France
FRANCE TRAVAIL
5,000,000 €
GDPR enforcement action by French Data Protection Authority (CNIL) on 2026-01-22.
Rank · Sector
#1
of 357 in Public Sector and Education
Rank · France
#14
of 74
Rank · All fines
#75
of 3,050
Case details
- Authority
- French Data Protection Authority (CNIL)
- Date
- 2026-01-22
- Controller / Processor
- FRANCE TRAVAIL
- Sector
- Public Sector and Education
- Quoted Articles
- Art. 32 GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The French DPA has imposed a fine of EUR 5,000,000 on FRANCE TRAVAIL. The controller suffered a successful cyber attack due to insufficient technical and organisational measures, resulting in the leak of personal and special category data concerning 38,820,828 individuals. The attack was carried out using the 'social engineering' method, meaning that the attacker obtained goods or information by exploiting the trust, ignorance or credulity of third parties.
Open original source
Links to the regulator's original publication or another source.
Related fines
France
2025-09-01
200,000,000 €
ETid-2862
GOOGLE LLC
Media, Telecoms and Broadcasting
France
2025-09-01
150,000,000 €
ETid-2864
INFINITE STYLES SERVICES CO. LIMITED
Industry and Commerce
France
2025-09-01
125,000,000 €
ETid-2863
GOOGLE IRELAND LIMITED
Media, Telecoms and Broadcasting
France
2021-12-31
90,000,000 €
ETid-978
Google LLC
Media, Telecoms and Broadcasting
France
2021-12-31
60,000,000 €
ETid-979
Google Ireland Ltd.
Media, Telecoms and Broadcasting
France
2021-12-31
60,000,000 €
ETid-980
Facebook Ireland Ltd.
Media, Telecoms and Broadcasting