The French data protection authority, Commission Nationale de l’Informatique et des Libertés (CNIL), has imposed a fine in the amount of EUR 400,000 against the state-owned operator of the public transit system in Paris, Régie autonome des transports Parisiens (RATP).
Among the grounds for this ruling was the practice, discovered at three RATP sites, of noting the number of strike days taken in addition to the total number of days absent in the records of employees who were up for promotion. In CNIL’s view, indicating the number of strike days was not necessary in order to make a decision about the promotion, since the total number of days absent would have sufficed for that purpose. Accordingly, CNIL found that listing the number of strike days separately violated the principle of data minimization (Article 5(1)c) of the GDPR).
The checks performed by CNIL also found inadequacies in connection with data storage, as well as deficiencies in the security of data processing. With regard to the storage of personal data, CNIL found that data were occasionally stored for longer than necessary for the intended purpose: for example, RATP retained the documents for employee assessment in connection with the promotion process for more than three years, even though they only had to be kept for 18 months. CNIL found that this practice violated the principle of storage limitation (Article 5(1) e) of the GDPR).
With regard to the security of processing (Article 32 of the GDPR), CNIL found that RATP failed to make adequate distinctions based on employee function and noted that the employees in charge in each case
- had access to all categories of data regardless of their function (particularly to HR department data);
- had access not only to the data for their particular site, but to the data of all other RATP sites as well;
- were in a position to export the entire database.
CNIL’s ruling underscores once again the particular importance of data protection in employment relationships and demonstrates that European data protection authorities are now applying strict standards, particularly with respect to principles for the processing of personal data.back