Unjustified collection of data from a candidate for employment, right to object to political prospecting by email, right of access to medical records, lack of data security and insufficiently robust passwords: since November, the CNIL imposed six new sanctions as part of its simplified procedure.
Since November 2023, the CNIL has issued six new sanction decisions as part of its simplified procedure for a total amount of 44,000 euros.
The main shortcomings identified are:
- a lack of cooperation with the CNIL;
- excessive collection of data from a candidate for employment;
- non-respect of people’s rights (exercise of the right to object to political prospecting by email);
- non-compliance with the right of access to medical records;
- a lack of data security (robustness and storage of passwords).
Failure to respect the right of access to medical records
A healthcare professional did not comply with requests for communication of health data that he had received.
However, health professionals must grant these requests, under article 64 of the Data Protection Act. Indeed, the non-communication of the medical file violates people’s rights and the fundamental principles of the protection of personal data. This failure is all the more serious that it concerns the medical monitoring of a child and may harm their medical care.
As a result, the CNIL fined this healthcare professional.
Unjustified collection of data from job candidates
A company collected the locations, countries of birth, and social security numbers of applicants for jobs as extras or hosts for television events.
Yet, the collection of this data does not present a direct and necessary link with the job offered and with the evaluation of professional skillswhich constitutes a breach of the principle of collecting data for specific, explicit and legitimate purposes (article 5.1.b of the GDPR).
The fact that this data would facilitate management operations during the phase of concluding the employment contract does not justify their collection from the application selection phase.
The CNIL thus sentenced the company to a financial fine. The latter had, in the meantime, modified its form in order to no longer collect these three types of data: such an action does not exempt it from its responsibility for past facts.
Failure to respect the right to object to political prospecting by email
A candidate in the June 2022 legislative elections sent political prospecting emails to a person. This person objected to the candidate receiving these messages, to no avail.
The CNIL reminds that, when personal data is processed for prospecting purposes, the person concerned has the right to object at any time to the use of its data for these purposes (article 21.2 of the GDPR).
The data controller to whom a request to exercise the right of opposition is addressed must, as soon as possible and in any event within one month from receipt of the request, inform the person concerned of the measures taken following this request.
The CNIL issued a fine against this candidate.
A lack of security of personal data of administrators
A municipality had not implemented all the necessary measures to ensure the security of the personal data of its citizens. Indeed, the measures implemented to ensure data security were insufficient, with minimum precautions in terms of robustness and password storage not being respected.
In its recommendation on passwords, the CNIL recommends, in order to ensure that a password cannot be disclosed, that the latter “ must never be stored unencrypted by the data controller. When retained, any password useful for verifying authentication must be first transformed using a specialized cryptographic function » whose characters are defined.
In addition, the restricted training of the CNIL had already sanctioned data controllers keeping personal data in plain text.
It considers that the security defect relating to the robustness and storage of passwords constitutes a breach that is all the more serious as the municipality, as a public authority, processes numerous data of its citizens. Some of this data being – moreover – sensitive, it must set an example in terms of data security.
As a result, the CNIL issued a fine against the municipality.
2023-12-22 12:35:03
#CNIL #issues #sanctions #part #simplified #procedure
