CNIL (France) - SAN-2023-018

From GDPRhub
CNIL - SAN-2023-018
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 31 GDPR
Article 37(1)(a) GDPR
Type: Investigation
Outcome: Violation Found
Started: 02.06.2021
Decided: 12.12.2023
Published: 19.12.2023
Fine: 5,000 EUR
Parties: Commune de KOUROU (Municipality of KOUROU)
National Case Number/Name: SAN-2023-018
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: nzm

The French DPA fined a municipality €5,000 for failing to designate a DPO and to cooperate with the DPA, therefore violating Article 31 GDPR and Article 37(1)(a) GDPR.

English Summary

Facts

On 2 June 2021, the French DPA (“CNIL”) informed a French municipality (“the controller”) that they had not named a DPO. The municipality did not respond, therefore on 25 April 2022, the CNIL gave formal notice to the municipality to designate a DPO within four months of this notice. The controller neither replied to the DPA, nor complied with its requests.

The French DPA started a sanctioning procedure against the controller on 8 February 2023.

Holding

Firstly, Article 37(1)(a) GDPR establishes that the controller shall designate a DPO when the processing is carried out by a public authority or body. This article applies to the municipality and the DPA reiterated the importance of a DPO in order to ensure compliance with said article, especially within public authorities who process large amounts of personal data, some of which is sensitive data. The CNIL found that the municipality did not designate a DPO and therefore failed to comply with Article 37(1)(a) GDPR.

Secondly, Article 31 GDPR states that the controller should cooperate within the DPA in the performance of its tasks. The CNIL noted that the municipality did not respond to the different letters, formal notices and decisions addressed to it by the DPA, thus failing to comply with Article 31 GDPR.

The DPA fined the municipality €5,000 and ordered the controller to appoint a DPO with a penalty of €150 per day of delay at the end of a period of 2 months following the notification of the decision. The CNIL also ordered the municipality to put a message on their official website for 4 days, informing the users of said decision.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details. 

Deliberation of restricted training no SAN-2023-018 of December 12, 2023 concerning the municipality of KOUROU

The National Commission for Information Technology and Freedoms, gathered in its restricted formation composed of Mr. Philippe-Pierre CABOURDIN, vice-president, Ms. Isabelle LATOURNARIE-WILLEMS and Christine MAUGÜÉ; MM. Alain DRU and Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Having regard to Decree No. 2019-536 of May 29, 2019 as amended taken for the application of Law No. 78-17 of January 6, 1978 relating to computing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Having regard to the decision of the President of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated August 28, 2023;

Having regard to the report of Mrs. Valérie PEUGEOT, commissioner rapporteur, notified to the municipality of KOUROU on September 11, 2023;

Considering the closure of the instruction notified to the municipality on October 23, 2023;

Considering the other documents in the file;

During the restricted training session on November 30, 2023:

- Was present, Madame Valérie PEUGEOT, commissioner, heard in her report;

- The representatives of the commune of KOUROU […] who were regularly summoned were absent.

The restricted formation adopted the following deliberation:

I. Facts and procedure

1. The commune of KOUROU (hereinafter "the commune"), is a territorial collectivity of 25,000 inhabitants, located in the single territorial collectivity of Guyana, whose town hall is located at 30 avenue des Roches in Kourou (97310).

2. By letter of June 2, 2021, within the framework of the missions defined in article 8 of law n°78-17 of January 6, 1978 as amended relating to computing, files and freedoms, the President of the Commission National Data Protection Authority (hereinafter "the CNIL" or "the Commission") alerted the municipality of KOUROU to the absence of appointment of a data protection delegate (or "DPD") in her breast.

3. This letter received no response from the municipality of KOUROU (hereinafter “the municipality”).

4. On April 25, 2022, the President of the CNIL gave formal notice to the municipality, within four months of notification of this decision and subject to the measures that it could have already adopted, to proceed with the appointment of a DPO. This decision, made public after deliberation by the CNIL office on May 5, 2022, was notified to the municipality on May 19, 2022 by registered letter with acknowledgment of receipt.

5. This formal notice remained without response from the municipality which did not designate a DPO.

6. As part of a simplified sanction procedure, the president of the restricted body pronounced, by decision of February 8, 2023, a fine against the municipality in the amount of five thousand euros for the breaches of the articles 31 and 37-1-a) of the GDPR and an injunction to appoint a data protection officer within three months following notification of the said decision, which took place on February 25, 2023.

7. In the absence of a response from the municipality and the appointment of a DPO, the president of the Commission, on August 28, 2023, appointed Ms. Valérie PEUGEOT as rapporteur on the basis of article 39 of decree no. °2019-536 of May 29, 2019 amended.

8. At the end of her investigation, the rapporteur, on September 13, 2023, notified the municipality of a report detailing the breaches of articles 37-1-a) and 31 of the general data protection regulations (hereinafter after “GDPR”) which it considered constituted in this case. It proposed to the restricted panel to issue a call to order and an injunction to appoint a data protection delegate accompanied by a penalty of one hundred and fifty euros per day of delay at the end of a period of two months following notification of the deliberation and that this decision is made public.

