
Overview of Sanctions Issued by the CNIL in 2024
Key Takeaways
In its review of 2024 enforcement activity, the CNIL reports a significant increase in sanctions and other corrective measures imposed for non-compliance with the GDPR.
Each year, the CNIL publishes a review of its enforcement activity for the previous year. On February 5, 2025, the Commission released its overview of the sanctions and corrective measures issued in 2024. (1) Their number rose sharply compared to the previous year.
1. A Sharp Increase in Sanctions and Corrective Measures
The corrective measures the CNIL can take against organizations (businesses, public administrations, associations) that fail to comply with the GDPR fall into two groups: sanctions, often accompanied by fines, and formal notices and legal warnings.
In 2024, the CNIL issued 331 corrective measures, including:
- 87 sanctions, totaling €55,212,400 in fines (including the €50 million fine imposed on ORANGE in November 2024). Of these 87 sanctions, 69 were issued under the simplified procedure, for a total of €715,000 in fines. The simplified procedure is a streamlined enforcement mechanism introduced in 2022 for less complex cases.
- 180 formal notices and 64 legal warnings. In most cases, organizations bring themselves into compliance once these measures have been issued.
Most sanctions and formal notices issued by the CNIL are not publicly disclosed; only a limited number of sanctions are made public.
2. Key GDPR Violations Leading to Sanctions
The CNIL has also identified the main areas where organizations have failed to comply with the GDPR, including:
- Consent collection requirements in commercial prospecting. Companies that use databases for marketing purposes (advertisers, data brokers, email marketing companies, etc.) must ensure that the primary data collectors (2) properly obtained opt-in consent from individuals to receive promotional messages, as required by the GDPR.
- Pseudonymization is not anonymization. Several rulings were issued against organizations storing health data. These organizations did not have direct access to the identities of the data subjects, but the data was only pseudonymized: each record remained linked to an identifier. Anonymized data is permanently non-identifiable and therefore falls outside the GDPR, whereas pseudonymized data carries a risk of re-identification and remains subject to the GDPR.
- Failure to comply with individuals' rights was sanctioned 23 times, where organizations failed to honor requests for access to personal data (i.e. data stored in the individual's user account or customer file), objections to data processing, or deletion requests. Sanctions were also imposed on organizations that made refusing cookies unnecessarily complex.
- Violation of the data minimization principle. The minimization principle requires that the personal data collected be relevant and limited to what is necessary for the purposes for which it is processed. Ten sanctions were issued for excessive data collection, including unjustified free-text comments about individuals, the systematic or full recording of phone conversations, and continuous video surveillance of employees at their workstations.
- Multiple violations of data security obligations were identified, such as weak passwords or passwords stored in plain text, the absence of an access authorization policy, insufficient access controls on electronic health records (EHRs) consulted by healthcare professionals, and the use of obsolete TLS protocol versions.
- Finally, 27 organizations were sanctioned for failing to cooperate with the CNIL, either in response to requests for information or during compliance audit procedures.
(1) "Sanctions and Corrective Measures: CNIL's 2024 Enforcement Report" (in French), February 5, 2025
(2) A "primary data collector" is an organization that collects data directly from data subjects, for example a company organizing sweepstakes or an e-commerce website.
Bénédicte DELEPORTE
Avocat
Deleporte Wentz Avocat
www.dwavocat.com
February 2025