Privacy News 12/11/2021

Nov 15, 2021

National Authorities

CNIL publishes guide to aid organisations with GDPR awareness

The CNIL published, on 10 November 2021, a guide on awareness for organisations on compliance with the GDPR.

The guide aims to recall the statutory requirements regarding data protection and provide best practices for organisations processing personal data.

It outlines key GDPR principles, defines key concepts, provides a plan of action for compliance with the GDPR, and responds to FAQs.

You can read the press release here and the guide here, both only available in French.



CNPD imposes €5,300 fine against public retail company

The CNPD published, on 2 November 2021, its deliberation No. 35/FR/2021 whereby it imposed a fine of €5,300  against an unnamed public retail company, for its violation of Articles 5 and 13 of the GDPR, following its investigation of the company’s use of CCTV and geolocation systems.

The deliberation cites a failure to inform third parties and employees in a clear and precise manner about the use of CCTV, the legal basis of its use, the right to request the restriction of processing, the right to object to the processing, and the right to lodge a complaint with the CNPD.

According to the CNPD, the company had also failed to inform employees of the same regarding the use of geolocation systems. The CCTV’s field of vision was also disproportionate to the company’s stated purposes and was in violation of the data minimisation principle of the GDPR.

You can read the deliberation, only available in French, here.


AP fines Transavia €400,000 following data breach

The AP published, on 12 November 2021, its decision in which it imposed a fine of €400,000 to Transavia Airlines CV, for violation of Article 32 of the GDPR following a data breach.

The AP had received a breach notification from Transavia notifying that a malicious third party had gained unauthorised access to its systems (the hacker had downloaded personal data of approximately 83,000 people).

The hacker broke into Transavia’s systems in September 2019, using two accounts of the company’s IT department.

For the AP, this breach of the GDPR is very serious.

The hack was too easy due to

  • The easy to guess password;
  • The multi-factor authentication was not used;
  • The hacker had access to many of Transavia’s systems once it took control of the two accounts.

You can read the press release here and the decision here, both only available in Dutch.