Régie autonome des transports parisiens – €400,000 Fine (France, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
France's data protection authority fined the Paris public transport operator RATP €400,000 for improperly handling employee data. RATP used strike day information in staff evaluations and kept employee data longer than necessary. This case highlights the importance of using only necessary data and protecting employee privacy.
What happened
RATP used employee strike day information in promotion evaluations and retained data longer than needed.
Who was affected
RATP employees whose strike days and other personal data were improperly used and retained.
What the authority found
The CNIL found RATP violated GDPR by using unnecessary employee data and failing to protect it adequately.
Why this matters
This ruling emphasizes that companies must limit data use to what's necessary and protect employee information. Businesses should review their data handling practices to avoid similar penalties.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The French DPA (CNIL) imposed a fine of EUR 400,000 on RATP (the operator of the public transport system in Paris). In May 2020, a trade union filed a complaint with the CNIL alleging that the number of strike days exercised by staff was included in files used to prepare promotion decisions. The CNIL then conducted investigations in several RATP bus centers. These led to confirmation of this practice in three RATP bus centers. The CNIL indicated that files for evaluating performance and promotion prospects should only contain data necessary for evaluating employees. In particular, it was sufficient to indicate the total number of days of absence without the need to go into detail and distinguish the days associated with the exercise of the right to strike. It found that the use of data on the number of days staff members were on strike was not necessary for these purposes, and that the RATP thus violated the principle of data minimization set forth in Article 5 (1) (c) GDPR. In addition, the DPA found that the RATP had excessively retained many of its employees' data. Indeed, the RATP kept files on the evaluation of staff members for more than three years after the promotion commission, although their retention was only required for 18 months after the holding of these commissions. Further, CNIL found that RATP did not adequately differentiate between staff authorization levels, allowing more staff than necessary to access certain data. For this reason, CNIL concluded that RATP failed in its duty to implement appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.
Related Enforcement Actions (0)
No other enforcement actions found for Régie autonome des transports parisiens in FR
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
4 November 2021
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€400,000
Enforcement Tracker ID
ETid-910
About this data
Cite as: Cookie Fines. Régie autonome des transports parisiens - France (2021). Retrieved from cookiefines.eu