RATP – €400,000 Fine (France, 2021)

€400,000 | Commission Nationale de l'Informatique et des Libertés | 29 October 2021 | France
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

France's data protection authority fined RATP EUR 400,000 for improperly using strike data in career advancement files. This matters because it shows that companies must only collect and use data necessary for their purposes. RATP also failed to secure and limit the storage of personal data.

What happened

RATP was fined for using strike data inappropriately and failing to secure and properly limit the storage of personal data.

Who was affected

RATP employees whose strike participation data was used in career advancement procedures were affected.

What the authority found

The CNIL found RATP violated GDPR by processing unnecessary strike data and failing to secure and limit data storage.

Why this matters

This case emphasizes the importance of data minimization and security. Companies should ensure they only collect necessary data and protect it adequately to avoid hefty fines.

GDPR Articles Cited

AI-verified

Art. 32 GDPR
Art. 5(1)(c) GDPR
Art. 5(1)(e) GDPR
Art. 5(2) GDPR

Source verified 6 March 2026
verified correct
Full Legal Summary
Detailed

The CNIL received a complaint from several unions in May 2020 regarding the collection and storage of data on the number of days that RATP's agents had been on strike. These data were kept in files normally used for career advancement procedures. The RATP recognized that four bus transport units were concerned by this practice. The investigation conducted by the CNIL confirmed that this practice had been commonplace in at least three bus transport units of the RATP. During the investigation, the CNIL also found other breaches regarding storage limitation and data security.

The CNIL held that it was unlawful to process information on the number of days an agent had been on strike in the context of career advancement procedures because such information was unnecessary for the purpose of the processing. In particular, the RATP should have limited such information to the number of days of absence of each agent, regardless of the reason behind such absence(s). As a consequence, the CNIL found that the RATP had been processing these data in breach of the principle of data minimization (Article 5(1)(c) GDPR).

The investigation also revealed other breaches with respect to the principle of storage limitation (Article 5(1)(e) GDPR). The app used to monitor the work of RATP's agents was storing personal data for an excessive period of time. Moreover, agents' files were kept for more than three years after the commission on career advancement had taken a decision. In the opinion of the CNIL, the RATP should have kept such files for 18 months maximum.

Finally, the investigation also revealed severe security flaws. In particular, it was found that authorized agents could access an excessive amount of data (including human resources files) regardless of their role, from all bus transport units, and could also extract all the data from the app, without any restriction. Because of this, the CNIL considered that the RATP had violated Article 32 GDPR. Taking into acco

Related Enforcement Actions (0)

No other enforcement actions found for RATP in FR

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

29 October 2021

Authority

Commission Nationale de l'Informatique et des Libertés

Fine Amount

€400,000

GDPRhub ID

gdprhub-4329

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. RATP - France (2021). Retrieved from cookiefines.eu
