CNIL (France) - SAN-2021-019

From GDPRhub
CNIL (France) - SAN-2021-019
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 5(2) GDPR
Article 32 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 29.10.2021
Published: 04.11.2021
Fine: 400000 EUR
Parties: RATP
National Case Number/Name: SAN-2021-019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: JulesO3

The French DPA (CNIL) imposed a fine of €400,000 on the state-owned public transport operator 'RATP' for collecting and storing data on how many days its agents were on strike in files normally used to determine promotions. The CNIL also found a breach of the principle of storage limitation and data security.

English Summary

Facts

The CNIL received a complaint from several unions in May 2020 regarding the collection and storage of data on the number of days that RATP's agents had been on strike days. These data were kept in files normally used for careers advancement procedures. The RATP recognized that four bus transport units were concerned by this practice. The investigation conducted by the CNIL confirmed that this practice had been commonplace in at least three bus transport units of the RATP. During the investigation, the CNIL also found other breaches regarding storage limitation and data security.

Holding

The CNIL held that it was unlawful to process information on the number of days an agent had been on strike in the context of career advancement procedures because such information was unnecessary for the purpose of the processing. In particular, the RATP should have limited such information to the number of days of absence of each agent, regardless of the reason behind such absence(s). As a consequence, the CNL found that the RATP had been processing these data in breach of the principle of data minimization (Article 5(1)(c) GDPR).

The investigation also revealed other breaches with respect to the principle of storage limitation (Article 5(1)(e) GDPR). Indeed, the app used to monitor the work of RATP's agents was storing personal data for an excessive period of time. Moreover, agents' files were kept for more than three years after the commission on careers advancement had taken a decision. In the opinion of the CNIL, the RATP should have kept such files for 18 months maximum.

Finally, the investigation also revealed severe security flaws. In particular, it was found that authorized agents could access an excessive amount of data (including human resources files) regardless of their role, from all bus transport units, and could also extract all the data from the app, without any restriction. Because of this, the CNIL considered that the RATP had violated Article 32 GDPR.

Taking into account the scope and severity of these violations, the CNIL decided to impose a fine of 400,000 EUR on the RATP.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted formation n ° SAN-2021-019 of October 29, 2021 concerning the Autonomous Paris transport authority

The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Mrs. Christine MAUGÜÉ and Mr. Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Considering the law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 and following;

Considering Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to information technology, files and freedoms;

Having regard to deliberation no 2013-175 of 4 July 2013 adopting the internal regulations of the National Commission for Informatics and Freedoms;

Having regard to referral no.20009228 of May 13, 2020;

Considering the decision n ° 2020-101C of June 23, 2020 of the President of the National Commission for Informatics and Freedoms to instruct the Secretary General to carry out or have carried out a mission to verify the treatments implemented by the Régie Parisian transport authority (RATP);

Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated February 12, 2021;

Having regard to the report by Mrs. Albane GAILLOT, rapporteur commissioner, notified to RATP on May 12, 2021;

Having regard to the written observations made by the RATP on June 11, 2021;

Having regard to the other documents in the file;

The following were present during the restricted training session on July 1, 2021:

- Madame Albane GAILLOT, commissioner, heard in her report;

As representatives of RATP:

- […];

- […];

- […];

The RATP having had the floor last;

The restricted committee adopted the following decision:

I. Facts and procedure

1. RATP, whose head office is located at 54 quai de la Rapée in Paris (75012), is a public industrial and commercial establishment created by the law of March 21, 1948. RATP is the parent entity of the RATP group. , which employed around 65,000 people in 2019. In 2020, its turnover was […] euros and its net income was […] euros.

2. Operations related to the RATP bus network are managed by the BUS department, within the RATP transport and maintenance operations department. The BUS department has around 16,000 machinist-receivers (who are the bus drivers), divided into sixteen operational units, each of which covers several bus lines. The social management and innovation department (GIS) is in charge of the group's human resources.

3. On May 13, 2020, the National Commission for Informatics and Freedoms (hereinafter the "CNIL" or the "Commission") received a complaint from the CGT-RATP trade union organization (referral no. 20009228) relating to an assessment file for RATP agents, compiled as part of the career advancement procedure for agents in the Bords de Marne bus center. The trade union organization argued that the file in question contained a number of categories of personal data which would make it unlawful and even discriminatory. This complaint was supplemented by a letter dated June 5, 2020, relating to a similar file concerning the agents of the Quais de Seine bus center.

4. On May 18, 2020, RATP notified the Commission of a personal data breach. This notification was supplemented by an additional notification dated June 4, 2020, which developed in particular the description of the violation and the circumstances of its discovery. By these notifications, the RATP reported a violation which would have consisted in the use of a file contrary to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the " RGPD "or the" Rules ") within the framework of the commissions for classification of agents of the BUS department (joint commissions composed of representatives of trade unions and management, aiming to establish which agents benefit from a promotion), resulting in the loss of confidentiality of personal data. This violation would have lasted from April 9 to May 11, 2020. The RATP also qualified the files in question as contrary to RATP's policy and operating rules. The notifications were supplemented by information provided by the RATP by emails to the CNIL dated June 11 and August 5, 2020. This information related to the number of bus centers affected by the violation and, consequently, to the number of persons concerned.

