📒 Lack of Processing Activities Register

Tools & Documentation | 27/03/2025

🚨 A Micro-Enterprise Fined by the CNIL

Source: SAN 2021-014

In 2021, the restricted formation of the CNIL imposed a fine of €3,000 on a micro-enterprise for several violations, including the absence of a register of processing activities.

🔍 Case Details

This micro-enterprise, a single-person SASU (a simplified joint-stock company), offered an online directory service.
Between March 2018 and May 2019, 16 complaints were filed with the CNIL by individuals listed in this directory without their consent, including company representatives and sole proprietors.

Despite their requests, these individuals were unable to have their data rectified or erased, in violation of Articles 16 (rectification) and 17 (erasure) of the GDPR. The CNIL launched an investigation in response to the complaints.

Findings During the Inspection

  1. Violation of Article 31 - Lack of Cooperation
    • The micro-enterprise failed to adequately respond to the CNIL’s inquiries, demonstrating a lack of transparency and cooperation with the supervisory authority.
  2. Violation of Article 30 - Absence of a Processing Activities Register
    • The company did not maintain a register of processing activities, a mandatory document that lists all data processing activities.
    • This register is crucial for ensuring that collected data is adequate, relevant, and limited to the intended purposes.

📋 Importance of the Processing Activities Register

The processing activities register must be kept in writing, either manually or electronically, and should include:

  • The contact details of the data controller, subcontractors, and DPO (if applicable).
  • Categories of processed data, purposes, legal bases, retention periods, and any transfers outside the EU.
  • Stakeholders (operational teams, data recipients, etc.) and the security measures in place.

Exceptions for Small Businesses

Companies with fewer than 250 employees are required to maintain a register only for:

  • Regular processing activities (e.g., customer and payroll management).
  • Processing that involves risks to individual rights and freedoms (e.g., surveillance, GPS tracking).
  • Processing of sensitive data (e.g., health).

📌 Consequences

  • Administrative Fine: €3,000
  • Reputational Damage: Non-compliance with GDPR obligations harms the company’s credibility.
  • Injunction to Achieve Compliance: The CNIL ordered the company to address its shortcomings.

🔧 Best Practices for GDPR Compliance

  • Maintain an Up-to-Date Register: Even small businesses must document sensitive or regular data processing activities.
  • Cooperate with the CNIL: Provide clear answers and fully cooperate during inspections.
  • Respect Individual Rights: Implement efficient processes to rectify or erase personal data upon request.

This case highlights the importance of documentation and adherence to GDPR obligations, even for micro-enterprises.
