News

πŸ‡«πŸ‡· Collection form and Processing register

Tools & Documentation, Legal basis | 28/03/2025

πŸ“… December 29, 2023 – CNIL Sanction
πŸ’Έ €75,000 fine imposed on a data broker
πŸ“„ Reference: SAN-2023-025

🎯 Why?

πŸ”Ή Misleading forms: The company collected personal data via game contests... without valid consent!
πŸ‘‰ The appearance of the forms misled participants about the true purpose of the data collection.

πŸ”Ή Lack of a valid legal basis (Art. 6 GDPR):
There was no valid legal basis for collecting prospect data.

πŸ”Ή Shared Processing Register with Another Company (Art. 30 GDPR):
The company implemented a register of processing activities shared with another company it acquired, for processing activities related to human resources or prospecting.
This register does not specify which company acts as the data controller for the relevant activity.
The data controller must be clearly identified!

πŸ“’ What the CNIL ordered:
βœ… Update game contests to ensure clear, freely given, and informed consent
βœ… Comply with documentation requirements for data processing

πŸ“Œ Key takeaway:
πŸ” Transparency, traceability, and lawfulness are pillars of the GDPR. An attractive form is good — but a compliant form is better! πŸ˜‰

Back to news list

Explore all our areas of expertise:

Governance and Strategy Data Quality MDM / PIM Compliance
]]>