Fine of 200,000 euros for SAF Logistics
The National Commission for Information Technology and Liberties (CNIL) has fined the company SAF Logistics 200,000 euros for having collected an excessive quantity of personal data from its employees, violating their privacy, and not having cooperated sufficiently with the CNIL services.
The CNIL noted that SAF Logistics collected a large amount of information on the employees' family members, in particular their identity, contact details, position, employer and marital status. This data was collected as part of internal recruitment for a position within the parent company of SAF Logistics, based in China.
The CNIL considered that this collection was excessive and constituted a disproportionate infringement of the employees' privacy. The authority also noted that SAF Logistics had not put in place sufficient security measures to protect this data.
Here are the specific shortcomings noted by the CNIL:
Article 5.1.c GDPR – Minimization of collection: SAF Logistics collected a large amount of personal data on family members of employees, data that was excessive in relation to the stated purpose of the processing. This information was collected to list the emergency contacts of each employee.
Article 9 GDPR – Processing of sensitive data: The company collected sensitive data such as blood type, ethnicity and political affiliation although none of the exceptions in Article 9.2 of the GDPR applied.
Article 10 GDPR – Processing of data relating to offenses: SAF Logistics kept extracts from employees' criminal records without justification for some of them.
Article 31 – Cooperation with the CNIL: The translation of the data collection form communicated to the CNIL was incomplete, with certain fields deleted.
The sanction imposed on SAF Logistics by the CNIL underlines the importance of respecting the principles of protection of personal data, in particular the principle of data minimization, and how the Data Comply One platform (formerly Mission RGPD) could have helped avoid these sanctions by providing specific solutions to each breach.
Origin of the inspection
The CNIL's inspection was initiated following two complaints submitted after a form was sent to all SAF Logistics employees, in which information about their private lives, including sensitive data, was requested.
Inspection type
It was an on-site inspection by the CNIL.
How Data Comply One (formerly Mission RGPD) could have avoided these sanctions
- Article 5.1.c GDPR – Minimization of collection: With Data Comply One (formerly Mission RGPD), SAF Logistics could have documented the processing in the register of purposes, carried out an automatic analysis of the risks associated with data processing, and used integrated impact analyses to assess the relevance of the collection of data.
- Article 9 GDPR – Processing of sensitive data: The Data Comply One platform (formerly Mission RGPD) offers documentation in the register of collected data, automatic analysis of risks associated with the processing of sensitive data, and impact analyses for the collection of sensitive data.
- Article 10 GDPR – Processing of data relating to offenses: Data Comply One (formerly Mission RGPD) would have made it possible to document the register of data collected, to carry out an automatic analysis of the risks associated with the processing, and to integrate impact analyses for the collection of sensitive data.
- Article 31 – Cooperation with the CNIL: With Data Comply One (formerly Mission RGPD), SAF Logistics could have prepared for an inspection by the CNIL thanks to a practical sheet dedicated to this subject and to inspection simulations carried out during expert support.
In summary, Data Comply One (formerly Mission RGPD) is an all-in-one solution that could have helped SAF Logistics avoid these sanctions by ensuring compliance with GDPR principles and facilitating cooperation with competent authorities.
This would have allowed the company to maintain the tranquility and serenity necessary to comply with constantly evolving rules.