Commune de KOUROU (Municipality of KOUROU) – €5,000 Fine (France, 2023)

On 2 June 2021, the French DPA (“CNIL”) informed a French municipality (“the controller”) that they had not named a DPO. The municipality did not respond, therefore on 25 April 2022, the CNIL gave formal notice to the municipality to designate a DPO within four months of this notice. The controller neither replied to the DPA, nor complied with its requests. The French DPA started a sanctioning procedure against the controller on 8 February 2023. Firstly, Article 37(1)(a) GDPR establishes that the controller shall designate a DPO when the processing is carried out by a public authority or body. This article applies to the municipality and the DPA reiterated the importance of a DPO in order to ensure compliance with said article, especially within public authorities who process large amounts of personal data, some of which is sensitive data. The CNIL found that the municipality did not designate a DPO and therefore failed to comply with Article 37(1)(a) GDPR. Secondly, Article 31 GDPR states that the controller should cooperate within the DPA in the performance of its tasks. The CNIL noted that the municipality did not respond to the different letters, formal notices and decisions addressed to it by the DPA, thus failing to comply with Article 31 GDPR. The DPA fined the municipality €5,000 and ordered the controller to appoint a DPO with a penalty of €150 per day of delay at the end of a period of 2 months following the notification of the decision. The CNIL also ordered the municipality to put a message on their official website for 4 days, informing the users of said decision.