News

🚨 EXCESSIVE DATA COLLECTION • SENSITIVE DATA • LACK OF COOPERATION
📅 SAN 2023-013 – September 18, 2023
💸 €200,000 fine imposed on S__ LOGISTIC (air freight company, Chinese parent company)

📌 Why?
The CNIL sanctioned an air freight company for several serious violations of the GDPR, particularly regarding employee privacy and lack of cooperation with the authority.

🔍 Key Violations Identified:
1️⃣ Excessive data collection (Art. 5-1(c) GDPR)
➡️ An HR form requested detailed information about employees’ family members (identity, job title, employer…), beyond what was necessary.

2️⃣ Unlawful processing of sensitive data (Art. 9 GDPR)
➡️ Collection of blood type, ethnic origin, and political affiliation — strictly prohibited unless an exception applies.

3️⃣ Collection of criminal record data (Art. 10 GDPR)
➡️ Retention of criminal record extracts, even though only clearance certificates were required.

4️⃣ Lack of cooperation with the CNIL (Art. 31 GDPR)
➡️ Incomplete and unclear responses to the authority's requests.

⚠️ Consequences:
• Violation of employee privacy
• Damaged corporate image
• Immediate obligation to become GDPR compliant

🔐 Compliance with the principles of data minimization and prohibitions on sensitive data processing is not optional, especially when it comes to personal data.