5. Pursuant to decision n ° 2020-101C of 23 June 2020 of the President of the CNIL, a documentary control mission was carried out with the RATP, in order to verify that the latter complies with the all the provisions of the RGPD and of the amended law n ° 78-17 of January 6, 1978 relating to data processing, files and freedoms (hereinafter the "law of January 6, 1978 amended"). More specifically, this involved following up on referral no. 20009228 relating to the advancement procedure and the implementation of preparatory files for classification committees held in bus centers. This mission was carried out by sending a questionnaire, sent by registered letter of June 26, 2020, to which the RATP responded by letter of July 9, 2020.

6. Pursuant to the same decision, a Commission delegation carried out on 21 July 2020 an on-site inspection mission in three bus centers: the Bords de Marne bus center, that of Aubervilliers and that of Vitry. -on the Seine. These three missions focused on the organization and preparation of the advancement procedure for bus drivers and on the distribution of skills in connection with human resources management between the RATP headquarters and the bus centers. By email dated July 31, 2020, RATP provided the additional information requested by the delegation during on-site inspections.

7. In response to additional requests from the control delegation sent by email on August 11 and September 23, 2020, RATP provided additional information by email on August 31, October 6 and November 2, 2020. These elements related in particular to the various processing of personal data showing days of strikes per employee, on the retention period policy for personal data processed by RATP as well as on the DORA application, which is a tool for viewing and extracting data. data from five computer applications for the processing and management of human resources in the BUS department (particularly for the purpose of "exploring operational data" and relating to operating data, quality of service and data relating to human and economic resources).

8. During these checks, the RATP informed the CNIL delegation that classification committees are held annually at the level of each operational unit. In view of these commissions, the management of the operational units makes proposals concerning the agents who should, in their opinion, benefit from a promotion. These proposals are debated during the said committees. At the end of these commissions, a list of the agents benefiting from the promotion is published by the management of the department.

9. With regard to the organization and preparation of classification committees, the delegation was informed that the social management and innovation department is drawing up a list of so-called "nominative" agents (agents eligible for promotion, depending on of the date of seniority in their grade) and forwards this list to the bus centers. A preparatory meeting is then organized in each operational unit, upstream of the committees, which allows managers to carry out arbitration and during which a list of agents proposed for advancement is drawn up. The management of the bus center, human resources managers and line team managers (managers, in charge of a team of bus drivers) participate in this arbitration meeting. In preparation for this meeting, a decision support file is created by the staff assigned to the human resources departments of the operational units, at the request of the management of the bus centers. The RATP indicated that these were files in Excel format listing objective data specific to the profession exercised, such as the number of days of driving, for example. These data are in principle those listed in the corresponding sheet of the register kept in application of the provisions of Article 30 of the GDPR. The advancement proposals established during the arbitration meeting are sent to the members of the classification commission before the commission is held, but not the preparatory files.

10. For the purposes of examining these elements, the President of the Commission appointed, on February 12, 2021, Mrs. Albane GAILLOT as rapporteur, on the basis of article 22 of the law of January 6, 1978 as amended.

11. At the end of her investigation, the rapporteur notified the RATP, on 12 May 2021, of a report detailing the breaches of the provisions of the GDPR that she considered to be in the present case. This report proposed to the restricted formation of the Commission to pronounce an administrative fine against the RATP and that this decision be made public but no longer allow the public establishment to be identified by name after the expiration of a period of two years from its publication.

12. Also attached to the report was a notice to attend the restricted training session on July 1, 2021, indicating to RATP that it had one month to communicate its written observations in application of the provisions of article 40. of decree n ° 2019-536 of May 29, 2019.

13. The RATP responded to the sanction report with written observations dated 11 June 2021.

14. On June 22, 2021, the RATP made a request that the session before the restricted panel be held in camera. By letter of June 24, 2021, the president of the restricted party rejected this request.

15. The RATP and the rapporteur presented oral observations during the restricted formation session.

III. Reasons for the decision

A. On the status of RATP data controller and the accountability of the processing operations in question

16. The data controller is defined, under article 4, point 7 of the GDPR, as "the natural or legal person, public authority, service or other body which, alone or jointly with others , determines the purposes and means of processing ".

17. The rapporteur considers that RATP is responsible for the processing operations in question, within the meaning of Article 4.7 of the GDPR, in particular to the extent that it determines the purposes and means of processing relating to classification commissions. The rapporteur also notes that the RATP made the notifications of data breaches as data controller. Finally, the rapporteur considers that the breaches in question are attributable to her in that they do not stem from an isolated incident but from a practice observed in at least six operational units and in that the RATP did not bring into question implementation of sufficient means to prevent these breaches.

