GDPR: Sanction from the CNIL for a French microenterprise to the tune of 3000 €
On September 15, 2021, the restricted formation of the CNIL (National Commission for Information Technology and Liberties) imposed a public administrative fine of 3,000 € on the micro-company SNAF (Société nouvelle de l'annuaire français) by deliberation n° SAN-2021-014.
The company, composed solely of its president, has as its main activity the online publication of a directory containing data from the SIRENE directory, including personal data, in particular the surnames, first names and addresses of managers.
The CNIL noted four breaches of the GDPR against the company SNAF, which it explains in its press release as follows:
- "a failure to comply with the obligation to grant requests for rectification of data (art. 16 GDPR), to the extent that the company did not fully respond to the request for rectification it received, within the time limit set by the formal notice. However, the company made the rectification during the procedure;
- a failure to comply with requests for data erasure (art. 17 GDPR), to the extent that the company has not deleted the data of all complainants who requested it;
- lack of implementation of a register of processing activities (art. 30 GDPR), the main activity of the company being to process personal data;
- a lack of cooperation with the CNIL (art. 31 GDPR)."

A company in the crosshairs of the CNIL
The CNIL received sixteen complaints between 2018 and 2019, reporting difficulties encountered by Internet users when requesting erasure and rectification of their personal data.
An online inspection and an inspection by hearing revealed breaches of the rights of the persons concerned.
The president of the CNIL then gave formal notice to the company SNAF to comply with the GDPR within two months, which the company did not do.
Consequently, the restricted panel, the sanctioning body of the CNIL, ordered the company to pay a fine of 3,000 €, in particular for non-compliance with the rights of rectification and erasure and for lack of cooperation.
The amount of this sanction takes into account the size and financial situation of the company. The CNIL adapts the amount of the fines it imposes to the specific situation of the entities inspected. The good faith of the company also comes into play, to the extent that the CNIL first gives the company formal notice before initiating sanction proceedings.
Once again, it was complaints from the people concerned that led the CNIL to carry out a remote inspection and then an inspection by hearing. This is why it remains imperative and strategic to respond in a timely manner to requests to exercise rights. Satisfying such requests, beyond being a regulatory obligation, also means protecting yourself from a possible inspection.
A published decision, the issue of reputational damage
The CNIL has decided to publish its decision, in particular on its website. This publicity is justified by the need:
- to warn all players in the field,
- to recall the importance of respecting the obligations relating to the processing of requests for rectification and erasure,
- to insist on the need to cooperate in all circumstances with the CNIL.
Beyond the financial penalty, the SNAF company suffers significant reputational damage from the publication of this sanction, which will not fail to make headlines, particularly given the size of the company sanctioned.
This decision highlights the CNIL's desire to ensure compliance with the regulations by all the organizations concerned, whatever their size or financial strength.
Contrary to what one might believe, the CNIL is capable of inspecting not only GAFA and other multinationals, but also structures of more modest size.
This decision will no doubt change the minds of managers of small structures who did not think they were affected by the GDPR.
While it is true that the stakes may seem disproportionate for this type of company and the actions to be implemented too complex and time-consuming, the subject of compliance should not be put aside.
This is why Data Comply One (formerly Mission RGPD) designed its GDPR software to make life easier for VSE/SME managers. With easy-to-use SaaS software, you can now carry out your compliance work without difficulty, thanks in particular to numerous legal templates.
Don't waste any more time, it's so simple!