News

📋📖 🇫🇷 The CNIL Sanctions Two Small companies for Lack of Processing Activity Records 📋📖 🇫🇷

In 2024, the CNIL (French Data Protection Authority) sanctioned two companies with fewer than 250 employees for failing to maintain a register of processing activities, despite the fact that the data processing involved was not occasional.

❌ Violation Identified:

Violation of Article 30 – Absence of a Register of Processing Activities

• The companies failed to maintain a record of personal data processing activities, a mandatory document that lists all data processing operations.
• This register is essential for ensuring that collected data is adequate, relevant, and limited to the intended purposes.

📋 Why the Register is Important:

The record of processing activities must be written, either in paper or electronic form, and should include:

• Contact details of the data controller and, if applicable, the DPO
• Categories of data processed, purposes, legal bases, retention periods, possible transfers outside the EU
• Stakeholders involved (operational teams, data recipients, etc.) and the security measures in place

🛑 Exceptions for Small Businesses:

Companies with fewer than 250 employees must maintain a register only for:

• Routine processing (e.g., client management, payroll)
• Processing that presents risks to individuals’ rights and freedoms (e.g., video surveillance, GPS tracking)
• Processing of sensitive data (e.g., health, etc.)