18. In defense, RATP does not dispute its status as data controller. However, it specifies that while it determines the purposes of processing related to classification commissions, each department determines the organizational arrangements. RATP also stresses that this is not a generalized practice. In addition, it avails itself of having implemented sufficient means to prevent the occurrence of facts such as those which are the subject of this procedure, and highlights several actions carried out, such as the training of agents, designation of "GDPR referents / correspondents", the documentation made available.

19. First, with regard to the responsibility for processing, the Restricted Committee considers that RATP is the entity which determines the purposes and means of processing relating to the preparation of classification committees and, therefore, is responsible for the processing. treatments involved. Indeed, the restricted committee notes that the central services of the RATP determine the general rules relating to the holding of classification committees and advancement and, thus, the purposes of processing relating to the preparation of classification committees, which do not are not specific to the different departments that carry them out but are common to RATP. It can be noted in this regard that this processing results in part from the collective agreements negotiated between the trade unions and the RATP. It also provides its various departments with the means that allow them to carry out processing relating to classification commissions, such as the DORA application. The restricted committee also underlines that the RATP proceeded to the notification of the data breach in its own name, without attributing the responsibility for the processing operations implicated in this notification to another entity and that it indicated in this notification to have acted to end the violation. In addition, it notes that the RATP data protection officer, attached to the services of the RATP general management, responded to requests from the CNIL services, as a representative of the public establishment and not of different departments in particular.

20. Second, the restricted panel considers that the breaches, the existence of which is being examined in the context of this procedure, are attributable to the RATP. In that regard, it observes, admittedly, that RATP argues that the acts identified do not comply with its operating rules. However, first of all, the panel notes that the files in question do not relate to an isolated incident in a bus center. On the contrary, the control delegation was able to observe that this practice was established not only in the Bords de Marne bus center, targeted by a complaint, but also in the Aubervilliers and Vitry-sur-Seine bus centers, which had not been the subject of a report before their control by the delegation.

21. Next, the restricted committee considers that it is up to the data controller to ensure the implementation of the regulations relating to data protection within his services, in particular by the establishment of adequate procedures and staff training. In this case, the RATP is criticized for not having implemented sufficient means to prevent such breaches of the protection of the personal data of its agents in the context of processing relating to classification commissions.

B. On the breach relating to the obligation to ensure the adequacy, relevance and non-excessive nature of personal data processed in application of Articles 5.1.c and 5.2 of the GDPR

22. Article 5, paragraph 1, c) of the GDPR provides that personal data must be "adequate, relevant and limited to what is necessary for the purposes for which they are processed (data minimization)".

23. Article 5 (2) of the GDPR provides: "The controller is responsible for complying with paragraph 1 and is able to demonstrate that it is complied with (liability)".

24. The rapporteur notes that, in the context of the investigation, the CNIL control delegation noted that the register sheet relating to the preparation of the classification commissions, drawn up in May 2018, provides for the categories of data personnel which are considered necessary for processing and which may therefore appear in the preparatory files for commissions according to the RATP. These data categories are as follows: "the name, first name of the agent, name of the team manager", "the registration number, date of hiring, date of qualification", "the old level with date, the level proposed, any bonuses "," the date of the appraisal and progress interviews, if applicable of the progress plans "," the professional evaluation criteria "," the presence at work "," the unavailability (without distinction between the reasons) "," accidentology "," any customer complaints, information reports, penalties ". The human resources manager of the BUS department also reminded all the human resources manager staff of the bus centers, in an email sent on May 5, 2020, that the categories of personal data that may be contained in these files preparatory work were exhaustively listed in the corresponding register file and that the files could not contain other data.

25. The rapporteur also notes that it has been observed that the practice of preparing classification committees in the controlled bus centers consisted of including in the preparatory files, in addition to the number of days of absence during the years assessed, data relating to the reasons for the unavailability of agents, including, in particular, the number of days of strike action per agent during the period assessed (ie three years).

26. In view of these findings, the rapporteur considers that the purpose of the processing constituted by the preparation of the classification committees is the evaluation of staff with a view to taking decisions relating to their promotion and that the processing for this purpose of data relating to the number of days of strike action per employee appears excessive, in that they do not constitute adequate, relevant and necessary data to achieve this purpose.

27. In addition, the rapporteur notes that the RATP informed the delegation that, in order to put an end to the data breach notified to the CNIL on May 18, 2020 and before the delegation's checks, it brought all of the data into compliance. preparatory files established for the 2019 and 2020 classification committees in each of the bus centers with the corresponding record of the BUS department processing activity register. The rapporteur notes that the findings do not confirm this assertion insofar as the breach continued on the date of the on-the-spot checks in at least two bus centers (Bords de Marne and Vitry-sur-Seine).

