FRENCH SUPERVISORY AUTHORITY: CNIL has issued fifteen new sanctions under the simplified procedure since January 2024

Political canvassing, the missions and resources of data protection officers, data security, cooperation with the CNIL and respect for people’s rights: the CNIL is continuing to develop its enforcement action with fifteen new sanctions under its simplified procedure.

Since January 2024, the CNIL has issued fifteen new penalty decisions under its simplified procedure for a total of 98,500 euros. In comparison, over the whole of 2023, the CNIL issued 24 decisions of this type.

The main breaches were as follows:

  • a breach relating to the tasks and resources of the Data Protection Officer;
  • failure to cooperate with the CNIL;
  • failure to ensure data security (use of the TLS protocol and cryptographic suites);
  • failure to respect the rights of individuals (exercise of the rights to erasure and objection and the right of access to a medical file);
  • failure to provide information on political canvassing;
  • failure by the subcontractor to fulfil its obligations.

What is the simplified procedure?

Unlike the ordinary procedure, the simplified procedure is lighter: the chairman of the restricted panel (or a member appointed by him) decides alone and no public hearing is held, unless the body asks to be heard.

The penalties that may be imposed are a fine of up to €20,000, an injunction with a fine of up to €100 per day’s delay or a call to order. The names of the organisations concerned may not be made public.

This procedure enables the CNIL to take rapid action in cases that do not present any particular difficulties.
Failure to comply with the Data Protection Officer’s duties and resources

An organisation had not involved its Data Protection Officer (DPO) in meetings concerning data protection and information systems security.

DPOs are responsible for informing and advising data controllers on their legal obligations and monitoring compliance with them (Article 39 of the General Data Protection Regulation). They must therefore be involved in discussions concerning the protection of personal data.

In addition, the DPO’s contact details and duties had not been communicated to employees for several years. Finally, the DPO did not have access to the messaging system on the organisation’s website, enabling data subjects to exercise their rights. He was therefore unable to carry out his duties properly, which led the CNIL to impose a fine on the organisation.

Failure to provide information on political canvassing

As part of an electoral canvassing campaign conducted during the 2022 presidential and legislative elections, a political association failed to meet its obligations to inform individuals.

In particular, the information required by Articles 12, 13 and 14 of the GDPR to appear on the various political communication websites published by the association was not transparent: it was either absent from most of the sites or incomplete.

In addition, in the context of electoral canvassing, the political canvassing voice messages, SMS messages and postal or electronic mail that were sent did not systematically contain information on the exercise of people’s rights, in particular the possibility of exercising their right to object. Candidates in an election and political parties are required to inform people properly, and can draw inspiration from the model proposed by the CNIL.

The CNIL has fined this political association.

Lack of personal data security

A number of organisations had received formal notice to bring their websites into compliance because they were not using recent, vulnerability-free versions of the TLS protocol or state-of-the-art cryptographic suites.

At the end of the compliance period indicated in the formal notices, the CNIL carried out checks on the organisations’ websites, some of which were still not compliant.

A simplified penalty procedure was initiated and the CNIL imposed fines on those organisations that continued to use:

  • the TLS 1.0 or 1.1 protocol, although these two versions are to be avoided according to the guide to the TLS protocol issued by the French National Agency for Information Systems and Security (ANSSI);
  • the SHA-1 hash function, which is no longer considered secure, as it cannot guarantee the integrity and confidentiality of data during transmission between the server and the user’s browser.
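The two findings above are exactly what an operator can check on their own website before a formal notice arrives. The following audit script is an added example written for this article, not CNIL or ANSSI tooling: it pins a handshake to each TLS version in turn and flags any negotiated suite whose OpenSSL name ends in "-SHA" (HMAC-SHA1). The host and port are whatever the reader supplies; the Python ssl module and an OpenSSL build that can still offer TLS 1.0/1.1 are assumed.

```python
"""Audit a TLS endpoint for the two findings above (added example, not CNIL tooling)."""
import socket
import ssl

# Versions the ANSSI TLS guide (cited above) says to avoid.
DEPRECATED_VERSIONS = {"TLSv1", "TLSv1.1"}
PROBED = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
          ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3)


def evaluate(protocol: str, cipher: str) -> list[str]:
    """Findings for one negotiated (protocol, cipher) pair, using the names the
    ssl module reports, e.g. "TLSv1.2" and "ECDHE-RSA-AES128-SHA"."""
    findings = []
    if protocol in DEPRECATED_VERSIONS:
        findings.append(f"deprecated protocol version {protocol}")
    # OpenSSL suite names ending in "-SHA" use HMAC-SHA1 for record integrity;
    # "-SHA256"/"-SHA384" suites and AEAD suites (GCM, CHACHA20-POLY1305) do not.
    if cipher.endswith("-SHA"):
        findings.append(f"SHA-1 based cipher suite {cipher}")
    return findings


def probe(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0):
    """Handshake pinned to exactly one version; None means the server (or the
    local OpenSSL build) refused it, which is the compliant outcome for 1.0/1.1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # we audit the handshake, not the server identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Lower the client security level so legacy suites can be offered and
            # the probe measures the server's policy rather than our own.
            ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (ssl.SSLError, OSError, ValueError):
        return None


def audit(host: str, port: int = 443) -> dict[str, list[str]]:
    """Map each probed version to its findings, or to ["refused"]."""
    report = {}
    for version in PROBED:
        negotiated = probe(host, port, version)
        report[version.name] = (["refused"] if negotiated is None
                                else evaluate(*negotiated) or ["ok"])
    return report
```

A compliant server yields "refused" for TLSv1 and TLSv1_1 and "ok" for the rest; a "refused" on 1.0/1.1 may also mean the local OpenSSL no longer supports them, so confirm with a second client before closing the finding.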

https://www.cnil.fr/fr/la-cnil-prononce-quinze-nouvelles-sanctions-dans-le-cadre-de-la-procedure-simplifiee-depuis-janvier
