CNIL (France) - SAN-2021-014: Difference between revisions

From GDPRhub


Latest revision as of 07:23, 23 September 2021

CNIL (France) - SAN-2021-014
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 16 GDPR
Article 17 GDPR
Article 30 GDPR
Type: Investigation
Outcome: Violation Found
Started:
Decided: 15.09.2021
Published: 16.09.2021
Fine: 3000 EUR
Parties: Société nouvelle de l’annuaire français (SNAF)
National Case Number/Name: SAN-2021-014
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: Juleso3

The French DPA fined the Société Nouvelle de l'Annuaire Français, an online phone book company, €3,000 for infringing the right to rectification, the right to erasure and the obligation to have a record of processing activities.

English Summary

Facts

The CNIL received 16 complaints between 2018 and 2019 reporting that users were facing difficulties deleting or rectifying their data on the annuairefrancais.fr website. The website hosts information about companies registered in France that is published in the SIRENE database, a public database managed by the National Institute for Statistics and Economic Studies (INSEE). The website annuairefrancais.fr offers the possibility of creating an account allowing users to get information about registered companies and to subscribe to commercial offers from these companies. After an initial inspection, the CNIL found that the processing was not compliant with the GDPR and issued a formal notice giving the company two months to bring its processing practices into compliance by implementing a clear policy regarding data deletion and rectification, establishing a record of processing activities and dealing with the data subjects' requests.

Holding

Noting that the company had not actively cooperated and had failed to implement the required measures within the prescribed period, as spelled out in the formal notice, the CNIL imposed a fine of €3,000 on the company Société nouvelle de l'annuaire français.

More specifically:

  • concerning Article 16 GDPR (right to rectification), it was found that the company had failed to follow up on a data subject's request to rectify his postal address from his personal to his professional address within the prescribed period. The deadline for rectifying the personal data of the complainant had been largely exceeded as the company's director implemented the required measures in July 2021, whereas the deadline expired in September 2020;
  • concerning Article 17 GDPR (right to erasure), it was also found that the erasure requests of several data subjects had not been processed within the prescribed period. Several requests which were supposed to have been processed had, in fact, not been followed up on, even after the formal notice period had expired. The CNIL considered that if the data controller had indeed reinitialized its database by taking only the INSEE data, this was not sufficient to ensure that the requests were taken into account;
  • concerning Article 30 GDPR (record of processing activities), it was found that the company had failed to create and complete a record of processing activities although processing a large amount of personal data constituted the core of its activity.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Messrs Alexandre LINDEN, President, Bertrand du MARAIS, member, and Mmes Anne DEBET and Christine MAUGÜE, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Law No. 78-17 of January 6, 1978 relating to data processing, files and freedoms, as amended, in particular its Articles 20 et seq.;

Having regard to Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to information technology, files and freedoms;

Having regard to Deliberation No. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Informatics and Freedoms;

Having regard to Decision No. 2019-133C of June 26, 2019 of the President of the National Commission for Informatics and Freedoms instructing the Secretary General to carry out or have carried out a mission to verify the processing operations implemented by or on behalf of the Société nouvelle de l'annuaire français;

Having regard to Decision No. MED 2020-017 of July 21, 2020 giving formal notice to the Société nouvelle de l'annuaire français;

Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated April 12, 2021;

Having regard to referrals Nos. 18011796, 18013215, 18015831, 18016541, 18019128, 18020503, 18020676, 18022147, 18024212, 18024300, 19000390, 19001882, 19003400, 19004724, 19008218 and 19014490;

Having regard to the report by Mrs. Sophie LAMBREMON, rapporteur commissioner, notified to the Société nouvelle de l'annuaire français on May 27, 2021;

Having regard to the email and comments sent by the company on June 2 and July 6, 2021;

Having regard to the other documents in the file;

The following were present during the restricted formation session on July 8, 2021:

- Mrs Sophie LAMBREMON, commissioner, heard in her report;

As representative of the Société nouvelle de l'annuaire français:

- […];

The Société nouvelle de l'annuaire français having spoken last;

The restricted committee adopted the following decision:

I. Facts and procedure

1. The Société nouvelle de l'annuaire français (hereinafter "the company" or the "SNAF") is a simplified joint-stock company with a share capital of 5,000 euros, located at 87 rue des Pyrénées in Paris (75020). It has an advertising management activity and manages the annuairefrancais.fr website. Its president is its sole employee. In 2018, it achieved a turnover of approximately […], for a net profit of approximately […]. In 2019, the company's turnover amounted to […] with a net profit […].

