FRANCE TRAVAIL – €5,000,000 Fine (France, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
FRANCE TRAVAIL (the controller), a public national institution managing employment data on behalf of the State, suffered a data breach in which attackers accessed its system using legitimate employee accounts. The breach resulted in the extraction of 25 GB of data, including sensitive personal data such as health information, disability status, NIR numbers, and other identifying information of millions of job seekers. The French Data Protection Authority (CNIL) then initiated an ex officio investigation. CNIL held that the controller failed to comply with Article 32 GDPR due to gross negligence in securing personal data. It imposed an administrative fine of €5,000,000, issued an injunction requiring the controller to justify implementation of robust password policies, multi-factor authentication, and effective monitoring of activity logs, and attached a penalty of €5,000 per day for non-compliance. CNIL emphasized that the controller had previously been warned about the need to implement effective logging and trace analysis systems, but had failed to take adequate action. This prior warning, combined with the scale and nature of the breach, led the CNIL to conclude that the organization's failure constituted gross negligence under Article 32 of the GDPR. The controller argued that its information system was highly complex and that, as a public administrative institution, imposing a fine would be disproportionate and could negatively affect its budget and operations. However, CNIL held that the controller was responsible for the processing because it acted on behalf of the State, not as the State itself, and retained financial and operational autonomy.
GDPR Articles Cited
Related Enforcement Actions (1)
Other enforcement actions involving FRANCE TRAVAIL in FR
Details
Fine Date
22 January 2026
Authority
Commission Nationale de l'Informatique et des Libertés
Fine Amount
€5,000,000
GDPRhub ID
gdprhub-9780
Cite as: Cookie Fines. FRANCE TRAVAIL - France (2026). Retrieved from cookiefines.eu
Last updated: