One year of sanctions by the CNIL: assessment and points of attention

In 2024, the sanctions pronounced by the CNIL intensified [1]. In a context where the protection of personal data is becoming an increasingly critical issue, the CNIL continued its efforts to ensure compliance with the GDPR and the French Data Protection Act (Loi Informatique et Libertés).

This year also marks the end of the CNIL's 2022-2024 strategic plan [2], during which it adopted its latest priority control themes [3]: the collection of data in the context of the Olympic and Paralympic Games, the protection of minors' data collected online, loyalty programs and digital tickets, and data subjects' right of access.

1. An increase in the number of sanctions, but a decrease in the overall amount

In 2024, the CNIL issued 55 sanctions, compared to 42 in 2023, a figure that has risen steadily in recent years. However, the overall amount of administrative fines has decreased, falling from over 89 million euros in 2023 to approximately 55 million in 2024.

The development of the simplified procedure [4] partly explains this shift: 38 sanctions were issued under this procedure (compared to 24 in 2023). This procedure, capped at a maximum fine of €20,000, has mainly been used against smaller entities such as healthcare professionals, associations and SMEs. The main breaches identified under this procedure are the lack of cooperation with the CNIL and the lack of data security.

2. More diversity of sanctioned actors

  • Public administrations: Several municipalities as well as three ministries have been sanctioned. The Ministry of the Interior and Overseas Territories and the Ministry of Justice were called to order for inappropriate use of public agents' data, in particular concerning the use of the judicial records file (TAJ) [5].
  • Healthcare professionals: The CNIL has sanctioned several practitioners, including dentists, for breaches of patients' right of access to their medical records.
  • Commercial sector: Non-compliant advertising practices, such as commercial prospecting carried out without prior consent [6], were heavily sanctioned in 2024. One of the record sanctions of 2024 perfectly illustrates this reinforced control axis of the CNIL: the fine of 50 million euros imposed on Orange SA [7] last November.

3. A focus on the actors in the healthcare sector

The processing of health data was at the heart of several significant decisions in 2024. Pursuant to Articles 65 et seq. of the French Data Protection Act (Loi Informatique et Libertés), the establishment of a health data warehouse may require prior authorization from the CNIL.

Accordingly, a fine of €800,000 was notably imposed on a company specializing in the production of statistical studies on health data, for failing to obtain this authorization. This breach, detected three times this year, highlights the importance of complying with the CNIL's various recommendations on the protection of health data. These sanction decisions also emphasize how important it is for organizations to document and justify their choices regarding the compliance of the processing operations they implement, particularly when those operations fall outside the scope of a CNIL authorization.

4. List of main deficiencies identified

As in 2023, the main breaches identified by the CNIL (approximately one-third of decisions) relate to:

  • Transparency: Shortcomings in the mandatory prior information and a lack of clarity regarding the purposes of the processing are recurring grounds for sanction.
  • Security of personal data: Failures in encryption, password management and access control have led to numerous penalties across various sectors of activity.
  • Obligation to cooperate with the CNIL: A lack of responsiveness during inspections and the failure to transmit required information have been repeatedly noted by the CNIL.

This year, breaches of the right of access, one of the priority control axes for 2024, were also among the most frequently sanctioned offenses.

5. What lessons should be drawn from this for 2025?

In line with decisions made in previous years, the CNIL primarily imposed sanctions relating to data security, transparency, and cooperation with the authority. 

Strengthen the documentation of your compliance

The CNIL has developed its expertise and control regarding more specific and/or technical breaches, particularly in the field of health data. Entities must now go beyond purely formal compliance by being able to justify their decisions and choices regarding compliance. This implies precise documentation of the choices made, the analyses conducted and the balancing of interests performed. For example, the entities concerned may rely on the upcoming guidelines on transparency and legitimate interest under the GDPR [8], which will detail and illustrate the criteria retained for the use of this legal basis and the obligation to document the prior balancing of interests.

Anticipate the priority control themes

The year 2025 also marks the beginning of the CNIL's new 2025-2028 strategic plan [9], which orients its new priorities towards forward-looking themes such as artificial intelligence, the protection of minors, cybersecurity and everyday digital uses. Although the specific control axes for 2025 have not yet been published, they will necessarily align with the lines of this new plan.

This assessment of an additional year of CNIL sanctions demonstrates that GDPR compliance is constantly evolving and that it is directly integrated with the themes of new European texts, including the AI Act.

In light of the themes announced by the CNIL in its new strategic plan, any entity wishing to develop or use an artificial intelligence system in 2025 must ensure its compliance with the GDPR (and document this compliance), as well as with the applicable new European legislation.

Engage the services of a law firm specializing in GDPR

As a law firm specializing in data protection, we are at your disposal to assist you with all your projects. Whether you are a startup, an SME or a group of companies, our expertise will allow you to navigate smoothly through the complex landscape of regulation and compliance. Do not hesitate to contact us to benefit from personalized advice and secure your digital future.


  1. https://www.cnil.fr/fr/les-sanctions-prononcees-par-la-cnil
  2. https://www.cnil.fr/fr/la-cnil-publie-son-plan-strategique-2022-2024
  3. https://www.cnil.fr/fr/les-controles-de-la-cnil-en-2024-donnees-des-mineurs-jeux-olympiques-droit-dacces-et-tickets-de
  4. https://www.cnil.fr/fr/la-procedure-de-sanction-simplifiee
  5. Deliberation SAN-2024-017 of 17 October 2024
  6. Article L34-5 of the French Postal and Electronic Communications Code (Code des postes et des communications électroniques)
  7. Deliberation SAN-2024-019 of 14 November 2024
  8. https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf
  9. https://www.cnil.fr/sites/cnil/files/2025-01/plan_strategique_cnil_2025-2028.pdf

AUMANS AVOCATS (formerly FOUSSAT AVOCATS & DEROULEZ AVOCATS), AARPI