28. In defense, the RATP does not dispute the creation of files containing data relating to the number of days of strikes by agents but stresses that this practice is contrary to its internal rules, that this only concerns a few operational units and that the duration such a practice cannot be established. As for the persistence of the non-compliance with the on-site inspections, the RATP maintains that it is a technical error due to the poor mastery of the Excel tool and provides statements from the directors of the operational units concerned attesting that they were unaware of the existence of these tabs, which therefore could not, a fortiori, be used.

29. In the first place, with regard to the relevance of the processing of data relating to the number of days of strike action, the restricted committee notes first of all that the RATP argued, in particular during the inspections, that the rules in career development and advancement were determined by collective agreements negotiated with trade unions. These agreements do not provide for automatic advancement but take into account the assessment of individual performance. The RATP has specified the categories of data that may appear in the preparatory files for the classification committees and, among these, are the data relating to "presence at work" and "unavailability (without distinction between the reasons)". The restricted committee notes that these criteria are reflected in particular, in the preparatory files in question, by columns relating to the number of working days, the "driving" time, the number of days of rest and the number of days of absence. . With regard to this last column, it is not provided by the applicable rules for it to contain the reason for absences.

30. The restricted training thus notes that the number of days of absence, as well as, for example, the number of working days and the number of days of rest, is a datum which can be taken into account in the context of collective agreements.

31. It notes that the collective agreements provide that certain absences, such as absence linked to maternity leave, must appear separately so that this data is not taken into account unfavorably in the evaluation of the performance of the employee. agent concerned. On the other hand, apart from these exceptions defined in the agreements, it does not emerge from this set of rules that the reasons for the absence of employees can be taken into account for their evaluation.

32. Consequently, if the restricted committee does not call into question the relevance of the treatment of the number of days of absence with regard to the rules set, in particular by collective agreements, it considers that it is not relevant, in view of in the evaluation of agents, to treat data relating to the number of days of strike action as a separate category from the total number of days of absence. Indeed, knowing the reason for the absence is not necessary. The restricted training also notes that the dedicated file of the processing register specifies that, among the categories of data envisaged as being able to appear in these files, appear only "unavailability (without distinction between the reasons)". Therefore, it appears excessive and contrary to the principle of minimization to individualize the category of the number of days of strike among the absences recorded and thus to process this data for these purposes.

33. The RATP did not deny the illegal nature of the files produced in certain bus centers as part of the preparation of the classification commissions and argued that such a practice was contrary to its general policy.

34. The restricted committee considers that, insofar as the files in question constitute decision support files, they can only be composed of the personal data necessary for making decisions relating to the assessment, which have been determined beforehand.

35. The restricted committee finally underlines the specificity of the data relating to the exercise of the right to strike by an agent and notes that the processing of this personal data is not neutral. Indeed, the processing of this particular category of data by an employer must be limited to certain legitimate purposes and must fit into the legal framework resulting in particular from Article L. 1324-7 of the Transport Code and the article R. 3243-4 of the labor code.

36. Secondly, with regard to the number of people affected by this processing, the restricted committee notes that the RATP reported, through the data breach notifications as well as the subsequent emails sent to the CNIL on June 11 and 5 August 2020, the existence of files containing data relating to strike days in four operational units (Bords de Marne, Quai de Seine, Paris Sud-Ouest and Rives-Nord). CNIL checks in two other operational units, selected at random, also revealed the existence of these progress files. Six operational units out of the existing sixteen are therefore concerned, the others not having been the subject of controls. The restricted training therefore notes that these are not isolated facts.

37. Thirdly, with regard to the persistence of the practice in question, the restricted committee notes that the RATP argued during the check that, following its discovery of the file at the Bords de Marne bus center, on May 11 and 12, 2020, it analyzed all the preparatory files established for the classification committees for the years 2019 and 2020 in each of the bus centers and brought all of these files into conformity with the file. correspondent in the register of processing activities of the BUS department. The restricted committee underlines that it was however noted, during the checks in the bus centers of the edges of Marne and Vitry-sur-Seine, that the files relating to the year 2020, presented by the RATP as purged of any data not necessary, contained tabs in which were the details of the unavailability of agents and in particular data relating to days of strike action.

38. In this regard, if, in order to justify that this failure continued, the RATP argued that it was a technical error and provided statements from the directors of the operational units concerned attesting that they were unaware of the existence of these "hidden" tabs, which could not therefore be used, the restricted committee considers that the RATP cannot take advantage of its repeated poor mastery of the Excel tool to justify the presence of certain data in the files in question. In addition, even in the event that the directors of the operational units concerned have ignored the presence of the tabs in question in the files concerned, this does not call into question the materiality of the breach observed.

39. Lastly, the restricted committee recalls that the obligation to process only adequate, relevant and necessary data implies not only that of defining the data that must be processed but also of putting in place the relevant measures, particularly organizational ones. to ensure that only these data necessary for the purposes are actually processed. However, the Restricted Committee observes that this was not the case in the present case, as evidenced by the occurrence of the facts in question.

