News

📅 December 29, 2023 – CNIL Sanction
💸 €75,000 fine imposed on a data broker
📄 Reference: SAN-2023-025

🎯 Why?

🔹 Misleading forms: The company collected personal data via game contests... without valid consent!
👉 The appearance of the forms misled participants about the true purpose of the data collection.

🔹 Lack of a valid legal basis (Art. 6 GDPR):
There was no valid legal basis for collecting prospect data.

🔹 Shared Processing Register with Another Company (Art. 30 GDPR):
The company implemented a register of processing activities shared with another company it acquired, for processing activities related to human resources or prospecting.
This register does not specify which company acts as the data controller for the relevant activity.
The data controller must be clearly identified!

📢 What the CNIL ordered:
✅ Update game contests to ensure clear, freely given, and informed consent
✅ Comply with documentation requirements for data processing

📌 Key takeaway:
🔍 Transparency, traceability, and lawfulness are pillars of the GDPR. An attractive form is good — but a compliant form is better! 😉