2. The annuairefrancais.fr website is a professional directory that lists French companies and draws up, for each of them, a presentation sheet containing its main administrative information, in particular the name and address of its manager. These data come exclusively from the SIRENE public database published by INSEE on its website. About once a month, the manager of the company manually downloads the file made available by INSEE and compares the new list with the one previously published on the company's website to update its database. Company managers can create an account on the site to access a personal space allowing them to subscribe to the company's commercial offers, which provide a personalized presentation of their company.

3. The National Commission for Informatics and Freedoms (hereinafter "the CNIL" or "the Commission") received, between March 1, 2018 and May 16, 2019, sixteen complaints (Nos. 18011796, 18013215, 18015831, 18016541, 18019128, 18020503, 18020676, 18022147, 18024212, 18024300, 19000390, 19001882, 19003400, 19004724, 19008218 and 19014490) concerning the website annuairefrancais.fr, relating to the difficulties encountered during requests for erasure and rectification of personal data.

4. A control mission was then carried out by the CNIL with the company, in application of Decision No. 2019-133C of June 26, 2019 of the President of the Commission.

5. The main purpose of this mission was to verify compliance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on data protection (hereinafter "the GDPR" or "the Regulation") and of the amended Law No. 78-17 of 6 January 1978 relating to data processing, files and freedoms (hereinafter "the amended law of 6 January" or "the Data Protection Act") of the processing implemented by this body or on its behalf.

6. The president of the company was summoned by a letter of July 17, 2019, received on July 20, 2019, to a hearing, in application of article 19-III of the aforementioned law, which was held on September 5, 2019. In addition, an online check was carried out on September 3, 2019. The report of the online check was notified to the company by letter of September 9, 2019.

7. At the end of the audit by hearing, the company was asked to communicate to the CNIL, within eight days, all the exchanges between the complainants at the origin of the control procedure and the company, as well as a copy of an example of a response to a request for erasure, a count of the number of individual companies present in the "PROFESSIONAL 3" table of the company database, a copy of any contractual document framing the commercial relationship with […] and a copy of any contractual document framing the commercial relationship […]. The minutes of the hearing were notified to the company by post on September 9, 2019.

8. As the company did not produce the requested information within the time limit set at the end of its hearing, a follow-up email was sent to it by the CNIL services on September 23, 2019, granting it an additional period of eight days to provide the requested items.

9. On October 4, 2019, the company only partially responded to the CNIL's requests by providing only the documents framing its commercial relationship with […]. In addition, the company questioned the CNIL about the legality of the dissemination of data collected by INSEE and the personal nature of the data processed. It also highlighted a conflict between it and […]. Finally, it said "having excluded specific requests" transmitted by the CNIL without specifying the subject of these requests and without providing supporting documents.

10. Numerous exchanges then took place between the company and the Commission services, without the company responding effectively to the requests made following the audit. The CNIL thus sent a follow-up on October 7, 2019 specifying in particular that the documents concerning [...] were only hypertext links. In response, the company sent an email the same day in which it indicated that it was going to respond to the CNIL's requests. It did not do so, which led the CNIL to send a further reminder on October 10, 2019. The company provided answers on October 15 and 16, 2019 in connection with the handling of complaints and the contracts requested, but without providing the requested supporting documents.

11. On 16 October 2019, the Commission services sent a letter stating that the company had not provided any supporting documents concerning the exchanges between the complainants and the company.

12. By Decision No. MED 2020-017 of July 21, 2020, notified on July 21, 2020 and received on July 23, 2020, the President of the Commission gave formal notice to SNAF, within two months, to:

"- inform the persons concerned, in accordance with the provisions of Articles 12, 13 and 14 of the Regulation, regarding the processing of personal data in place, and in particular provide complete information to the persons, and this, in a document or medium separate from the general conditions of use of the site in order to ensure that it is easily accessible by also providing specific information to entrepreneurs whose data has been collected from the INSEE databases;

- rectify the data of the complainant concerned and set up a procedure to effectively take into account any request to exercise the right of rectification and updating made by persons whose personal data appears in the company's database;

- proceed with the deletion of the data of the complainants concerned ([…]) and put in place a procedure allowing to effectively take into account any request to exercise the right of erasure of the persons whose personal data appear in the company's database;

- implement a register of processing activities;

- transmit the elements requested at the end of minutes No. 2019-133/2 not yet communicated;

- justify to the CNIL that all of the aforementioned requests have been complied with, and this within the allotted time."