9. By letter dated October 19, 2023, the rapporteur informed the municipality that the investigation was closed, in application of article 40, III, of amended decree no. 2019-536 of May 29, 2019.

10. By letter of October 20, 2023, the municipality was informed that the file was registered at the restricted training session of November 16, 2023.

11. By letter dated November 9, 2023, the municipality was informed that the file was postponed to the restricted training session on November 30, 2023.

12. The rapporteur was heard during the session of the restricted training on November 30, 2023. The restricted training noted the absence of the municipality which was neither present nor represented.

II. Reasons for decision

A. On the failure to fulfill the obligation to appoint a data protection officer pursuant to Article 37(1)(a) of the GDPR

13. In law, Article 37, paragraph 1, a) of the GDPR provides that “The controller and the processor shall in any case appoint a data protection officer when: a) the processing is carried out by a public authority or a public body, with the exception of courts acting in the exercise of their jurisdictional function […]".

14. The restricted training recalls the importance of the role of the data protection delegate, which has become mandatory within public authorities and bodies since the entry into force on May 25, 2018 of Regulation (EU) 2016/679 of the European Parliament and the Council of April 27, 2016 relating to the protection of individuals with regard to the processing of personal data and the free movement of this data. The designation of a data protection officer is essential to ensure that organizations comply with the provisions of the GDPR.

15. The restricted training notes that public authorities responsible for public service missions process numerous personal data (data of citizens, public officials and elected officials), some of which are sensitive data and must take particular care to protect them. protection in a context of increasing computer attacks against public bodies.

16. The data protection officer is responsible, in accordance with Article 39 of the GDPR, in particular for informing and advising the data controller on the obligations incumbent on him, monitoring compliance with the GDPR by carrying out the analysis and verification of processing activities and acting as the point of contact for the supervisory authority on matters relating to processing. In addition, the data protection officer also constitutes the point of contact for the persons concerned, in particular the citizens, regarding questions relating to the processing of their personal data and the exercise of the rights conferred on them by the regulation in accordance with in article 38-4 of the GDPR.

17. In the present case, it appears from the investigation that the municipality did not appoint a data protection delegate even though it had been required to do so since May 25, 2018.

18. Consequently, the aforementioned facts constitute a breach of article 37-1-a) of the GDPR.

B. On the failure to comply with the obligation to cooperate with the services of the CNIL in application of article 31 of the GDPR

19. In law, Article 31 of the GDPR provides that "the controller and the subcontractor as well as, where applicable, their representatives cooperate with the supervisory authority, at the latter's request, in the execution of its missions.

20. In this case, the restricted panel notes that the municipality did not respond to the letter from the President of the CNIL of June 2, 2021 inviting it to appoint a data protection delegate, nor did it did not respond to the formal notice of April 25, 2022 and to the decision of the president of the restricted panel of February 8, 2023 ordering him to appoint a data protection delegate within three months following notification of his decision occurred on February 25, 2023.

21. Thus, the restricted panel considers that the municipality of Kourou, by refraining from responding to all correspondence from the CNIL, failed to comply with the obligation provided for in Article 31 of the Regulation.

III. On corrective measures and their publicity

22. Under the terms of III of article 20 of the law of January 6, 1978 as amended:

23. "When the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Liberties may also, where applicable after having sent him the warning provided for in I of this article or, where applicable in addition to a formal notice provided for in II, refer the matter to the restricted formation of the commission with a view to pronouncement, after procedure contradictory, of one or more of the following measures: […]

2° An injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or this law or to satisfy requests presented by the data subject with a view to exercising their rights, which may be accompanied, except in cases where the processing is implemented by the State, with a penalty the amount of which cannot exceed €100,000 per day of delay from the date set by the restricted body; […]

7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the global annual turnover total of the previous financial year, the highest amount being retained. In the hypotheses mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted panel takes into account, in determining the amount of the fine, the criteria specified in the same article 83.

24. Article 83 of the GDPR provides that "Each supervisory authority shall ensure that administrative fines imposed under this article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account when deciding whether to impose an administrative fine and when deciding the amount of this fine.

25. In 2021, the overall closing result of the administrative account of the main budget of the municipality was in deficit of 13,094,989.01 euros. In 2022, its main budget was proposed by the regional audit chamber of Guyana with a deficit of 3,570,006 euros.

26. The restricted panel considers that, in the present case, the aforementioned breaches justify the imposition of an administrative fine and an injunction to appoint a data protection officer against the municipality.

A. On the imposition of an administrative fine

27. The restricted committee recalls that it must take into account, when issuing an administrative fine, the criteria specified in Article 83 of the GDPR, such as the nature, seriousness and duration of the violation, the measures taken by the controller to mitigate the damage suffered by data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the violation.

28. Restricted training highlights the central role of the data protection officer, the cornerstone of the liability regime, who facilitates compliance with the rules, acts as an intermediary between those administered and a public community and thus reinforces the trust placed in organizations public.

