CNIL (France) - SAN-2021-016

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law:
Article 4 of the Loi Informatique et Libertés
Article 89 of the Loi Informatique et Libertés
Article 97 of the Loi Informatique et Libertés
Article 99 of the Loi Informatique et Libertés
Article 104 of the Loi Informatique et Libertés
Type: Investigation
Outcome: Violation Found
Started:
Decided: 24.09.2021
Published: 30.10.2021
Fine: None
Parties: Ministry of the Interior
National Case Number/Name: SAN-2021-016
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: legifrance.gouv.fr (in FR)
Initial Contributor: Frederick Antonovics

The French DPA held that a database containing over 6,000,000 fingerprints belonging to suspected or convicted offenders was mismanaged by the Ministry of the Interior.

English Summary

Facts

The FAED ('fichier automatisé des empreintes digitales') is a database managed by the French police. It consists of digital copies of fingerprints belonging to people against whom criminal cases were brought and 'traces' of fingerprints collected at crime scenes. It allows law enforcement officers to link a person to several identities or aliases and to link that person to previous proceedings in which his or her prints have been taken.

In December 2018, the CNIL launched a monitoring procedure against the Ministry of the Interior with a view to assessing its compliance with national data protection legislation with regard to the management of the FAED. At the time, the database contained nearly 6,300,000 digital fingerprints belonging to identified persons suspected or convicted of having committed an offence, as well as 240,000 unidentified traces.

In April 2021, the CNIL concluded its investigation and sent the Ministry of the Interior a report detailing various breaches.

Holding

The CNIL issued an injunction against the Ministry of the Interior, ordering it to bring the processing operations in question into line with the obligations resulting from Articles 4, 89, 97, 99 and 104 of the Loi Informatique et Libertés. In particular, it identified five key breaches to remedy:

On the failure to identify the lawfulness of the processing - article 89

The Ministry of the Interior unlawfully processed certain categories of data, such as the names of victims and the license plate number of vehicles. It also kept a physical file containing over 7,000,000 'signage sheets' without a legal basis.

On the failure to comply with the data retention period - article 4

The law provided for a 15-year limit on retaining the information in the database. Over 2 million files were kept beyond this retention period. This data should have been progressively deleted from the entry into force of the relevant national law in 2017.

On the failure to provide accurate data - article 97

The Ministry of the Interior was ordered to take all reasonable measures to guarantee that all inaccurate, incomplete or no longer up-to-date personal data are deleted or rectified without undue delay.

On the failure to safeguard data - article 99

It was also ordered to implement appropriate measures to "ensure a level of security appropriate to the risk; for example by requiring that access to the FAED requires logging in using the 'agent card' and a PIN code, by ensuring that personal data are processed only under the secure conditions defined for the implementation of the FAED Central Index at the end of the signalling operations, in particular in the signalling rooms, e.g. by issuing instructions to this effect to the services in charge of collecting the data."

On the failure to provide information to individuals - article 104

No information about the processing by the police force was given to individuals at police stations. The CNIL highlighted that minors whose data could be held on the database had a particular interest in being informed in an appropriate manner.