13. It was stated in the formal notice that if, at the end of the two-month period, the company had complied with the formal notice, the procedure would be closed and a letter would be sent to the company to this effect. Conversely, if the company did not comply with the formal notice, a rapporteur would be appointed by the President of the Commission, who could ask the restricted committee to pronounce against the company one of the measures provided for in article 20 of the amended law of 6 January 1978.

14. The formal notice having remained unanswered, a reminder letter was sent by the President of the CNIL on November 19, 2020, granting the company an additional 15 days to respond to the formal notice.

15. On December 17, 2020, the company sent an email to the CNIL services in which it indicated that it had handled all of the complainants' requests individually, without providing any supporting documents. It then explained that it did not have the means to "automatically manage deletion requests".

16. On March 6, 2021, the company sent a new email to the CNIL services in which it established a list of the files corresponding to the various referrals received by the CNIL and in which it indicated the treatment granted to each of them and their actual status. This response did not include any supporting documents.

17. For the purposes of examining these elements, the President of the Commission appointed, on April 12, 2021, Ms. Sophie LAMBREMON as rapporteur, in accordance with Article 39 of Decree No. 2019-536 of May 29, 2019.

18. At the end of her investigation, the rapporteur had a bailiff serve on the Société nouvelle de l'annuaire français, on May 27, 2021, a report detailing the breaches of the GDPR that she considered to be established in the present case. The letter notifying the report informed the company that the file was scheduled for the restricted formation session of July 8, 2021.

19. This report proposed to the restricted formation of the Commission to pronounce an administrative fine.

20. On June 2, 2021, the company sent an email to the CNIL services. It supplemented its email with comments of July 6, 2021.

21. The company and the rapporteur presented oral observations during the session of the restricted formation.

II. Reasons for the decision

A. On the concept of personal data

22. Article 4.1 of the GDPR defines "personal data" as "any information relating to an identified or identifiable natural person".

23. The company expressed doubts as to the personal nature of the data processed and therefore as to the competence of the Commission. According to the company, the data it publishes in its directory is not subject to Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 on the grounds that they are not personal data but data relating to enterprises.

24. The rapporteur considers that the information on these pages contains data which has the character of "personal data" within the meaning of the GDPR as long as it allows a direct identification of a natural person.

25. The restricted committee notes that the files relating to the companies referenced in the directory accessible from the company's website include, in particular, the names, first names and addresses of natural persons when they have the status of self-employed or when they exercise a liberal profession without being a member of a practice structure. Consequently, the data present on the files relate to an identified natural person and thus have the character of "personal data" within the meaning of the GDPR.

26. In this regard, the restricted committee observes that the CNIL has adopted this position consistently for many years. In this sense, as early as 1985, it indicated that "are directly nominative: information relating to directors, whatever the form of the company, as well as information relating to voters within the framework of the organization of consular elections; information relating to the corporate name of the company, when it is a company in name" (Deliberation No. 85-45 of October 15, 1985). The Council of State also affirms that personal data are data which allow a direct identification of a natural person (see in this sense the Council of State decision, 10th SSJS, December 30, 2015, No. 376845, § 8).

27. The restricted committee therefore considers that the data processed by the Société nouvelle de l'annuaire français are personal data within the meaning of Article 4.1 of the Regulation and that the provisions of the Regulation are applicable to the processing carried out by the company.

B. On the classification of the facts with regard to the general data protection regulation

1. On the failure to comply with requests for rectification of data

28. According to Article 16 of the GDPR "the data subject has the right to obtain from the controller, as soon as possible, the rectification of personal data concerning him which is inaccurate".

29. It emerges from the findings of the CNIL delegation that, when the company receives rectification requests from entrepreneurs whose data appears on the annuairefrancais.fr site, a comparison is made between the data in the SIRENE database and company data appearing on the company's website. It was also established that the company only allowed requests for rectification of data when a difference was noted between the file on the annuairefrancais.fr site and the SIRENE database. If the files for the site and the SIRENE database were identical, the company refused to correct the data.