29. Given the nature of the organization concerned, a municipality of more than 16,000 inhabitants which carries out public service missions, the restricted training considers it necessary to raise awareness in the municipality of the essential protection of the personal data that it processes as part of its missions by appointing a data protection delegate.

30. The restricted panel considers that the continued absence of appointment of a data protection delegate by the municipality demonstrates a disregard for the obligations weighing on it in terms of the protection of personal data, and this, especially since this designation should have taken place upon the implementation of the GDPR on May 25, 2018.

31. The restricted panel emphasizes that this breach continued despite the various procedures initiated by the CNIL against the municipality.

32. Thus, the restricted formation notes that, despite the various corrective measures taken by the CNIL, namely a formal notice from its president to remedy this breach then a sanction from the president of the restricted formation accompanied by an administrative fine of five thousand (5,000) euros, the municipality has not taken the necessary measures to ensure compliance, despite the specific injunctions which had been addressed to it.

33. In addition, the municipality failed in its obligation to cooperate with the CNIL through the absence of any response.

34. Also, the restricted panel considers that the imposition of a fine against the municipality is justified by the persistence of the shortcomings relating to the absence of appointment of a data protection delegate and the lack of cooperation since the decision of February 8, 2023 rendered by the president of the restricted formation.

35. Furthermore, the restricted panel emphasizes that the acts sanctioned would be likely to cause a sufficiently serious attack on the provisions whose mission the CNIL is responsible for ensuring the application of and thus constitute a criminal offense in application of 2° of the article 226-22-2 of the penal code.

36. Consequently, the restricted panel considers that these breaches justify an administrative fine being imposed.

37. Regarding the amount of the fine, taking into account the activity of the organization which is a local authority and its financial situation, the restricted panel considers that the imposition of an administrative fine of 5,000 euros appears justified.

B. On the issuance of an injunction accompanied by a penalty

38. Firstly, the restricted committee notes that the municipality has still not appointed a data protection delegate.

39. Given the persistence of the breach noted in connection with the appointment of a data protection delegate, the restricted panel considers it necessary to issue an injunction so that the municipality complies with its obligations.

40. Secondly, the restricted training emphasizes that a daily penalty is a financial penalty per day of delay that the data controller will have to pay in the event of non-compliance with the injunction at the end of the planned execution period. .

41. The restricted panel adds that in order to preserve the penalty's custodial function, its amount must be both proportionate to the seriousness of the alleged breaches but also adapted to the financial capacities of the data controller.

42. In view of these elements, the restricted panel considers proportionate the imposition of a penalty of 150 euros per day of delay and payable after a period of two months.

C. On the publicity of the decision

43. Finally, the restricted panel considers it necessary for its decision to be made public in view of the seriousness of the breaches and their persistence.

44. She emphasizes that the protection of personal data by public authorities is all the more important as they process a considerable number of data, some of which are sensitive. In addition, cybersecurity issues, particularly in view of the increase in attacks against the information systems of these entities, highlight the importance of the role of the data protection delegate within public authorities.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

• pronounce against the municipality of KOUROU an administrative fine in the amount of five thousand (5,000) euros with regard to the breaches constituted in articles 31 and 37 of regulation (EU) no. 2016/679 of April 27, 2016 relating to data protection;

• issue an injunction against the municipality of KOUROU to appoint a data protection delegate accompanied by a penalty of one hundred and fifty (150) euros per day of delay after a period of two months following notification of the deliberation of the restricted panel;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the municipality of KOUROU by name at the expiration of a period of one year from its publication;

• order the municipality to publish, on the official website of the municipality of KOUROU accessible at the address https://www.ville-kourou.fr/, an information message intended for its users regarding this decision restricted training;

The publication of this press release will be carried out according to the following methods:

- The inserted insert will faithfully reproduce the following text: "Press release: the restricted formation of the National Commission for Information Technology and Liberties has pronounced a fine of 5,000 euros against the commune of Kourou and an injunction to appoint a delegate to the data protection with a fine of 150 euros per day of return within two months after notification of the decision for failure to appoint a data protection officer and the obligation to cooperate with the CNIL services. Decision accessible at the following address: https://www.cnil.fr/fr/sanction-kourou"

- The text https://www.cnil.fr/fr/sanction-kourou will include a hypertext pointer that can be activated by the user

- The press release will appear in a specific insert located on the page accessible at the address https://www.ville-kourou.fr/. This insert will be inserted under the banner containing the buttons "town hall; city policy; town planning; education; culture, sports, partners"

- The published text will be framed according to the style used by the town hall on its site in the font identical to that used called "montserrat" and whose size cannot be less than 14 pixels

- Publication is ordered for a period of 4 days from 12:00 p.m., Paris time (France), on the seventh day following notification of this deliberation

- At the end of the period mentioned above, the municipality will remove the text from the insert.

The vice president

Philippe-Pierre CABOURDIN

This decision may be the subject of an appeal before the Council of State within three months of its notification.
Retrieved from "https://gdprhub.eu/index.php?title=CNIL_(France)_-_SAN-2023-018&oldid=39413"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki