France
SAF LOGISTICS
GDPR enforcement action by French Data Protection Authority (CNIL) on 2023-09-18.
Case details
- Authority
- French Data Protection Authority (CNIL)
- Date
- 2023-09-18
- Controller / Processor
- SAF LOGISTICS
- Sector
- Employment
- Quoted Articles
- Art. 5 (1) c) GDPR, Art. 9 GDPR, Art. 10 GDPR, Art. 31 GDPR
- Type of violation
- Non-compliance with general data processing principles
Summary
The French DPA has fined SAF LOGISTICS EUR 200,000. An employee reported to the DPA that the controller had collected data on the private lives of its employees.
During its investigation, the DPA found that the controller had collected a large amount of information about employees' family members, including their identity, contact details, position, employer and marital status, via a form sent to employees. The DPA considered this to be a violation of the employees' privacy.
In addition, the forms requested information on blood type, ethnicity, and political affiliation. The DPA found that the controller had no legal basis for processing such sensitive data.
The DPA also found that the controller had been storing extracts from the criminal records of employees who had already been cleared by the relevant authorities following an administrative investigation. Accordingly, the DPA no longer saw a reason for the retention.
The DPA also requested the controller to provide a translation of the form written in Chinese. However, the controller only provided an incomplete translation.
Related fines