30. On September 13, 2017, […] (referral No. 18020503) sent a request for rectification of his address to the Société nouvelle de l'annuaire français. He specified that the address given on the form was that of his personal home and not his professional address. Noting that the information on his company's file was still inaccurate, […] contacted the company again on January 23, 2018. He subsequently lodged a complaint with the CNIL on October 10, 2018, as this data had still not been rectified.

31. The company was put on formal notice by the President of the Commission, by decision of July 21, 2020, within two months, to correct the data of the complainant who contacted the CNIL. It was also given formal notice, within the same period, to put in place a procedure to effectively take into account any request to exercise the right of rectification and update made by persons whose personal data appear in the company database.

32. The rapporteur notes in her sanction report that on the day of the inspection, 3 September 2019, i.e. two years after the request, the company profile of […] still presented inaccurate information, the company thus ignoring its obligations under Article 16 of the GDPR.

33. The company indicates that it proceeded, on July 6, 2021, to the deletion of all data relating to […].

34. The restricted committee notes that […] alerted the Société nouvelle de l'annuaire français, in September 2017, to the inaccuracy of some of the data mentioned on his company's file published on the annuairefrancais.fr site.

35. Although the company told him, as of September 13, 2017, that it was taking his request into account, the restricted committee noted that the complainant had, in the absence of rectification of his data, sent a reminder to the company in January 2018, then lodged a complaint with the CNIL in October 2018. During the control carried out by the delegation in September 2019, the company had still not rectified the personal data of the complainant. In July 2020, the president of the CNIL subsequently put the company on notice to rectify, within two months, the data of […]. The restricted committee noted that this request was again not followed up, the company not having provided a satisfactory response to the formal notice. In addition, the restricted committee notes that the rapporteur specifies in her sanction report of 25 May 2021 that the informal checks carried out at the time of its drafting showed that the complainant's file still included the address of his personal home; the rectification request had therefore still not been taken into account.

36. The restricted panel was notified by letter of July 6, 2021 that the company had finally granted the complainant's request.

37. The restricted committee holds, in any event, that despite the various steps taken by the complainant and the CNIL services, the company had not complied by the expiry of the time limit set in the formal notice of July 21, 2020.

38. Under these conditions, and in view of the foregoing, the restricted panel considers that the company has failed in the obligation provided for in Article 16 of the Regulation.

2. On the failure to comply with data erasure requests

39. According to Article 17 of the GDPR "the data subject has the right to obtain from the controller the erasure, as soon as possible, of personal data concerning him and the controller has the obligation to erase such personal data as soon as possible, when one of the following grounds applies […] the data subject objects to the processing pursuant to Article 21(1) and there is no compelling legitimate reason for the processing".

40. In addition, Article 21(1) provides that "the data subject has the right to object at any time, for reasons relating to his particular situation, to the processing of personal data concerning him based on Article 6(1)(e) or (f), including profiling based on these provisions. The controller no longer processes personal data, unless he can demonstrate that there are compelling legitimate reasons for the processing which prevail over the interests and rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims". Finally, Article 6(1)(f) provides that "the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject which require protection of personal data prevail, in particular when the data subject is a child".

41. The CNIL's delegation of control established that the company receives requests to exercise the right to erasure by telephone, by mail, by email and by an online form. During the control of September 5, 2019, the delegation was informed that these requests were normally processed as they were received, but that they had not been since April 2019, "due to operational difficulties". During the hearing, the delegation thus noted the presence, in the company's email inbox, of 135 requests for erasure of data that had not been read or processed by the manager of the company. The oldest was received on May 3, 2019, more than four months before the hearing.

42. The delegation also noted, in the context of the online control of September 3, 2019, that, among the pages whose deletion had been requested from the company by the complainants who contacted the CNIL, five were still present, on the day of the control, on the company's website and that they contained the personal data of the complainants (the pages marked with […]). For three other complainants ([…]), although the files corresponding to their establishment had indeed been deleted, data concerning them, such as professional activity and the department in which the company is located, remained accessible in the index pages of the site www.annuairefrancais.fr and thus still appeared when entering the name of the complainants during a search carried out on a search engine.

43. The company was ordered to proceed with the deletion of the data of the complainants concerned ([…]) and to put in place a procedure making it possible to effectively take into account any request to exercise the right to erasure made by persons whose personal data are in the company's database.

44. The rapporteur notes in her sanction report that the company did not delete the data of all the complainants within the time limit, as the data of […] is still accessible.

