Privacy News 5/11/2021

Nov 15, 2021

National Authorities

CNPD publishes guidelines on cookies

The CNPD published, on 26 October 2021, guidelines on cookies and other trackers.

These guidelines aim to help operators of websites or applications to comply with the currently applicable rules (as they emerge from legislation and case law).

They draw the distinction between essential cookies and non-essential cookies and introduce the notion of dark patterns in the context of collecting user consent.

You can read the press release here and the guidelines here, both only available in French. 

DPC issues guidance on vaccine certificate check

The DPC announced, on 2 November 2021, that it had released guidance on vaccine certificate checks.

According to the DPC, it is the responsibility of the owners of premises, as data controllers, to establish whether they have an identified legal basis to ask for, and verify, the vaccination status of attendees.

The guidance also provides that vaccination status checking should be determined with reference to the current advice of the public health authorities.

You can access the guidance here.


CNIL fines RATP €400,000 for unnecessary collection of data on workers’ strikes

The CNIL published, on 4 November 2021, a decision, issued on 29 October 2021, to fine the RATP Group €400,000 after noting that several bus centres had included the number of days of strikes by workers in evaluation files, in violation of the data minimisation principle under Article 5(1)(c) of the GDPR.

According to the CNIL, files for evaluating performance and promotion prospects should only contain data necessary for the evaluation of workers: the number of days of strike action by agents does not constitute useful data for such purposes.

The CNIL also found that RATP had violated data retention and security obligations under Article 5(1)(e) and Article 32 of the GDPR.

You can read the press release here and the decision here, both only available in French.