40. Indeed, it must be noted that, although contrary to the general policy of the RATP, the practice in question does not constitute an isolated act, which only concerned a small group of agents. On the contrary, first of all, this practice results in particular from the lack of rigor in the supervision of the organization of advancement procedures as well as of the tools made available to the various departments in this context. In this regard, in particular, the configuration of the DORA tool, which only allows the extraction of all the data relating to an agent or even to all the agents of a bus center, without it either possible to sort between the categories of data to be selected in order to extract them, was likely to contribute to the constitution of classification commission files containing inadequate data with regard to the purpose pursued. In addition, the restricted committee noted that certain organizational measures, such as the one mentioned by RATP during the procedure in order to prevent such practices from recurring - consisting in the creation of a common Excel tool which must be used to the data extractions in DORA (and other relevant applications) carried out for the constitution of the preparatory files, in order to freeze what a preparatory table can contain in terms of data - now make it possible to prevent the emergence of such practices, and could usefully have been implemented before the initiation of this proceeding.

41. In view of all of the foregoing, the restricted training considers that it was the responsibility of RATP, as data controller, to ensure that only the categories of personal data necessary for the making of decisions relating to the evaluation to constitute the files in question, in accordance with articles 5.1.c and 5.2 of the GDPR. Consequently, the RATP failed to fulfill its obligations by including in these files data relating to the number of days of strike per employee during the period assessed and by refraining from ensuring that the purge decided following the discovery of the offending files is actually implemented.

42. The Restricted Panel therefore considers that these facts constitute a breach of Articles 5, paragraph 1, e), and 5, paragraph 2, of the GDPR.

C. The breach of the obligation to define and respect a retention period for personal data proportionate to the purpose of the processing pursuant to Article 5.1.e of the GDPR

43. Under the terms of Article 5.1.e of the Regulation, personal data must be "kept in a form allowing the identification of the persons concerned for a period not exceeding that necessary for the purposes for which they are intended. processed; personal data may be kept for longer periods as long as they will be processed exclusively for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with the Article 89 (1), provided that the appropriate technical and organizational measures required by this Regulation are implemented in order to guarantee the rights and freedoms of the data subject (limitation of retention) ".

1. Regarding the retention periods of data accessible in the DORA application

44. The rapporteur notes that the delegation has been informed that the DORA application is a tool for viewing and extracting data from five IT applications, which are implemented for the processing and management of human resources of the BUS department. The RATP indicated that the purpose of this application is in particular "the exploration of operational data" (operating data, quality of service, data relating to human and economic resources). As a visualization tool, it does not allow users to modify data in searchable information systems, but allows them to extract it to Excel files.

45. The rapporteur also notes that the delegation was informed that the personal data contained in DORA are kept, on an active basis, for the duration of the agent's employment in the BUS department, extended by six years. The rapporteur emphasizes that RATP has not been able to justify this data retention period with regard to the purposes for which they are processed and considers that this retention period in the active database in the DORA tool is therefore excessive. .

46. In defense, the RATP argues that the retention period which had been indicated to the control delegation, namely the length of the agent's employment in the BUS department, extended by six years, was incorrect and that this duration corresponded to the retention period of data in the archive database and not in the active database. In its writings, the RATP explains that the retention period in the active database was in fact six years on the date of the checks carried out by the CNIL. It further specifies that this period was considered excessive during internal work and that it was reduced to two years, plus the current year, after the checks carried out by the delegation.

47. The restricted committee first of all takes note of the details provided by the RATP during the procedure and in particular of the fact that the data were kept in an active database in DORA for six years and not during the length of the employment of six years.

48. The restricted committee recalls that the retention period of personal data must be determined according to the purpose pursued by the processing. When this purpose is achieved, the data must in principle be deleted, anonymized or be subject to intermediate archiving when their retention is necessary for compliance with legal obligations or for pre-litigation or litigation purposes.

49. In this case, the DORA application is a data visualization tool for the purposes of human resources management of the BUS department, the purpose of which is "exploration of operational data". It should allow, among other things, a monitoring of agent activity. The restricted training noted that this purpose, as identified by the RATP, is very broad and imprecise, and that it does not allow for a precise understanding of the operational needs that result from it. In addition, nothing in the file makes it possible to determine what purposes would justify the agents authorized to access DORA to be able, in order to achieve them, to view all of this data relating to human resources over a period of six years. For example, this information includes data relating to the number of days of strike action per employee, which are used in particular to calculate the basis of pay as well as social security contributions and contributions. The RATP does not establish why this information should be kept in the DORA application, once the payslip is established, for a period of six years, while a much shorter period on an active basis would be sufficient for the establishment of the payroll. Other purposes, such as viewing information for monitoring agent activity, may justify a longer period, but the need to go back to the previous six years has not been established.