45. The company indicates, in a letter of July 6, 2021, that it has reinitialized its entire database and that it is now exclusively made up of data from the SIRENE directory distributed by INSEE. It specifies that the requests made by people on the previous information published on the annuairefrancais.fr site were de facto canceled because this data was deleted during this update. From now on, the company only disseminates data published each month by INSEE, and previously updated by the latter.

46. The restricted committee considers that it emerges from the aforementioned provisions of the GDPR that, when the processing has as a legal basis the legitimate interest of the controller, the latter must comply with the request for erasure made by the data subject when the latter has objected to the processing of his personal data and the data controller does not demonstrate compelling legitimate grounds for the processing.

47. The restricted committee notes that on the day of the findings, in eight of the sixteen complaints referred to in this procedure, the company did not provide an effective response to the requests made and the personal data in question remained directly accessible in the company files posted on the website.

48. In addition, the restricted committee notes that the data controller does not invoke any compelling legitimate reason justifying that the processing he implements would take precedence over the rights of the complainants, while the data subjects have expressed their opposition to the processing and that they have made a request for the erasure of their personal data.

49. The restricted committee also considers that the measures that the company announces that it has recently put in place in connection with the updating of its database, which, according to the latter, would allow it to satisfy requests for the exercise of rights, are not sufficient to ensure that these requests are taken into account, since the data of three complainants are still accessible on the site despite the update carried out.

50. The restricted committee holds, in any event, that the company had not complied by the expiry of the deadline set in the formal notice of July 21, 2020.

51. In these circumstances, the restricted panel considers that the company has failed in the obligation provided for in Article 17 of the Regulation.

3. On the breach of the obligation to implement a register of processing activities

52. Article 30 of the GDPR provides that "each controller and, where applicable, the representative of the controller shall keep a register of processing activities carried out under their responsibility". This obligation cannot be imposed on companies with fewer than 250 employees, "unless the processing they carry out is likely to involve a risk for the rights and freedoms of the persons concerned, if it is not occasional […]".

53. The findings of the CNIL delegation show that the company does not implement a register of processing activities.

54. The company was given formal notice on July 21, 2020 to implement a register of processing activities. However, it did not respond to this injunction as part of the formal notice.

55. The rapporteur considers in her sanction report that the company has therefore failed in its obligation under Article 30 of the GDPR.

56. The company does not produce any defense evidence on this point.

57. The restricted committee notes that although the company has a single employee in the person of its chairman, […], the processing carried out by the company is not however occasional since it constitutes the heart of its activity. The company should therefore have implemented a register of its processing activities.

58. The restricted committee holds that the company had not complied by the expiry of the deadline set in the notice of July 21, 2020, or subsequently.

59. In these circumstances, the restricted panel considers that the company has breached the obligation provided for in Article 30 of the Regulation.

4. On the breach of the obligation to cooperate with the services of the CNIL

60. Article 31 of the GDPR provides that "the controller and the processor as well as, where applicable, their representatives shall cooperate with the supervisory authority, at the latter's request, in the execution of its missions".

61. The CNIL delegation noted that the company had not responded to all the requests it had formulated following the audit test carried out on September 5, 2019, but only to some, most of the time in an unsatisfactory or incomplete manner. In addition, it was noted by the delegation that, in the company's email inbox, four emails from the CNIL dated November 13, 2017, January 16, 2018, January 29, 2018 and February 1, 2018, had not been opened. As these letters were not read by the data controller, no response was given to them.

62. The company was therefore put on formal notice, on July 21, 2020, in particular to communicate the documents requested during the audit. The formal notice also included other injunctions aimed at bringing the processing into conformity and respecting the rights of individuals.

63. The rapporteur maintains in her sanction report that the company only partially responded to the request for communication of documents from the delegation of control, despite the numerous exchanges, and that the company did not comply with the requirements of the formal notice within the time limit, which constitutes a breach of the obligation of cooperation provided for in Article 31 of the GDPR.

64. In defense, the data controller expressed difficulties in managing the resulting workload. However, he claims, in a letter of July 6, 2021, that he spent nearly a full month "answering the same thing" to the CNIL services, considering that he had brought himself into compliance with the GDPR.

