The French Data Protection Authority (CNIL) has sanctioned with a fine of 3.000 euros the Société nouvelle de l’annuaire français (SNAF), in particular for not having complied the rights of data subjects.
The Société nouvelle de l’annuaire français (SNAF) is managing the website annuairefrancais.fr, which is listing French companies based on data published by INSEE.
Background
The CNIL had six complaints between 2018 and 2019 which shown all the problems revealed in asking the deletion and the rectification of personal data.
An online inspection and an inspection during a session have revealed the breach of rights of data subjects.
The CNIL President has ordered to SNAF to get in compliance to the GDPR within two months, this has not been done by the company.
Consequently, the restricted committee – which is the regulatory body of the CNIL – has sanctioned SANF with a fine of 3.000 euros, in particular for not have complied rights of rectification and deletion and for having not cooperated with the CNIL.
This sanction keeps in mind the dimension and the financial situation of the company. Its advertising is justified by the need to remember the company the importance to process rectification and deletion requests, and to cooperate with the CNIL.
Identified breaches
The CNIL has found four breaches of the GDPR against SNAF:
- An obligiton brech to comply the data retification requests (article 16 of the GDPR), in the measuren which the company has not follow through to the received ractification reques, within the term established by the formal notice.
- Anywya, the company has made the ractification during the procedure;
- The lack of respect of the obligation to comply with the deletion requests of data (article 17 of the GDPR), since the compabyhas not deleted personal data of all the complainant who have made a requests;
- Lack of implementation of a Records of processing activities (article 30 of the GDPR), since the main activity of the company is the personal data processing;
- Lack of cooperation with the CNIL (article 31 of the GDPR).