50. The Restricted Committee further notes that, far from being able to justify the retention period of all the data in the DORA application with regard to the purposes of this tool, the RATP on the contrary argued that the the retention period in the active database of the DORA application, at the date of the checks, was considered excessive in view of the exploration purposes of this application. This period was, during the procedure, reduced to two years plus the current year, to allow managers to monitor the activity of agents over a reduced period but sufficiently significant to see changes.

51. Consequently, the restricted committee considers that the retention of the personal data in question for six years on an active basis, without a differentiated and adapted approach to data retention with regard to the precise purposes for which they are processed. implemented, did not allow compliance with the principle of limiting the retention period of data.

52. In view of all these elements, the restricted committee considers that the breach of Article 5, paragraph 1, e) of the GDPR is characterized.

2. Regarding the retention period of the classification committee preparation files

53. The rapporteur notes that the delegation was informed that the expected retention period of the files for the preparation of the classification commissions was eighteen months, from the date of the classification commission for which they were established. This duration is provided for on the corresponding register sheet, depending on the purpose of this processing (decision-making aid for the assessment of agents). However, the delegation noted that, in the Aubervilliers and Vitry-sur-Seine bus centers, the 2017 classification committee preparation files were present on the servers.

54. In view of these findings, the rapporteur criticizes RATP for keeping the files in question for a period that exceeds that necessary with regard to the purpose of the processing and for not effectively implementing its policy of conservation.

55. In defense, the RATP emphasizes the isolated nature of the facts.

56. The restricted committee notes that the committee preparation files are established as a decision-making support for preparatory meetings for the annual classification committees, with a view to the evaluation of staff, and can therefore only be kept for the duration. necessary for the achievement of this purpose. The restricted committee observed that the RATP set their retention period at eighteen months after the classification commission for which these files are produced, having considered that this was the period necessary for the purpose of the processing.

57. However, the restricted committee notes that the CNIL delegation noted the conservation, in the Aubervilliers and Vitry-sur-Seine bus centers, of the classification committee preparation files dating from 2017, which corresponds to for a period of more than three years after the meeting of the classification committee concerned. The restricted committee considers that this retention is excessive insofar as it exceeds the time necessary to achieve the purpose pursued, which is, according to the RATP, eighteen months after the classification commission for which these files are produced. . The planned retention period for the classification commission preparation files is therefore not effectively implemented since only files relating to the 2019 and 2020 classification commissions should have been able to appear on the servers on the date of the checks. However, the effectiveness of the implementation of a data retention period policy is the necessary counterpart to its definition and makes it possible to ensure that the data are kept in a form allowing the identification of the persons concerned for a period of time. not exceeding that necessary with regard to the purposes for which they are processed. This also makes it possible, in particular, to reduce the risks of unauthorized use of the data in question, by an employee or by a third party.

58. Consequently, the restricted panel considers that RATP has failed to comply with its obligations under Article 5, paragraph 1, e) of the GDPR.

D. The breach relating to the obligation to ensure the security of personal data pursuant to Article 32 of the GDPR

1. On authorizations to access and extract data in DORA

59. Article 32 of the Rules provides:

"1. Taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, the degree of probability and severity of which vary, for the rights and freedoms of natural persons, the data controller and the processor implement the appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk, including, among others, according to the needs:

[…] (B) the means to ensure the constant confidentiality, integrity, availability and resilience of processing systems and services; […] ".

60. The rapporteur notes that the delegation was informed that the DORA tool allows all authorized agents, whatever their missions, to perform the same actions and, thus, not only to view personal data. stored in the tool but also to extract all of this data. The rapporteur therefore considers that DORA's authorization policy does not make it possible to limit users' access to only the data they actually need in the context of their duties, being reminded that the DORA tool contains a large volume of data. data, particularly in connection with human resources management, and relating to all the agents of the BUS and MRB departments (bus rolling stock).

61. In defense, the RATP maintains that the system cannot be compartmentalized and that all authorized agents need to have access to all data in the course of their duties. It also argues that transversal access between operational units corresponds to an operational and organizational need and specifies in this regard that operational unit directors need to have access to the data of all operational units in order to ensure continuity of service. RATP also maintains that it is in the process of implementing an action plan aimed at partitioning the access of the "operational unit management" and "HR assistant" profiles to only the data of the operational unit to which they are attached.

62. The restricted committee recalls in this regard that in application of article 32 of the GDPR, the data controller must put in place appropriate measures to ensure the confidentiality of the data and prevent the data from being processed unlawfully by the made up of people who don't need to know. The prevention of misuse and data breaches can be partly ensured by organizational measures, in particular by informing users of the information system about the data that they are authorized to process for their missions, by controlling the use that is made of it. is done, in particular by means of connection logs, and by disciplining non-compliance with the applicable rules. In addition to these measures, the management of authorizations to consult or use an information system must tend to limit access to only the personal data that a user needs for the performance of his missions, in particular by defining profiles. empowerment in systems by separating tasks and areas of responsibility. It is therefore up to the data controller to set up, depending on the greater or lesser diversity of the users' missions, an authorization management policy that is appropriate to the importance and sensitivity of the data processed, as well as the risks to which the persons concerned are exposed, according to the means at his disposal.

