French data pro­tec­tion aut­ho­ri­ty impo­ses fine in the amount of EUR 400,000

The French data pro­tec­tion aut­ho­ri­ty, Com­mis­si­on Natio­na­le de l’Informatique et des Liber­tés (CNIL), has impo­sed a fine in the amount of EUR 400,000 against the state-owned ope­ra­tor of the public tran­sit sys­tem in Paris, Régie auto­no­me des trans­ports Pari­si­ens (RATP).

Among the grounds for this ruling was the prac­ti­ce, dis­co­ver­ed at three RATP sites, of not­ing the num­ber of strike days taken in addi­ti­on to the total num­ber of days absent in the records of employees who were up for pro­mo­ti­on. In CNIL’s view, indi­ca­ting the num­ber of strike days was not neces­sa­ry in order to make a decis­i­on about the pro­mo­ti­on, sin­ce the total num­ber of days absent would have suf­fi­ced for that pur­po­se. Accor­din­gly, CNIL found that lis­ting the num­ber of strike days sepa­ra­te­ly vio­la­ted the prin­ci­ple of data mini­miza­ti­on (Artic­le 5(1)c) of the GDPR).

The checks per­for­med by CNIL also found ina­de­quaci­es in con­nec­tion with data sto­rage, as well as defi­ci­en­ci­es in the secu­ri­ty of data pro­ces­sing. With regard to the sto­rage of per­so­nal data, CNIL found that data were occa­sio­nal­ly stored for lon­ger than neces­sa­ry for the inten­ded pur­po­se: for exam­p­le, RATP retai­ned the docu­ments for employee assess­ment in con­nec­tion with the pro­mo­ti­on pro­cess for more than three years, even though they only had to be kept for 18 months. CNIL found that this prac­ti­ce vio­la­ted the prin­ci­ple of sto­rage limi­ta­ti­on (Artic­le 5(1) e) of the GDPR).

With regard to the secu­ri­ty of pro­ces­sing (Artic­le 32 of the GDPR), CNIL found that RATP fai­led to make ade­qua­te distinc­tions based on employee func­tion and noted that the employees in char­ge in each case

  • had access to all cate­go­ries of data regard­less of their func­tion (par­ti­cu­lar­ly to HR depart­ment data);
  • had access not only to the data for their par­ti­cu­lar site, but to the data of all other RATP sites as well;
  • were in a posi­ti­on to export the enti­re database.

CNIL’s ruling unders­cores once again the par­ti­cu­lar importance of data pro­tec­tion in employ­ment rela­ti­onships and demons­tra­tes that Euro­pean data pro­tec­tion aut­ho­ri­ties are now app­ly­ing strict stan­dards, par­ti­cu­lar­ly with respect to prin­ci­ples for the pro­ces­sing of per­so­nal data.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.