65. In the first place, the restricted committee notes that the thirteen exchanges between the company and the CNIL did not lead to the communication of all the documents requested during the hearing of September 5, 2019 (documents mentioned above in paragraph 7). However, multiple reminders were sent to the company in September and October 2019 by the services of the CNIL, without success, and the last letter sent by the CNIL by an email of November 8, 2019 remained unanswered. At the end of these numerous exchanges, on all the requests formulated by the CNIL, the company communicated only the specific rental conditions of […], the conditions of use of […], an indication - without proof - of the status on the French directory site of the files corresponding to the sixteen referrals received by the CNIL and a screenshot of the download page of the SIRENE databases of companies on the data.gouv.fr site. Thus, no response was given on the exchanges between the complainants and the company, the communication of a copy of a response to a request for deletion of a file and the count of the number of individual companies present in the "PROFESSIONAL 3" table of the company database.

66. Second, the restricted panel notes that, despite the various discussions and reminders in the context of the formal notice, no satisfactory response has been given to the five injunctions issued in this context.

67. In these circumstances, the restricted panel considers that the company has breached the obligation provided for in Article 31 of the Regulation.

III. On corrective measures and publication of the sanction deliberation

68. Under the terms of III of article 20 of the amended law of 6 January 1978:

"When the data controller or his subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Freedoms may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a formal notice provided for in II, refer the matter to the restricted committee for the pronouncement, after contradictory procedure, of one or more of the following measures: […]

7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover for the previous financial year, whichever is higher. In the hypotheses mentioned in 5 and 6 of article 83 of regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same article 83".

69. Article 83 of the GDPR further provides that "each supervisory authority shall ensure that the administrative fines imposed […] are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and in deciding the amount of this fine.

70. On the imposition of a fine and its amount, the restricted committee considers that, in the present case, the aforementioned breaches justify the pronouncement of an administrative fine against the company.

71. Regarding the fine proposed by the rapporteur, the company argues in defense that its amount is excessive, given its financial capacity.

72. The Restricted Panel analyzes the criteria set out in Article 83 as follows.

73. First of all, the restricted committee notes the number of breaches and the fact that they constitute breaches affecting the rights of individuals and the fundamental principles of the protection of personal data, as well as the obligation of cooperation with the CNIL.

74. Next, the restricted committee considers that these breaches had direct consequences for the persons concerned, since sixteen complaints are at the origin of the procedure. In addition, if the difficulties encountered in the exercise of their rights led sixteen people to lodge complaints with the CNIL, the CNIL also noted that one hundred and thirty-five requests for the exercise of rights had not been processed by the company on the day of the inspection.

75. The restricted committee also underlines the particularly long period during which the company was supported by the services of the CNIL, which sent it numerous requests within the framework of the control procedure, as well as a formal notice with a view to achieving compliance. Despite particularly long and meticulous support by the Commission services, the company has not taken measures to enable it to be in full compliance with the provisions of the GDPR. Above all, the company has not cooperated satisfactorily with the Commission services and this behavior appears to be deliberate.

76. Finally, the restricted committee observes that if the company ended up taking certain measures with a view to bringing it into conformity with the GDPR, these only came late, and only within the framework of the sanction procedure. In addition, the restricted panel notes that the company does not meet the demands of all the plaintiffs, nor all the injunctions of the formal notice.

77. All of these breaches and their seriousness justify a fine.

78. Regarding the amount of the administrative fine, the restricted panel noted that in 2018 the company's turnover amounted to […], with a net accounting result of […]. In 2019, the company's turnover amounted to […] with a net profit […].

79. Therefore, having regard to the relevant criteria of Article 83, paragraph 2, of the GDPR mentioned above, the restricted committee considers that the imposition of a fine of 3,000 euros appears effective, proportionate and dissuasive, in accordance with the requirements of Article 83 (1) of the GDPR, with regard to the size of the company and its financial situation.

80. Regarding the publicity of the decision, the restricted panel considers that the seriousness of certain breaches in itself justifies the publication of this decision.

81. The restricted committee also recalls that the breaches have given rise to several complaints received by the CNIL and that the breaches in connection with the exercise of human rights are serious. It considers that the publication of its decision makes it possible to inform people of the existence of the breaches committed by the company.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

- pronounce an administrative fine on the Société nouvelle de l'Annuaire Français in the amount of three thousand (3,000) euros, in view of the breaches established in Articles 16, 17, 30 and 31 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;

- make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name after the expiration of a period of two years from its publication.

President

Alexandre LINDEN

This decision may be appealed against to the Council of State within two months of its notification.