63. By way of illustration, the restricted training noted that the Guide for the development of an information system security policy of the National Information Systems Security Agency (published in 2004) specifies in this regard that the definition of authorizations must respect the principle of the need to know: any actor will have exclusive access to the information he needs in the accomplishment of his task.

64. In the present case, the restricted formation notes, first of all, that all the DORA users authorized to access the "pointing" part of the tool have access to the data relating to all the agents of the BUS departments and MRB. On the one hand, all authorized agents therefore have access to all categories of data (all data relating to human resources and thus, in particular, data relating to days of strike or sick leave) without distinction. duties or missions of agents. On the other hand, these agents access the data relating to the agents of their operational unit but also of all the other operational units (i.e. more than 16,000 people), without the need for this access for all the agents having been established. by RATP. On the contrary, the latter explained in its written observations that it was implementing an action plan aimed at partitioning the access of certain profiles to only the data of the operational unit to which they are attached and, thus, to define a stricter authorization policy.

65. Secondly, the restricted committee considers that the configuration of the tool does not ensure the confidentiality of data within the meaning of Article 32 of the GDPR to the extent that all authorized agents can extract all of the data. data contained in the tool. Indeed, the delegation noted that the authorization policy did not make it possible to distinguish, according to the functions of the authorized agents, whether the ability to extract personal data was necessary in relation to their functions.

66. Consequently, the restricted committee considers that the authorization policy for the DORA tool does not guarantee that authorized persons have access only to the data strictly necessary for their functions. It considers that the authorization policy should be more detailed and allow the creation of more different profiles, relating to the functions of the agents or to the bus centers to which they are assigned, as the RATP is now planning to put in place, all the more so given the volume of data and the sensitivity of certain data accessible in the tool.

67. In view of all of these elements, the restricted committee considers that the level of confidentiality of the personal data contained in this tool does not comply with the requirements of Article 32 of the GDPR.

2. On the authorizations to access the preparation files of the classification committees

68. The rapporteur underlines that the delegation noted that, at the Aubervilliers bus center, the classification committee preparation files were accessible on a server to all participants in the arbitration meetings for which they were established. Thus, these preparatory files were accessible, not only to the center management and to the human resources department, who could in any case view the data contained in these files on DORA, but also to all line team managers. , who are not authorized to consult this data in DORA. The thirteen line team managers therefore had access to the personal data of all the bus drivers available for the advancement of the bus center (around 800 bus drivers are assigned to this bus center, of which only a part is "nominable" every year).

69. The rapporteur considers that the fact that the preparatory files for classification committees are accessible on a server by all line team managers does not guarantee the confidentiality of the data since these files contain numerous personal data of agents, and in particular of agents who are not under their responsibility.

70. In defense, the RATP maintains that all the authorized managers need, within the framework of the preparatory meeting, to have visibility on the data relating to all the bus drivers who can be offered from the same operational unit. , to be able to proceed to arbitration. It specifies that making these files available to all managers is necessary in order to ensure collegiality of decisions during the arbitration meetings in question.

71. With regard to the provisions of Article 32 of the aforementioned GDPR, the restricted committee considers that the confidentiality of the data contained in the preparatory files for the classification commissions in question in this case is not guaranteed when the files are updated. available to all line team managers, regardless of whether they are agents under their responsibility or not. Indeed, it notes first of all that while it is legitimate for line team managers to have access to the personal data of the agents under their responsibility upstream of the commissions, in order to decide on their possible progress, it does not appear proportionate for the personal data of all the bus drivers of the bus center to be available to them on a server.

72. The restricted committee then noted that the practice questioned by the rapporteur differs from that observed in the other controlled bus centers, where these files are not made available to line team managers before the meeting. arbitration, but only projected at these meetings. It notes that this practice does not call into question the collegiality of decisions and, thus, satisfies the purpose of the processing, while ensuring a higher degree of confidentiality of the data. In this regard, the restricted committee considers that the risks associated with the loss of confidentiality of the data, such as the reuse of these, are markedly less when the data in question is only projected, the time of a meeting, and not available on a server.

73. Consequently, the restricted committee considers that the practice observed in the other controlled bus centers makes it possible to consider that the risk associated with the fact that the files in question are accessible on a server to all line team managers is not is not proportionate to the desired purpose, that is to say the need, for the participants in the arbitration meetings, to have occasional knowledge of this data in order to participate in the arbitrations.

74. In view of all of these elements, the restricted panel considers that the aforementioned facts constitute a breach of Article 32 of the GDPR.

IV. On corrective measures and their publicity

75. Under the terms of III of article 20 of the amended law of 6 January 1978:

"When the data controller or his subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Freedoms may also , if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a formal notice provided for in II, refer the matter to the restricted committee for the pronouncement, after contradictory procedure, one or more of the following measures: […]

7 ° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the worldwide annual turnover total for the previous financial year, whichever is higher. In the hypotheses mentioned in 5 and 6 of article 83 of regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same article 83 ".

