processors whose job it is to process data on behalf of a controller. The latter may also be liable to pay a GDPR fine. An example of this is the case of maintenance or hosting for a third-party organization.

Am I affected by a GDPR sanction from the CNIL (National Commission for Information Technology and Civil Liberties) if my company is not in France?

The CNIL also has the power to carry out checks on the activities carried out by an organization on French territory, whether or not the processing itself takes place in France. In the event of non-compliance with the regulation, this organization may therefore receive a GDPR fine.

In addition, under the GDPR, the personal data regulator also has the power to carry out checks as soon as the processing essentially affects people residing in France. This control concerns all organizations, regardless of their size and whether or not they are located in France.

The administrative authority may, moreover, carry out its tasks in cooperation with other personal data protection authorities, should the organization have different establishments in the European Union.


Some GDPR sanctions you need to know about

Needless to say, the most striking GDPR sanctions are those imposed on large organizations and institutions, because of the amounts involved, which run into thousands or even millions of euros. Here are a few examples.

Fines imposed by the CNIL:

CLEARVIEW AI: 20 million euros / October 20, 2022

Specializing in facial recognition, Clearview offers software that searches for faces in a database of over 20 billion images. However, this method, under which the company collects data from any website, does not comply with the GDPR.

Problems:

  • no individual consent;
  • no legal basis;
  • failure to take account of people's rights;
  • non-cooperation with the CNIL.

EDF: €600,000 / November 29, 2022

Shortcomings observed:

  • No request for consent to receive commercial prospecting;
  • No security of personal data;
  • Failure to provide information.

As well as being fined, the company saw the sanction made public by the CNIL.

Nestor: €20,000 / January 05, 2021

Shortcomings observed:

  • No individual consent;
  • Failure to inform the public;
  • Failure to respect people's right of access;
  • Lack of personal data security.

Carrefour: €3 million / November 26, 2020

Shortcomings observed:

  • Providing confusing information about the processing carried out on its websites;
  • Requiring individuals to prove their identity in order to exercise their rights;
  • No response to requests for access or objection made by individuals.

GDPR fines issued by the Irish Data Protection Commission (DPC):

Meta: 275 million euros, November 28, 2022

WhatsApp: 225 million euros, September 2, 2021

GDPR fine issued following a decision of the European Data Protection Board (EDPB):

Instagram : 405 million euros, September 15, 2022

You can consult the GDPR Enforcement Tracker for an overview of the GDPR fines and sanctions imposed by personal data protection authorities. As not all GDPR fines are made public, this is not a complete list. However, it is kept up to date and lists any new GDPR fines issued by any of the personal data supervisory authorities.