Following an investigation, the French Data Protection Authority, the CNIL, has imposed a significant fine for data protection breaches on a luxury car rental company. The fine of €5000 was imposed for the use of an unlawful GPS tracking system on rented cars. The CNIL found the fine justified because, among other things, the tracking system had not been registered with the CNIL; there was no evidence that customers were aware of its use; it was disproportionate, collecting data on a 24/7 basis rather than only in the event of theft or failure to return the car; and access to the data had not been adequately secured (the password had not been changed for two years).
In addition, the CNIL has imposed a fine of €3000 on the Fédération Française d’Athlétisme for data breaches around the publication of sports results. The CNIL found that the Fédération had failed to give non-licensed athletes proper notice that their individual results, achieved in their particular sports event, would be published on the official Fédération Française d’Athlétisme website, even though giving such notice would not have required disproportionate effort. The CNIL also found that the Fédération had failed to implement sufficiently robust security measures to ensure that the personal data it processed remained confidential.
The CNIL does not automatically publish details of all of the fines it imposes. Publication of a fine is used by the CNIL as an additional sanction.
For information about any aspect of data protection law in France, please feel free to call Stéphanie Faber.