76. Article 83 of the GDPR provides that "Each supervisory authority shall ensure that the administrative fines imposed under this article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive ", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and in deciding the amount of this fine.

77. First, on the principle of the imposition of an administrative fine, the RATP maintains that such a measure is not necessary. It considers in particular that account must be taken of the circumstances of the case and in particular of the measures it adopted during the proceedings. She also maintains that the majority of the decisions handed down against public establishments were not financial sanctions whereas "the failures appeared to concern similar facts".

78. The restricted committee recalls that it must take into account, for the imposition of an administrative fine, the criteria specified in Article 83 of the GDPR, such as the nature, gravity and duration of the violation, the measures taken by the controller to mitigate the damage suffered by the data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the breach.

79. The restricted committee considers first of all that the RATP has shown serious failures in terms of the protection of personal data since breaches are made in the fundamental and elementary principles of the GDPR, which are the principles of data minimization, liability, limitation of the retention period of data and security.

80. The restricted committee notes that by breaching the principle of minimization of personal data, the RATP has shown certain negligence, relating to a fundamental principle of the GDPR. In fact, data relating to the exercise of the right to strike by an agent was made accessible to people who did not have to know about it. The restricted committee notes that if, in the context of certain other processing activities, the controller could process this data, it is otherwise in the context of the assessment of agents, for which the number of days of strike per agent was not relevant. In addition, the use of this particular data, in the context of decision-making relating to the career of the agent, may be unfavorable to him.

81. Next, the restricted committee notes that, even after having been informed of the violation and after having carried out a "social alert" procedure in consultation with the trade unions, the RATP did not take all the necessary measures to ensure the compliance of all the bus centers since the persistence of the breach of article 5.1.c) of the GDPR was observed during the checks, although the RATP confirmed to the CNIL that it brought all the files into compliance in all bus centers.

82. In addition, with regard to the breach relating to the retention period of data, the Restricted Committee notes that the RATP declared, during the inspection, to consider that the retention period set was excessive, without however having put effectively implement measures to ensure compliance with its data retention policy.

83. The restricted training also noted that several shortcomings observed concerned a large number of people, namely around 16,000 agents from the BUS department, which led a trade union organization to appeal to the CNIL.

84. Finally, the restricted committee noted that the compliance measures adopted during the procedure do not concern all the breaches and do not, in any event, exonerate the RATP from its liability for the past.

85. Consequently, the restricted committee considers that it is appropriate to impose an administrative fine with regard to the breaches of Articles 5-1-c), 5-1-e), 5-2 and 32 of the GDPR.

86. Second, with regard to the amount of the fine, RATP highlights the measures taken to remedy all of the alleged facts referred to in the report and its commitment to pursue all of these measures. She also maintains that her financial situation, mainly due to the health crisis, should be taken into consideration. Finally, she argues that the amount proposed by the rapporteur would be disproportionate with regard to previous decisions of the CNIL.

87. The restricted panel recalls that paragraph 3 of Article 83 of the Rules provides that in the event of multiple violations, as is the case in the present case, the total amount of the fine may not exceed the amount set. for the most serious violation. Insofar as the RATP is accused of a breach of Articles 5-1-c), 5-1-e), 5-2 and 32 of the Regulations, the maximum amount of the fine that may be withheld is 20 million euros or 4% of annual worldwide turnover, whichever is greater.

88. The restricted committee also recalls that administrative fines must be dissuasive but proportionate. It considers in particular that the activity of the body and its financial situation must be taken into account in determining the penalty and in particular, in the event of an administrative fine, its amount. It notes in this regard that the RATP reports a turnover in 2020 amounting to approximately […] euros for a net profit of […] euros while the net profit amounted to […] euros. in 2019.

89. Therefore, in view of the economic context caused by the Covid-19 health crisis, its consequences on the financial situation of RATP, its efforts to ensure compliance and the relevant criteria of Article 83, paragraph 2, of the GDPR mentioned above, the restricted committee considers that the pronouncement of an administrative fine of 400,000 euros appears justified.

90. Thirdly, with regard to the publication of the sanction, the RATP maintains that such a measure would cause it disproportionate harm and in particular argues that it would harm its strategy for relaunching its users and that it would be harmful for the relations maintained by RATP with its agents.

91. In view of the number of breaches noted, their persistence, their seriousness and the number of people concerned, the restricted committee considers that the publicity of this decision is justified.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

- pronounce against the Autonomous Paris Transport Authority an administrative fine in the amount of 400,000 (four hundred thousand) euros with regard to the breaches established in Articles 5-1-c), 5-1-c), 5-1-e), 5-2 and 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data;

- make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the Autonomous Paris Transport Authority by name after a period of one year from its publication.

President

Alexandre LINDEN

This decision may be appealed against to the Council of State within two months of its notification.