top of page

French CNIL fines 200 000 € for infringement of employees privacy

Updated: Nov 1, 2023

The French CNIL has imposed a fine of 200 000 euros on SAF LOGISTICS for collecting too much data from its employees, infringing on their privacy and not having cooperated enough with the CNIL.

SAF LOGITICS is an air freight company whose parent company is located in China. An employee reported to the CNIL that SAF LOGISTICS collected data relating to its employees' private lives, as part of an internal recruitement for a position in the parent company.

Therefore, the CNIL carried out an onsite investigation in order to verify the legality of the form used for the collection of data.

CNIL found four breaches of the GDPR by SAF LOGISTICS:

1) Infringement of the data minimisation (Article 5(1)(c) of the GDPR). Via the form sent to its employees, the company collected a large amount of information on employees' family members, including their identity, contact details, position, employer and marital status. The restricted committee considered that the amount and variety of information collected were too significant, this breach leading to infringing on the employees' private lifes.

2) Infringement of the ban on processing sensitive data (Article 9 of the GDPR).

The CNIL noticed that some of the information required on the form was sensitive data such as blood type, ethnicity and political affiliation. The CNIL restricted committee noted that the company didn't meet any of the conditions provided for by the GDPR (Article 9(2)) to collect this sensitive data.

3) A breach of the ban on processing personal data relating to criminal convictions and offences and related security measures (Article 10 of the GDPR). The restricted committee noticed that the company was keeping extracts from the criminal records of employees working in air freight, even though these employees had already been cleared by the relevant authorities following an administrative inquiry. It considered that the company didn't meet the conditions for reading or keeping its employees' criminal records. Moreover, with respect to employees that were not subject to the clearance procedure, the company could have read their criminal records without keeping them.

4) Infringement of the obligation to cooperate with the CNIL services (Article 31 of the GDPR). When the CNIL asked the company to provide a translation of the form that was written in Chinese, it gave an incomplete translation, in which the fields about ethnicity and political affiliation were missing. Therefore, the CNIL had it translated in order to have all the fields of the form. The restricted committee thus considered that the company intentionally sought to prevent the CNIL from exercising its powers of investigation.

11 views0 comments


bottom of page