CNIL (France) – SAN–2026-003

4 February 2026

{{DPAdecisionBOX

|Jurisdiction=France
|DPA-BG-Color=
|DPAlogo=LogoFR.png
|DPA_Abbrevation=CNIL
|DPA_With_Country=CNIL (France)

|Case_Number_Name=SAN–2026-003
|ECLI=

|Original_Source_Name_1=CNIL
|Original_Source_Link_1=https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000053408671?page=1&pageSize=10&query=2016%252F679&searchField=ALL&searchType=ALL&sortValue=DATE_DECISION_DESC&tab_selection=cnil&typePagination=DEFAULT
|Original_Source_Language_1=French
|Original_Source_Language__Code_1=FR
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=

|Type=Investigation
|Outcome=Violation Found
|Date_Started=
|Date_Decided=22.01.2026
|Date_Published=29.01.2026
|Year=2026
|Fine=5,000,000
|Currency=EUR

|GDPR_Article_1=Article 32 GDPR
|GDPR_Article_Link_1=Article 32 GDPR
|GDPR_Article_2=
|GDPR_Article_Link_2=
|GDPR_Article_3=
|GDPR_Article_Link_3=

|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=

|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=

|Party_Name_1=FRANCE TRAVAIL
|Party_Link_1=https://www.francetravail.fr/accueil/
|Party_Name_2=
|Party_Link_2=
|Party_Name_3=
|Party_Link_3=

|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=Unknown
|Appeal_To_Link=

|Initial_Contributor=xz
|
}}

The DPA held that a public national institution failed to implement appropriate technical and organizational measures under [[Article 32 GDPR]], leading to a serious data breach, and imposed a €5,000,000 fine, an injunction to strengthen security and access controls, and a daily penalty of €5,000 for non-compliance.

== English Summary ==

=== Facts ===
FRANCE TRAVAIL (the controller), the French public employment agency, is a public administrative institution acting on behalf of the State with its own financial autonomy. Between 6 February and 5 March 2024 attackers used social engineering to take over legitimate accounts of CAP EMPLOI advisors (partner organisations that access the controller's information system as joint controllers): they obtained password resets from the IT support provider by posing as CAP EMPLOI employees, then phoned the advisors posing as IT support to hand them the new password. With these accounts they queried the controller's database without geographical limitation and exfiltrated about 25 GB of data concerning 36,820,828 people (identity data, date of birth, NIR, contact details and job-seeker status) to external hosting platforms. The information system concerned also holds health and disability data of job seekers. The abnormal activity was first detected on 29 February 2024 but only acted upon on 4 March 2024.

FRANCE TRAVAIL notified the breach to the French Data Protection Authority (CNIL) on 8 March 2024 and completed the notification on 15 May 2024. The CNIL carried out an on-site inspection from 13 March 2024 and subsequently opened a sanction procedure before its restricted committee.

=== Holding ===
The CNIL held that the controller failed to comply with [[Article 32 GDPR]] by not ensuring a level of security appropriate to the risk. It imposed an administrative fine of €5,000,000 and an injunction requiring the controller to demonstrate that it had implemented a robust password and account-lockout policy, multi-factor authentication and effective monitoring of activity logs, subject to a penalty of €5,000 per day of delay.

CNIL emphasized that the controller had been previously warned about the need to implement effective logging and trace analysis systems, but failed to take adequate action. This prior warning, combined with the scale and nature of the breach, led the CNIL to conclude that the organization’s failure constituted gross negligence under Article 32 of the GDPR.

The controller argued that its information system was highly complex and that, as a public administrative institution, a fine would be disproportionate and could negatively affect its budget and operations. The CNIL rejected this: the controller acted on behalf of the State rather than as the State itself, retained financial and operational autonomy, and therefore remained responsible for the processing.

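
The password and lockout parameters at issue in the decision (paragraphs 52 to 59 of the deliberation: 8-character passwords drawn from 3 character classes, renewal every 90 days, lockout only after 50 failed attempts, against the CNIL recommendation of at most 10 attempts within a given period and a progressively increasing delay) can be made concrete with a small simulation. The Python module below is an added example written for this page; it is not code from the CNIL, from FRANCE TRAVAIL or from the decision. It computes the entropy of the password policies the decision mentions (using the 37-character special-character set the recommendation cites), then simulates an online guessing attack against one account and a password-spraying attack across many accounts, the latter being the technique the operator said it had defences against. It goes one step beyond the decision by adding a per-source limiter, since a per-account threshold alone does nothing against spraying. The account names, the attacker address 203.0.113.7, the timings and the thresholds (600 s windows, 300 s base suspension, 20 failures per source) are constructed assumptions.

```python
"""Added example (not from the CNIL decision or FRANCE TRAVAIL): password-policy entropy and lockout simulation."""
import math
from collections import defaultdict, deque

# Character-class sizes; 37 special characters is the figure the decision cites.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 37}


def policy_entropy_bits(min_length, classes):
    """Bits of a uniformly random password of min_length chars from the union of classes."""
    alphabet = sum(CLASS_SIZES[c] for c in set(classes))
    return min_length * math.log2(alphabet)


class AccountLockout:
    """Per-account restriction: lock after max_failures failed logins within window_s
    seconds; each new lockout doubles the suspension (the increasing delay the CNIL describes)."""

    def __init__(self, max_failures, window_s, base_suspension_s):
        self.max_failures, self.window_s = max_failures, window_s
        self.base_suspension_s = base_suspension_s
        self._failures = defaultdict(deque)  # account -> recent failure times
        self._locked_until = {}              # account -> when the lock expires
        self._lockouts = defaultdict(int)    # account -> lockouts so far

    def is_locked(self, account, now):
        return self._locked_until.get(account, 0.0) > now

    def record_failure(self, account, now):
        """Record one failed login; return True if this failure locked the account."""
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) < self.max_failures:
            return False
        self._lockouts[account] += 1
        suspension = self.base_suspension_s * 2 ** (self._lockouts[account] - 1)
        self._locked_until[account] = now + suspension
        recent.clear()
        return True


class SourceRateLimit:
    """Per-source restriction (client IP or device) counting failures across all accounts,
    so one source spraying one password over many accounts is stopped."""

    def __init__(self, max_failures, window_s):
        self.max_failures, self.window_s = max_failures, window_s
        self._failures = defaultdict(deque)

    def allow(self, source, now):
        recent = self._failures[source]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        return len(recent) < self.max_failures

    def record_failure(self, source, now):
        self._failures[source].append(now)


def simulate_guessing(lockout, account, n_attempts, interval_s=1.0):
    """Online guessing of one account, one wrong guess every interval_s seconds.
    Returns (evaluated, rejected): guesses that reached the password check vs. refused while locked."""
    evaluated = rejected = 0
    for i in range(n_attempts):
        now = i * interval_s
        if lockout.is_locked(account, now):
            rejected += 1
            continue
        evaluated += 1
        lockout.record_failure(account, now)
    return evaluated, rejected


def simulate_spraying(lockout, source_limit, n_accounts, n_passwords, interval_s=0.5):
    """Password spraying from one source: each common password tried once per account.
    Returns how many attempts reached the password check; source_limit may be None."""
    source = "203.0.113.7"  # constructed attacker address (documentation range)
    evaluated, now = 0, 0.0
    for _ in range(n_passwords):
        for a in range(n_accounts):
            account = f"advisor{a:04d}"  # constructed account names
            blocked = lockout.is_locked(account, now) or (
                source_limit is not None and not source_limit.allow(source, now))
            if not blocked:
                evaluated += 1
                lockout.record_failure(account, now)
                if source_limit is not None:
                    source_limit.record_failure(source, now)
            now += interval_s
    return evaluated


if __name__ == "__main__":
    for n, cls in ((8, ("lower", "upper", "digit")), (12, CLASS_SIZES), (14, ("lower", "upper", "digit"))):
        print(f"{n} chars, {len(set(cls))} classes: {policy_entropy_bits(n, cls):.1f} bits")
    for threshold in (50, 10):
        print(f"49 guesses, lock after {threshold}:", simulate_guessing(AccountLockout(threshold, 600, 300), "advisor0001", 49))
    print("spray 5 x 200, per-account lockout only:", simulate_spraying(AccountLockout(10, 600, 300), None, 200, 5))
    print("spray 5 x 200, plus per-source limit:", simulate_spraying(AccountLockout(10, 600, 300), SourceRateLimit(20, 600), 200, 5))
```

The entropy figures show why the recommendation treats the 8-character, 3-class policy as acceptable only when paired with an access restriction: it yields under 50 bits, against roughly 80 bits for the two password-only cases. The guessing simulation shows that a 50-attempt threshold lets every one of 49 guesses reach the password check, while a 10-attempt threshold stops 39 of them. The spraying simulation shows the limit of any per-account threshold: 5 passwords against 200 accounts never trips a lockout, and only counting failures per source catches it.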
== Comment ==
CNIL decided to make the deliberation public, with identification of FRANCE TRAVAIL removed after two years.

== Further Resources ==
”Share blogs or news articles here!”

== English Machine Translation of the Decision ==
The decision below is a machine translation of the French original. Please refer to the French original for more details.

<pre>
Deliberation of the restricted committee no. SAN-2026-003 of 22 January 2026 imposing a financial penalty on the operator FRANCE TRAVAIL

Passages of the deliberation containing personal data or secrets protected by law are replaced by the sign […]

****

The National Commission for Informatics and Freedoms, sitting in its restricted committee composed of Mr Philippe-Pierre CABOURDIN, President, Ms Laurence FRANCESCHINI and Ms Isabelle LATOURNAIE-WILLEMS, Mr Didier KLING and Mr Bertrand DU MARAIS, members,

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

Having regard to Law No. 78-17 of 6 January 1978 relating to data processing, files and freedoms, in particular Articles 20 et seq.;

Having regard to Decree n°2019-536 of 29 May 2019 made for the application of the law n°78-17 of 6 January 1978 relating to data processing, files and freedoms;

Having regard to deliberation n° 2013-175 of 4 July 2013 adopting the rules of procedure of the National Commission for Informatics and Freedoms;

Having regard to Decision No. 2025-1154 QPC of 8 August 2025 of the Constitutional Council;

Having regard to Decision No. 2024-051C of 13 March 2024 of the President of the National Commission for Informatics and Freedoms instructing the Secretary General to carry out, or have carried out, an inspection mission;

Having regard to the decision of 3 July 2025 of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted committee;

Having regard to the report of Mr Fabien TARISSAN, Commissioner-Rapporteur, notified to FRANCE TRAVAIL on 24 July 2025;

Having regard to the written observations of FRANCE TRAVAIL received on 22 September 2025;

Having regard to the rapporteur's reply notified to FRANCE TRAVAIL on 22 October 2025;

Having regard to the written observations of FRANCE TRAVAIL received on 21 November 2025;

Having regard to the closure of the investigation notified to FRANCE TRAVAIL on 2 December 2025;

Having regard to the request for a closed hearing made on 11 December 2025 and refused on 12 December 2025;

Having regard to the oral observations made at the session of the restricted committee of 18 December 2025;

Having regard to the other documents in the file;

The following were present at the session of the restricted committee:

– Mr Fabien TARISSAN, Commissioner, heard in his report;

As representatives of FRANCE TRAVAIL:

– […]

As Government Commissioner:

– Mr Damien MILIC.

The operator FRANCE TRAVAIL having been informed of its right to remain silent on the facts alleged against it and having spoken last;

After deliberating, adopted the following decision:

I. Facts and Procedure

A. Presentation of the operator FRANCE TRAVAIL and the processing implemented

1. The operator FRANCE TRAVAIL (hereinafter “the operator” or “the organisation”), located at Le Cinetic 1-5, 1 avenue du Docteur Gley, Paris (75020), is a public administrative institution placed under the supervision of the Ministry responsible for employment. FRANCE TRAVAIL has financial autonomy.

2. The missions of FRANCE TRAVAIL are defined in Article L. 5312-1 of the Labour Code. In particular, the operator pays benefits to job seekers and supports them in returning to employment, and advises companies on recruitment. Its mission also includes offering support adapted to the needs of persons who have been the subject of a decision recognising the status of disabled worker and of beneficiaries of the employment obligation.

3. FRANCE TRAVAIL carries out this last mission together with the CAP EMPLOI, the specialised placement organisations mentioned in Article L. 5214-3-1 of the Labour Code. There are 98 CAP EMPLOI structures in France, represented before public authorities, economic decision-makers and social partners by the National Council for Disability and Employment of Specialised Placement Organisations (CHEOPS). CAP EMPLOI structures are autonomous, generally established as associations, and independent of FRANCE TRAVAIL. They support about 20% of the people with disabilities registered with FRANCE TRAVAIL.

4. Since 2018, in order to compensate for the fragmentation of support, a unified service offer allows job seekers who have been the subject of a decision recognising the status of disabled worker, and beneficiaries of the employment obligation, to be supported within FRANCE TRAVAIL agencies, whether their referring advisor is a FRANCE TRAVAIL advisor or a CAP EMPLOI advisor.

5. To enable this integrated service offer, a “processing of health data necessary for the appropriate support of job seekers with disabilities” was created by Decree No. 2022-1161 of 16 August 2022 (Articles D. 5312-50 to D. 5312-54 of the Labour Code). This decree authorises the integration of CAP EMPLOI support into the FRANCE TRAVAIL information system. The National Commission for Informatics and Freedoms (hereinafter “the CNIL” or “the Commission”) delivered an opinion on this processing in its deliberation no. 2022-050 of 21 April 2022 (not published).

6. The processing allows the integration into the pre-existing FRANCE TRAVAIL information system (Article R. 5312-38 of the Labour Code) of data enabling the operator FRANCE TRAVAIL and the CAP EMPLOI organisations to carry out the tasks listed in Article D. 5312-50 of the same code. Article D. 5312-51 of the Labour Code provides for joint controllership between the operator FRANCE TRAVAIL and the specialised placement organisations (represented by CHEOPS).

7. The data processed in this context and recorded in the FRANCE TRAVAIL information system concern: the type of disability, the origin of the disability, the needs related to compensating for the disability, the needs related to the person's recovery, the limitations of abilities and the title justifying entitlement to the employment obligation (Article D. 5312-51 of the Labour Code).

8. They are then integrated into the FRANCE TRAVAIL business application named […]. Authorised users of CAP EMPLOI can connect to this tool, […] from a web browser. Approximately 2,300 employees of CAP EMPLOI structures have such access.

9. The tool […] has a feature […] that allows a search to be carried out, according to various criteria, among all the people present in the FRANCE TRAVAIL database […]. The search can be carried out within the region of the connected agent, but also in other regions, without geographical limitation.

B. Notification of personal data breach

10. On Thursday 29 February 2024, abnormal activity was detected on the performance monitoring system of the FRANCE TRAVAIL information system, resulting in partial unavailability of the service and high resource consumption. The alert was noted and acted upon at the end of the day on Monday 4 March 2024, and gave rise to investigations on Tuesday 5 March 2024.

11. The investigations conducted by FRANCE TRAVAIL established an intrusion into its information system. The attack, which took place from Tuesday 6 February to Tuesday 5 March 2024, specifically targeted CAP EMPLOI employee accounts.

12. The attack was carried out using so-called “social engineering” techniques, i.e. techniques consisting of obtaining a good or information by exploiting the trust, ignorance or credulity of third parties (definition of the National Cybersecurity Agency of France (ANSSI)). Having managed to obtain the data needed to reset the password of a CAP EMPLOI advisor account, the attackers requested a reset from the IT support provider while pretending to be CAP EMPLOI employees, and were thus able to take over the accounts. The attackers then contacted the CAP EMPLOI advisors whose accounts they had taken over, posing as IT support, in order to give them their new password. […].

13. The investigations revealed that the attackers accessed the data of […] (usual name, birth name, first name, gender, date of birth, NIR, address, postal code, telephone number, email address, geographical location (region), individual reference, job-seeker status (registered, cancelled or identified), start and end dates of registration) […].

14. FRANCE TRAVAIL stated that the attackers had thus exfiltrated 25 gigabytes (GB) of data concerning 36,820,828 people to external hosting platforms. This corresponds to the data not only of people registered with FRANCE TRAVAIL over the last 20 years, but also of people who are not on the list of job seekers but have a candidate account on the “francetravail.fr” website, which allows them, for example, to consult job offers.

15. On 8 March 2024, FRANCE TRAVAIL notified the data breach to the CNIL; the notification was completed on 15 May 2024.

16. Pursuant to Decision No. 2024-051C of 13 March 2024 of the President of the Commission, a CNIL delegation carried out an on-site inspection of the operator FRANCE TRAVAIL in order to verify compliance with the provisions of Law No. 78-17 of 6 January 1978 as amended relating to data processing, files and freedoms (hereinafter the “Law of 6 January 1978 as amended” or the “Data Protection Act”).

17. This on-the-spot check gave rise to a report n° 2024-051/1 of 21 March 2024.

18. On 2 April and 15 May 2024, FRANCE TRAVAIL provided additional elements requested by the delegation during the on-site check and during the investigations.

19. For the purpose of examining these elements, the President of the Commission appointed Mr Fabien TARISSAN as rapporteur on the basis of Article 22 of the Law of 6 January 1978 as amended.

20. On 24 July 2025, at the end of his investigation, the rapporteur had a report notified to the organisation in which he considered that FRANCE TRAVAIL had committed a breach of Article 32 of the GDPR and proposed that the restricted committee impose on it an administrative fine, as well as an injunction to bring its processing into compliance with the above-mentioned provisions, accompanied by a periodic penalty payment. He also proposed that the decision be made public but that it should no longer be possible to identify the organisation by name at the end of a period of two years from its publication.

21. On 22 September 2025, FRANCE TRAVAIL submitted observations in response to the report.

22. On 22 October 2025, the rapporteur's reply was notified to FRANCE TRAVAIL.

23. On 21 November 2025, FRANCE TRAVAIL sent new observations in response.

24. By letter of 2 December 2025, the rapporteur, pursuant to Article 40, III, of Decree No. 2019-536 of 29 May 2019 adopted for the application of the Data Protection Act, informed the organisation that the investigation was closed.

25. By letter of 2 December 2025, the operator FRANCE TRAVAIL was informed that the case was on the agenda of the session of the restricted committee of 18 December 2025.

26. On 12 December 2025, the President of the restricted committee refused the request for a closed hearing made by FRANCE TRAVAIL in its letter of 11 December 2025. He recalled that the procedure before the restricted committee is a written one and that, if the organisation did not wish to disclose to third parties elements that might prejudice it, it could, at the session, refer to its written observations. He added that the risks of harm to the integrity of the information system and to the agents of FRANCE TRAVAIL were not substantiated as stated.

27. On 18 December 2025, the rapporteur and the organisation presented oral observations at the session of the restricted committee.

II. Reasons for the decision

A. On the responsibility of FRANCE TRAVAIL with regard to the processing in question

28. According to Article 4(7) of the GDPR, the controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law”.

29. Article 26 of the GDPR provides that “where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation […]”.

30. Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted by the European Data Protection Board (EDPB) on 7 July 2021, state that “the existence of joint responsibility does not necessarily imply equal responsibility of the various operators involved in the processing of personal data. On the contrary, the CJEU has clarified that those operators may be involved at different stages of that processing and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case”.

31. The rapporteur considers that FRANCE TRAVAIL is responsible for implementing the appropriate technical and organisational measures for its information system, including where it is made available to its joint controllers, the CAP EMPLOI (represented by CHEOPS). He considers that the CAP EMPLOI are responsible for complying with the rules imposed by FRANCE TRAVAIL for access to this information system.

32. FRANCE TRAVAIL disputes having sole responsibility for implementing these technical and organisational measures and argues that the CAP EMPLOI necessarily play a role in their capacity as joint controllers. The operator adds that the scope of joint responsibility was clearly defined in the various contractual documents, which state that the CAP EMPLOI are responsible for the measures within their own environment that allow them to access the FRANCE TRAVAIL information system.

33. As a preliminary point, the restricted committee notes that joint controllership between the operator FRANCE TRAVAIL and the specialised placement organisations (CAP EMPLOI) is provided for in Article D. 5312-51 of the Labour Code.

34. It also notes that both the above-mentioned Guidelines 07/2020 and the Court of Justice of the European Union (hereinafter the “CJEU”) have held that joint controllership does not necessarily result in equivalent responsibility. The level of responsibility of each party must be assessed taking into account the relevant circumstances of the case (CJEU, 7 March 2024, IAB Europe v Gegevensbeschermingsautoriteit, C-604/22, paragraph 58).

35. In the present case, the restricted committee recalls that the processing in question is a pre-existing processing operation of FRANCE TRAVAIL, into which Decree No. 2022-1161 of 16 August 2022 authorised the integration of data for the support of job seekers benefiting from the employment obligation. To provide this support, CAP EMPLOI advisors connect remotely, […], to the business application […] of the FRANCE TRAVAIL information system.

36. The restricted committee notes that the CAP EMPLOI sign an accession agreement to formalise, in addition to the joint controllership agreement, the conditions of this access. Through this accession, the CAP EMPLOI express “their agreement on the characteristics of the common information system” and undertake to respect, disseminate and apply the instructions communicated by FRANCE TRAVAIL relating to the protection of personal data and the security of its information system.

37. In addition to these commitments, the CAP EMPLOI provide FRANCE TRAVAIL with support in monitoring compliance with these rules, in particular by “facilitating the performance of security audits of Cap emploi workstations and by informing Pôle emploi [FRANCE TRAVAIL] of the difficulties encountered by the Cap emploi”.

38. Secondly, the restricted committee observes that FRANCE TRAVAIL undertakes to “implement the technical security measures for the tools made available to Cap emploi employees” and ensures compliance with the rules on authorisations, data minimisation and personal data protection law. More generally, FRANCE TRAVAIL ensures that the security level of the CAP EMPLOI working environment is sufficiently high, which the operator reserves the right to verify by audits. The restricted committee notes that, in the event of non-conformities in the CAP EMPLOI working environments, the operator FRANCE TRAVAIL may issue recommendations, or even order the disconnection of environments considered insufficiently secure if these non-conformities persist.

39. In addition, the data protection impact assessments (DPIAs) carried out prior to the implementation of the processing in 2022 specify that the rules of the documentary corpus of the FRANCE TRAVAIL information system security policy apply to the processing in question. While FRANCE TRAVAIL maintains that this is “simply a normal measure of good management by France Travail of its own solutions to which it gives access to third parties”, the restricted committee considers that it is clear from this passage and from all the contractual documents provided that the effective deployment of the technical measures ensuring the security of its own information system is the responsibility of FRANCE TRAVAIL.

40. The restricted committee agrees with FRANCE TRAVAIL's argument that “this does not relieve these third parties of their obligations to bring their own environment into compliance with these conditions” and thus recognises the important role that the CAP EMPLOI play in disseminating and applying the security rules. Nevertheless, and regardless of the obligations of the CAP EMPLOI resulting from their joint controllership (see paragraph 33), the restricted committee observes that it is for FRANCE TRAVAIL to take the initiative in deploying and managing the measures ensuring the security of its information system, to which it has opened access for the CAP EMPLOI for the support of job seekers who have been the subject of a decision recognising the status of disabled worker.

41. The restricted committee considers that FRANCE TRAVAIL remains the controller and is primarily responsible for determining the applicable security rules.

B. Failure to comply with the obligation to ensure the security of the personal data processed

1. On the scope of the obligation of FRANCE TRAVAIL with regard to the security of the processing

42. According to Article 24(1) of the GDPR, “taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary”.

43. Article 32(1) of the GDPR provides: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

(a) the pseudonymisation and encryption of personal data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing”.

44. Article 32(2) of the GDPR provides: “In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed”.

45. The rapporteur considers that the level of security provided by a controller must be assessed in the light of the risk of disclosure of, and unauthorised access to, the data processed. In the present case, he points out that the processing includes numerous personal data, including special categories within the meaning of Article 9(1) of the GDPR, as well as data subject to special protection such as the NIR. He considers that FRANCE TRAVAIL committed a breach of Article 32 of the GDPR by not ensuring a sufficiently high level of security of the data for the processing implemented.

46. In defence, FRANCE TRAVAIL argues that, contrary to what the rapporteur puts forward, the alleged vulnerabilities are not the consequence of a failure by FRANCE TRAVAIL to implement measures described as “basic”. On the contrary, FRANCE TRAVAIL maintains that it deployed strong security measures on the component of the joint processing under its control, from the moment the processing was implemented.

47. As a preliminary point, the restricted committee notes that the CJEU held in its judgment “Natsionalna agentsia za prihodite” (14 December 2023, C-340/21, paragraph 47) that the absence of a personal data breach is not sufficient to demonstrate the absence of a failure, nor is the occurrence of a data breach sufficient in itself to establish the existence of a failure. Security failures may be sanctioned as such because of the risk they posed to the integrity of the data processed. The restricted committee regularly sanctions failures to comply with the security obligation that did not necessarily give rise to a data breach, such as an insufficiently robust password policy (deliberation of the restricted committee no. SAN-2018-009 of 6 September 2018, published), the storage of passwords in clear text (deliberation of the restricted committee no.

48. Compliance with this obligation of means by a controller or processor is assessed in the light of the appropriateness of the technical and organisational measures implemented, taking the risks into account and assessing whether the nature, content and implementation of these measures are adapted to those risks. The restricted committee recalls that, while it may not be possible for a controller to guard against every so-called “social engineering” attack, i.e. attacks that exploit human psychology, this cannot exempt the controller from its obligations under Articles 24(1) and 32 of the GDPR.

49. Moreover, the restricted committee observes that ANSSI applies the principle of “defence in depth” to information systems, which consists in not basing security “on a single element but on a coherent whole. This therefore means that there must theoretically be no single point on which the whole edifice rests”, i.e. any potential security flaw in a software component must be offset by at least a second level of security (see the Memento on the concept of defence in depth applied to information systems, version 1.1 of 19 July 2004). The restricted committee notes that ANSSI bases this concept on the assumption that “any component of a system can be faulty or compromised. This postulate, which also applies to the security functions of an IS [information system], is regularly confirmed by news of vulnerabilities in many products and software” (see the white paper Hybrid Information System and Security: a Return to Reality, 10 August 2021).

50. In the present case, the restricted committee notes that […], which was the subject of the breach, contains numerous personal data (see paragraph 13 of this deliberation). Many other data are also processed by FRANCE TRAVAIL, even if they were not the subject of the breach, such as the complete files of job seekers. FRANCE TRAVAIL thus processes numerous intimate and sensitive data, for example on the origin of a disability, the constraints of a workstation, the evolution of a disability situation, the needs related to compensating for the disability and to the person's recovery, the limitations of abilities in the professional environment, as well as free-text fields in which, for the needs of the service, people's lifestyle habits and particular situations are recorded. These data may be health data in themselves or by cross-referencing. The restricted committee also points out that the potential combination of all this data increases the risks posed by the disclosure of each type of data taken separately.

51. Given the characteristics of the processing and the scope of the security obligation specified above, it is for FRANCE TRAVAIL to put in place appropriate and proportionate technical and organisational measures with regard to the requirements of Article 32 of the GDPR. The level of security provided for the processing must make it possible to guard against these risks.

2. On the measures put in place by FRANCE TRAVAIL

(i) On terms of authentication to the user accounts of CAP EMPLOI advisors

a. On mechanisms for restricting access to the account

52. When the processing implemented leads to the establishment of a password authentication mechanism, a strong password is recommended by both the ANSSI and the Commission in its deliberation No. 2022-100 of July 21, 2022 adopting a recommendation on passwords and other shared secrets.

53. This recommendation, which is certainly not imperative, provides a relevant light on the measures that should be taken in the field of security. It provides that in order to ensure a sufficient level of security and confidentiality, in the event that authentication is based solely on an identifier and a password, the latter must either be composed of a minimum of 12 characters including capital letters, lowercase numbers, numbers and special characters to choose from a list of at least 37 possible special characters; or be of at least 14 characters including capital letters, lowercase numbers and numbers,

54. Otherwise, the Commission considers that it also makes it possible to ensure a sufficient level of security and confidentiality an authentication based on a password of a minimum length of 8 characters, composed of 3 different categories of characters, since it is accompanied by a complementary measure such as the timeout of access to the account after several failures (temporary suspension of access, the duration of which increases as the attempts increase), the establishment of a mechanism allowing the execution of access to the account after several failures (the maximum)

55. The restricted training has, on several occasions, adopted repressive measures against controllers who provided for passwords of connection of insufficient robustness (see in particular the deliberations n ° SAN-2022-020 of November 10, 2022, n ° SAN-2023-021 of December 27, 2023 and n ° SAN-2023-023 of December 29, 2023).

56. The rapporteur considers that the password authentication policy provided for by FRANCE TRAVAIL at the time of the infringement, more specifically the threshold of 50 unsuccessful authentication attempts before locking the access to virtual machines of CAP EMPLOI advisors, was insufficiently robust in relation to the recommendations and the state of the art. The rapporteur considers this threshold insufficiently proportionate in view of the volume of processing and the sensitivity of the personal data processed, thus not ensuring their security.

57. FRANCE TRAVAIL, on the contrary, considers that its password policy was in line with the CNIL's recommendations in that it provided, in addition to length and complexity criteria, for the account to be blocked after 50 unsuccessful login attempts, a threshold that FRANCE TRAVAIL considers acceptable in the absence of a common position of the competent IT security authorities on this point. In addition, FRANCE TRAVAIL indicates that it had planned additional measures to ensure the security of the data, such as techniques for preventing "password spraying" (which consists in trying a selection of weak or common passwords in order to take over an account) as well as a permanent account-blocking mechanism requiring the intervention of an operator to unlock it. In any case, FRANCE TRAVAIL points out that no complexity criterion or blocking threshold could have prevented the intrusions, since the attackers were in possession of the passwords.

58. In the present case, the restricted committee notes that the findings of the inspection delegation established that, at the date of the data breach, FRANCE TRAVAIL's policy required passwords with a minimum length of 8 characters, containing at least 3 different types of characters (upper-case, lower-case, digit or special character), and mandatory renewal of the password every 90 days.

59. This arrangement corresponds to case No. 2 provided for in the CNIL's recommendation, that is to say a password ensuring the equivalent of an entropy of at least 50 bits (with a minimum of 8 characters drawn from at least 3 types of characters). As indicated in the same recommendation, this arrangement should therefore have been accompanied by a mechanism restricting access to the account. In the present case, the account was to be locked after 50 unsuccessful attempts from the Internet, a threshold well above the maximum of 10 attempts within a given period recommended by the CNIL in its aforementioned deliberation No. 2022-100. None of the other restriction mechanisms listed in that recommendation (e.g. a "captcha") had been put in place to compensate for this excessively high threshold.

60. The restricted committee also considers that the additional measures put in place, although consistent with good practice, do not compensate for the weakness linked to the lack of restriction mechanisms. On the one hand, the prevention of "password spraying" aims to reinforce the guarantee of a complex password, whereas a lack of complexity is not what FRANCE TRAVAIL is criticised for. On the other hand, the manual unlocking of an account by an operator does not detract from the fact that a threshold of 50 attempts before the account is blocked is far too high for the mechanism to constitute an effective protection measure for the account to which it is linked.

61. Indeed, allowing attackers to try 50 different passwords before the account is blocked increases the risk that one of their attempts will give them access to the account. The fact that ANSSI does not, unlike the CNIL, propose a specific threshold for the number of unsuccessful attempts at which the user account should be blocked cannot vindicate FRANCE TRAVAIL's choice of a threshold set at 50 attempts. The effectiveness of such a mechanism depends on the number of unsuccessful login attempts chosen to trigger the block, and a threshold that is too high can deprive it of any useful effect. This threshold must also be assessed in the light of the risks presented by the processing.

62. ANSSI also contributed to the aforementioned deliberation No. 2022-100 of 21 July 2022 during the public consultation carried out by the Commission on that occasion, which involved its European counterparts and experts in the field. ANSSI also stresses, in its "recommendations on multi-factor authentication and passwords", the importance of a mechanism temporarily blocking "authentication attempts for several seconds or even minutes (linearly or exponentially) after a number of unsuccessful attempts".

63. Finally, while the restricted committee notes that this vulnerability was not exploited by the attackers in the context of the data breach, the fact remains that it constitutes a breach of the security obligation, which it is for the committee to punish.

64. In view of the sensitivity and volume of the processing, and of the risk created by the failure to take into account the recommendations on the robustness of agents' passwords, the restricted committee considers that the measures provided for by FRANCE TRAVAIL for the authentication of CAP EMPLOI advisors did not make it possible to ensure the security of the data processed.

65. FRANCE TRAVAIL has since planned a change to its password policy in the first quarter of 2026, requiring passwords of 12 characters with at least 3 different types of characters (upper-case, lower-case, digit or special character), as well as lowering to 10 the threshold of unsuccessful login attempts within 5 minutes before the account is blocked.
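The policies compared above (8 characters from 3 classes with a lock after 50 failures, versus 12 characters with a lock after 10 failures in 5 minutes) can be checked with a short script. This is an added example, not code from the CNIL or FRANCE TRAVAIL; the class sizes and policy values are taken from the text, and the two failure timelines are constructed.

```python
"""Added example (not part of the CNIL decision): brute-force entropy of the
password policies discussed above and a sliding-window lockout check comparing
the old threshold (50 failures) with the new one (10 failures in 5 minutes).
Policy figures come from the text; the failure timelines are constructed."""
from __future__ import annotations

import math
from dataclasses import dataclass
from itertools import combinations

# Character-class sizes. 37 is the size of the special-character list the
# CNIL recommendation refers to; the list itself is not reproduced here.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 37}


def entropy_bits(length: int, classes: tuple[str, ...]) -> float:
    """Entropy of a uniformly random password of `length` characters drawn from
    the union of `classes`: length * log2(alphabet size)."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def worst_case_entropy_bits(length: int, min_classes: int) -> float:
    """A rule of the form "at least N of the 4 classes" is only as strong as the
    weakest combination a user may pick, so take the minimum over all N-subsets
    (for N = 3 that is upper + lower + digit, an alphabet of 62)."""
    return min(entropy_bits(length, combo)
               for combo in combinations(CLASS_SIZES, min_classes))


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int             # number of failures that triggers the lock
    window_seconds: float | None  # None: plain counter, no time window


# Policy at the time of the breach and the policy announced for 2026.
OLD_POLICY = LockoutPolicy(max_failures=50, window_seconds=None)
NEW_POLICY = LockoutPolicy(max_failures=10, window_seconds=300)


def lockout_time(policy: LockoutPolicy, failure_times: list[float]) -> float | None:
    """Timestamp (seconds) at which `policy` locks the account, given the sorted
    timestamps of consecutive failed logins, or None if it never locks."""
    recent: list[float] = []
    for t in failure_times:
        recent.append(t)
        if policy.window_seconds is not None:
            # Sliding window: keep only failures younger than the window.
            recent = [u for u in recent if t - u < policy.window_seconds]
        if len(recent) >= policy.max_failures:
            return t
    return None


def guesses_permitted(policy: LockoutPolicy, failure_times: list[float]) -> int:
    """How many wrong passwords the policy lets through before locking; this is
    the figure the committee weighs when it calls a threshold "too high"."""
    t_lock = lockout_time(policy, failure_times)
    if t_lock is None:
        return len(failure_times)
    return sum(1 for t in failure_times if t <= t_lock)


# Constructed timelines: 90 consecutive failures one every 20 s, and the same
# number spread out to one every 40 s.
FAST_FAILURES = [20.0 * i for i in range(90)]
SLOW_FAILURES = [40.0 * i for i in range(90)]

if __name__ == "__main__":
    print(f"8 chars, 3 of 4 classes (worst case): {worst_case_entropy_bits(8, 3):.1f} bits")
    print(f"12 chars, 4 classes: {entropy_bits(12, tuple(CLASS_SIZES)):.1f} bits")
    print(f"14 chars, upper+lower+digit: {entropy_bits(14, ('upper', 'lower', 'digit')):.1f} bits")
    for name, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        for label, times in (("fast", FAST_FAILURES), ("slow", SLOW_FAILURES)):
            print(f"{name} policy, {label} failures: lock at {lockout_time(policy, times)}, "
                  f"{guesses_permitted(policy, times)} guesses permitted")
```

The slow timeline shows why the recommendation pairs the attempt counter with escalating suspension delays or a captcha: a fixed window on its own never fills for failures spaced wider than the window.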

b. With regard to the lack of multi-factor authentication for access to accounts

66. The Commission points out in its above-mentioned deliberation No. 2022-100 that "actors can implement security measures other than those described in this recommendation if they are able to show that they guarantee at least an equivalent level of security" and that it has "in particular always considered that other means of authentication, such as two-factor authentication or electronic certificates, offer more security than the password". In addition, in its practical guide on the security of personal data, the CNIL recommends giving priority to multi-factor authentication wherever possible, in particular when the connection is accessible from outside the organisation's network.

67. The rapporteur considers that FRANCE TRAVAIL did not implement measures complementing its password policy so as to ensure the security of the data processed. He believes that the security of the data should have been ensured, among other things, by implementing multi-factor authentication, a measure whose implementation the data protection impact assessments (DPIAs) carried out by FRANCE TRAVAIL had planned from 2023, but which it finally postponed to April 2024 in view of the difficulties encountered.

68. In defence, FRANCE TRAVAIL maintains that the deployment of multi-factor authentication was delayed by the CAP EMPLOI organisations, which are contractually responsible for "the investment and operating costs of the information systems made necessary to access the information system [...]". FRANCE TRAVAIL submits that, under this division of responsibilities, the software part is its responsibility while the hardware part (including the supply of mobile phones as a second device for multi-factor authentication) rested with CAP EMPLOI. Since the latter were unable to provide a second device or to enrol it with the authentication system, and then refused the alternative of software-based multi-factor authentication, FRANCE TRAVAIL maintains that it cannot be accused of having failed to compensate for non-compliance with obligations that did not fall within the scope of its own responsibility.

69. FRANCE TRAVAIL adds that suspending the processing or delaying the onboarding of CAP EMPLOI until they could demonstrate access conditions in accordance with their commitments was not possible in view of the need to support job seekers benefiting from the employment obligation. The risk arising from the lack of multi-factor authentication was considered only theoretical because of the other strong security measures put in place. In any case, FRANCE TRAVAIL points out that multi-factor authentication would not have made it possible to thwart the attack, which was conducted by "social engineering".

70. The restricted committee also notes that in its deliberation No. 2025-019 of 20 March 2025 adopting a recommendation on multi-factor authentication, the CNIL advocates the use of multi-factor authentication for "sensitive data processing, within the meaning of Article 9 of the GDPR (e.g. the processing of health data), and processing or operations at risk for the data subjects" because such authentication "significantly reduces the likelihood of the risk of data". Although recent, this deliberation is part of a previously established doctrine. The need for multi-factor authentication had already been highlighted by ANSSI in 2021 (recommendations on multi-factor authentication and passwords), by the CNIL in 2022 (deliberation No. 2022-100 mentioned above) and in 2024 (guide on the security of personal data mentioned above). The restricted committee has also already held that the implementation of a multi-factor authentication measure would have been likely to prevent a data breach (CNIL, FR, 19 December 2018, Sanction, No. SAN-2018-011, published). This doctrine is therefore known to the actors and is particularly necessary for the processing of sensitive data and for processing or operations at risk for the persons concerned.

71. In the present case, the restricted committee notes that the inspection delegation was informed of the absence of multi-factor authentication for access to the accounts of CAP EMPLOI users, even though the risks associated with the absence of such a measure had been identified from the DPIA onwards ("the connection to the virtual machine for Cap emploi advisors is made by simple authentication (identifier and single password): if an external attacker has been able to access the These same DPIAs provided for the implementation of a two-factor authentication solution for 2023, which the Commission welcomed in its opinion No. 2022-050 of 21 April 2022.

72. The restricted committee notes that it is precisely the exploitation of this vulnerability that may have led to, or at least did not prevent, the data breach through the takeover of the accounts of CAP EMPLOI advisors. The restricted committee cannot accept FRANCE TRAVAIL's argument that the implementation of multi-factor authentication would have been ineffective against an attack by "social engineering". Indeed, although it is not possible, as already acknowledged, to guard against all such attacks, in this case multi-factor authentication would have made it extremely difficult for the attackers to authenticate to FRANCE TRAVAIL's information system. For example, with multi-factor authentication based on a dedicated mobile application (a second "possession" factor allowing CAP EMPLOI employees to receive a code on a phone), the attackers would have had to steal the phone, manage to unlock it, then know and enter the code in the application to generate a single-use code, before finally accessing the MAP tool.

73. In addition, while it is clear from the contractual documents that CAP EMPLOI was responsible for the investment and operating costs necessary to access the information system, as well as for the hardware part, the restricted committee recalled above that it considers FRANCE TRAVAIL responsible for steering the implementation of the security rules applicable to its information system (see point II.A. of this deliberation). It was therefore for FRANCE TRAVAIL, in its capacity as developer and host of the tool it opens to CAP EMPLOI, to assess the feasibility of implementing the chosen solution and to adapt it to the respective constraints. The difficulty of using a telephone as a second factor, because of the independence of CAP EMPLOI, could have been overcome by other measures, for example by distributing hardware OTP (one-time password) tokens to CAP EMPLOI employees.

74. Finally, it must be noted that the risk associated with the absence of multi-factor authentication was not merely theoretical, as FRANCE TRAVAIL claims. The restricted committee considers that FRANCE TRAVAIL should therefore have given more weight to this real risk when balancing it against the need for continuity of the public service and support for job seekers benefiting from the employment obligation, all the more so as alternative or intermediate solutions existed. The choice made by FRANCE TRAVAIL led to the compromise of the personal data of more than 36.8 million people, including data subject to special protection such as the NIR (in view of the risks of identity theft or interconnection that it presents because of its meaningful, unique and permanent nature).

75. FRANCE TRAVAIL reports that it implemented multi-factor authentication after the data breach, based on [...].

(ii) On the tracking of the activity logs of the tool […]

76. In its recommendation No. 2021-122 of 14 October 2021 on logging, the CNIL recommends that "the operations of creation, consultation, modification and deletion of personal data and information contained in the processing to which the logging is applied be recorded, including the individually identified author, the time stamp, the nature of the operation carried out and the reference of the data concerned by the operation" and "to implement a process [...]"

77. ANSSI also recalls, in its "Security recommendations for the architecture of a logging system" of 28 January 2022, that "the continuous analysis of event logs makes it possible to identify unusual activities, while the archiving of logs makes it possible to remove doubts a posteriori. In this sense, logging is also the prerequisite for implementing a capacity for detecting, analysing and responding to security incidents."

78. In other words, merely collecting log data is not enough to secure an information system. A logging system is effective only if the entity is able to process the information recorded in the logs so as to be able, where necessary, to detect suspicious behaviour quickly.

79. The Commission therefore recommends, in its above-mentioned recommendation, "implementing a system for processing and analysing the data collected and formalising a process for generating alerts and handling them in the event of suspected abnormal behaviour. This data may also be used ex post when a data breach (in particular by consultation, transmission or illegal use of the data) is found and the controller seeks to establish responsibility."

80. The European Data Protection Board also considers, in its Guidelines 9/2022 on the notification of personal data breaches under the GDPR, that "the ability to detect, remedy and report a breach as soon as possible should be considered an essential element".

81. The rapporteur criticises FRANCE TRAVAIL for the lack of regular automated monitoring of logs to detect and analyse security incidents and to respond to them quickly and effectively. He believes that the implementation of such logging measures would have made it possible to detect the attack suffered by FRANCE TRAVAIL more quickly.

82. In defence, FRANCE TRAVAIL argues that the rapporteur underestimates the difficulty of analysing the logs of an information system as complex as its own, and that it is always easier, as the rapporteur does, to analyse a situation after the fact. FRANCE TRAVAIL indicates that, at the time of the breach, it would have been very difficult to detect illegitimate traffic, since the attack took place through legitimate accounts. FRANCE TRAVAIL states that one must place oneself at the time of the attack and from its own point of view in order to assess whether measures adapted to the risk had been put in place, an obligation which the body considers it fulfilled in the present case.

83. The restricted committee recalls first of all that the retention of traceability data is a basic security measure for any processing, on which recommendations were published by the CNIL in 2021 (recommendation No. 2021-122 mentioned above) and by ANSSI from 2013 (security recommendations for the architecture of a logging system of 2 December 2013, updated in 2022). These recommendations hold that logging is justified above all by the objective of securing the processing and that it must be "active", that is to say, allow continuous, real-time detection of abnormal operations so that they can be remedied quickly. The CNIL's restricted committee has already sanctioned various actors for lack of effective logging.

84. In the present case, the restricted committee notes that, at the time of the data breach, FRANCE TRAVAIL had a logging system recording a technical internal identifier and the time stamp of the actions carried out by agents, which retained these data for one year, as well as a security operations centre (SOC) monitoring the traffic on its information system.

85. It is clear from the investigation that the attackers, although appearing as legitimate users once connected to FRANCE TRAVAIL's information system, behaved abnormally, in a way that did not correspond to the working habits of employees.

86. Indeed, the restricted committee emphasises that, while the attack did take place through legitimate accounts of CAP EMPLOI employees, the activity of these accounts had many suspicious characteristics that should have triggered alerts. The operations carried out were highly abnormal in terms of their timing and the frequency of requests, the considerable volume of data extracted (25 GB of "text" type data), the error rate of certain requests (69% on one of the hijacked accounts, probably corresponding to a phase of testing and attempts by the attackers to modify the JavaScript code), and the very fact that the data were extracted while the activity of the advisors was extracted only

87. However, despite all these anomalies, the system put in place by FRANCE TRAVAIL for monitoring the activity logs of the tool did not make it possible to detect them, in particular by generating an alert so that they could be remedied.

88. In view of these elements, the restricted committee cannot accept FRANCE TRAVAIL's argument that the attack was not easily detectable. Moreover, the fact that its information system is extremely complex and regularly attacked should have led FRANCE TRAVAIL to set up a logging system commensurate with this risk and, above all, to ensure that it was effectively exploited.

89. This circumstance is aggravated by the fact that the Commission had already alerted FRANCE TRAVAIL to the need to set up a trace analysis system in its deliberation No. 2022-050 of 21 April 2022.

90. The restricted committee takes note of the new measures put in place by FRANCE TRAVAIL, including the triggering of alerts according to predefined and constantly reassessed thresholds for errors and requests, as well as the conduct of penetration tests evaluating its capabilities for detecting and responding to security incidents.
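The signals the committee lists in paragraph 86 (timing, request frequency, error rate, volume extracted) are the kind of per-account thresholds paragraph 90 describes. The script below is an added example, not FRANCE TRAVAIL's SOC tooling or the CNIL's; the log-line format, the thresholds and the two accounts' log lines are constructed, with the 69% error rate taken from the text.

```python
"""Added example (not FRANCE TRAVAIL's SOC tooling): a minimal per-account
anomaly check over activity-log lines, using the signals the decision lists in
paragraph 86 (timing, request frequency, error rate, volume extracted). The line
format, thresholds and log lines are constructed for the example."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed thresholds; a real deployment derives them from baselines and,
# as paragraph 90 notes, reassesses them continuously.
MAX_ERROR_RATE = 0.30              # share of requests answered with HTTP >= 400
MAX_OFF_HOURS_SHARE = 0.50         # share of requests outside 07:00-20:00 weekdays
MAX_REQUESTS_PER_MINUTE = 5.0
MAX_BYTES_OUT = 100 * 1024 * 1024  # 100 MiB per account per log batch


@dataclass
class AccountStats:
    requests: int = 0
    errors: int = 0
    off_hours: int = 0
    bytes_out: int = 0
    first: datetime | None = None
    last: datetime | None = None

    @property
    def error_rate(self) -> float:
        return self.errors / self.requests if self.requests else 0.0

    @property
    def off_hours_share(self) -> float:
        return self.off_hours / self.requests if self.requests else 0.0

    @property
    def requests_per_minute(self) -> float:
        if self.requests < 2 or self.first is None or self.last is None:
            return 0.0
        minutes = (self.last - self.first).total_seconds() / 60
        return self.requests / minutes if minutes > 0 else float("inf")


def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 20


def parse_line(line: str) -> tuple[datetime, str, str, int, int]:
    """Constructed format: '<ISO timestamp> <account> <action> <status> <bytes>'."""
    ts, account, action, status, nbytes = line.split()
    return datetime.fromisoformat(ts), account, action, int(status), int(nbytes)


def aggregate(lines: list[str]) -> dict[str, AccountStats]:
    """Fold the log batch into one AccountStats per account."""
    stats: dict[str, AccountStats] = defaultdict(AccountStats)
    for line in lines:
        ts, account, _action, status, nbytes = parse_line(line)
        s = stats[account]
        s.requests += 1
        s.errors += int(status >= 400)
        s.off_hours += int(is_off_hours(ts))
        s.bytes_out += nbytes
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return dict(stats)


def alerts(stats: dict[str, AccountStats]) -> dict[str, list[str]]:
    """Accounts whose activity crosses any threshold, with the reasons."""
    out: dict[str, list[str]] = {}
    for account, s in stats.items():
        reasons = []
        if s.error_rate >= MAX_ERROR_RATE:
            reasons.append(f"error rate {s.error_rate:.0%}")
        if s.off_hours_share >= MAX_OFF_HOURS_SHARE:
            reasons.append(f"{s.off_hours_share:.0%} of requests outside working hours")
        if s.requests_per_minute >= MAX_REQUESTS_PER_MINUTE:
            reasons.append(f"{s.requests_per_minute:.1f} requests/minute")
        if s.bytes_out >= MAX_BYTES_OUT:
            reasons.append(f"{s.bytes_out / 2**20:.0f} MiB returned")
        if reasons:
            out[account] = reasons
    return out


def _lines(account, start, count, step, status_of, bytes_of):
    """Build constructed log lines for one account."""
    return [f"{(start + i * step).isoformat()} {account} search "
            f"{status_of(i)} {bytes_of(i)}" for i in range(count)]


# Constructed log batch: a normal advisor on a Tuesday morning, and a hijacked
# account at 02:00 with a 69% error rate (the figure in paragraph 86).
SAMPLE_LOG = (
    _lines("advisor01", datetime(2024, 3, 5, 9, 0), 20, timedelta(minutes=9),
           lambda i: 404 if i == 7 else 200, lambda i: 20_000)
    + _lines("advisor17", datetime(2024, 3, 5, 2, 0), 100, timedelta(seconds=10),
             lambda i: 500 if i < 69 else 200, lambda i: 0 if i < 69 else 5_000_000)
)

if __name__ == "__main__":
    for account, reasons in alerts(aggregate(SAMPLE_LOG)).items():
        print(account, "->", "; ".join(reasons))
```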

(iii) Management of personal data access authorisations

91. The rapporteur considers that, by allowing CAP EMPLOI employees to access all the people present in FRANCE TRAVAIL's database, and all the data of [...], FRANCE TRAVAIL did not limit access to the data to those who need to know them.

92. In defence, FRANCE TRAVAIL maintains that this access is necessary for the support of job seekers benefiting from the employment obligation. The operator points out that, while CAP EMPLOI advisors have access to all the data of all the people present in [...], they have access only to the complete records of the persons they support. Finally, FRANCE TRAVAIL points out that the accounts of CAP EMPLOI agents are configured according to three authorisation profiles and on the principle of least privilege.

93. The restricted committee recalls that, pursuant to Article 32 of the GDPR, the controller must put in place appropriate measures to ensure the confidentiality of the data and prevent them from being processed unlawfully by persons who do not need to know them. The management of authorisations to consult or use an information system must aim to limit access to only the personal data that a user needs for the performance of his or her tasks (CNIL, FR, 29 October 2021, Sanction, No. SAN-2021-019). In determining the level of granularity of the authorisations, account should be taken of the quantity and nature of the data processed, the degree to which the different processing purposes are intertwined, and the technical and human resources of the controller.

94. In this case, the restricted committee notes that CAP EMPLOI employees have read access to all data present in [...] (see the list of these data in paragraph 13). They have access to these data for all job seekers, including those who are not beneficiaries of the employment obligation. On the other hand, they have access to complete records (i.e. all follow-up information, including health data) only for the persons they support. The restricted committee also notes that, while CAP EMPLOI advisors have access by default to the data of the people in their reference region, they can, on their own initiative, modify the scope of the search without geographical limitation.

95. The restricted committee does not call into question the need for these accesses, whose usefulness for supporting people it acknowledges. Nevertheless, it considers that the scope of the searchable data, both as regards the nature of the data and the geographical areas, extends far beyond what is strictly necessary for the performance of the tasks of CAP EMPLOI employees. Indeed, it does not seem essential that these advisors have access to so much data, for all job seekers and over such a wide geographical scope, as is confirmed by the fact that FRANCE TRAVAIL has indicated in its submissions that it plans a review of the access authorisation rules, without this appearing to hinder the follow-up of beneficiaries.

96. The restricted committee considers that the access of CAP EMPLOI advisors to a significant amount of data on all the job seekers present in [...] was able to expand the scope of the data breach, since the attacks were carried out via accounts of CAP EMPLOI advisors, who had access to all [...] of all the people present in FRANCE TRAVAIL's database, and not only to the data of the job seekers who had been the subject of a decision

97. The restricted committee nevertheless notes that FRANCE TRAVAIL has planned data minimisation and access restriction measures that will make it possible to limit the requests made on [...] by CAP EMPLOI employees (geographical limits, limitation of the types of profiles displayed, exclusion of the NIR in certain cases).

98. In conclusion, the restricted committee considers that the operator did not implement technical and organisational measures appropriate and proportionate to the requirements of Article 32 of the GDPR, even though FRANCE TRAVAIL had identified most of these risks before the processing was implemented. The restricted committee highlights in particular the importance of robust authentication, effective logging and an appropriate access authorisation policy, in a context of increasingly massive data breaches of which FRANCE TRAVAIL was aware and at a time when, as FRANCE TRAVAIL indicated, its information system is intended to be opened to more actors in the employment network.

99. Therefore, the restricted committee considers that FRANCE TRAVAIL has failed to comply with its obligations under Article 32 of the GDPR.

III. On corrective measures

100. Article 20-IV of Law No. 78-17 of 6 January 1978, as amended, provides that: "where the controller or its processor does not comply with the obligations arising from Regulation (EU) 2016/679 of 27 April 2016 or from this Law, the President of the National Commission for Informatics and Freedoms may refer the matter to the restricted committee of the Commission with a view to the pronouncement, after adversarial proceedings, of one or more of the following measures

101. 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover of the previous financial year, whichever is higher. In the cases referred to in Article 83 of Regulation (EU) 2016/679 of 27 April 2016, these ceilings are increased to 20 million euros and 4% of that turnover respectively. The restricted committee shall take into account, in determining the amount of the fine, the criteria specified in the same Article 83".

102. Article 22, paragraph 2 of the Data Protection Act then provides that "the restricted committee may make public the measures it takes".

103. The restricted committee recalls that, in order to assess whether a fine is appropriate, it must take into account the criteria specified in Article 83 of the GDPR, such as the nature, seriousness and duration of the infringement, the scope or purpose of the processing concerned, the number of data subjects, the measures taken by the controller to mitigate the damage suffered by the data subjects, whether the infringement was committed negligently, and the degree of cooperation with the supervisory authority.

104. The CJEU recalled in this regard that "only an administrative fine the amount of which is determined on the basis of the real or material economic capacity of its recipient [...] is likely to meet the three conditions set out in Article 83(1) of the GDPR, namely to be effective, proportionate and dissuasive" (CJEU, Grand Chamber, 5 December 2023, C-807/21, "Deutsche Wohnen"; CJEU, Fifth Chamber

105. In addition, the restricted committee points out that, while the imposition of an administrative fine is conditional on establishing a culpable infringement on the part of the body prosecuted, this fault may result from deliberate conduct but also from negligence, pursuant to Article 83(2)(b) of the GDPR (CJEU, Grand Chamber, 5 December 2023, "Deutsche Wohnen SE e.a.", C-683/21).

106. Finally, it recalls that, pursuant to Article 83 of the GDPR, administrative fines must be dissuasive and proportionate.

A. On the pronouncement of an administrative fine and its amount

107. The restricted committee recalls that it must examine the relevant criteria of Article 83 of the GDPR in deciding whether to impose an administrative fine on the body and, where appropriate, in determining its amount.

108. The rapporteur proposes that the restricted committee impose an administrative fine on FRANCE TRAVAIL in the light of the breach of Article 32 of the GDPR set out above.

1. On the possibility of imposing a fine

109. The rapporteur considers that it is possible for the restricted committee to impose a financial penalty on FRANCE TRAVAIL, in its capacity as an independent operator of the State.

110. FRANCE TRAVAIL first of all contests the very principle of imposing a fine on it, considering that the provisions of Article 20 of the Data Protection Act do not allow the restricted committee to impose financial penalties on processing carried out by the State. This would amount to the State fining itself, particularly in the case of FRANCE TRAVAIL, whose budget is directly and indirectly funded by the State. In addition, FRANCE TRAVAIL calls on the restricted committee to give priority to a preventive measure, such as a reminder of legal obligations or a formal notice, since the shortcomings could be brought into compliance. FRANCE TRAVAIL argues in this respect that the legislator intended to provide for a gradation of the penalties listed in Article 20 of the Data Protection Act, the administrative fine appearing in last position.

111. In the first place, the restricted committee notes that the Council of State has held that "it is clear from these provisions [Article 45 of the Law of 6 January 1978, which has become Article 20 of the same Act] that the pronouncement of a sanction by the restricted committee of the CNIL is not subject to the prior intervention of a formal notice served on the controller or its processor by the President of the CNIL" (Council

112. Secondly, the restricted committee cannot accept FRANCE TRAVAIL's argument that the legislator wished to exempt public administrative institutions such as FRANCE TRAVAIL from fines or periodic penalty payments.

113. Indeed, while it is clear from the provisions of Article 20 of the Data Protection Act that the imposition of an administrative fine by the restricted committee is excluded in the case of processing "implemented by the State", this exception, which must be interpreted strictly, is not provided for in the case of processing "implemented on behalf of the State", a concept also used by the legislator (in particular in the same Article 20 of the Act).

114. In the present case, FRANCE TRAVAIL is, under Article L. 5312-1 of the Labour Code, a public national institution with legal personality and therefore an entity distinct from the State.

115. The restricted committee also notes that, while FRANCE TRAVAIL's general guidelines are defined by the State (in particular in a multiannual agreement on objectives and management concluded between the State, the United and FRANCE TRAVAIL), it is an operator with a significant margin of initiative in translating these objectives into concrete actions. Moreover, FRANCE TRAVAIL has financial autonomy, with a budget only one third of which is financed by the State. The rest is financed by compulsory contributions and employers' contributions; even if these are supervised by the State, it cannot be argued that they are direct resources of the State.

116. In total, the processing concerned is thus not implemented by the State but by FRANCE TRAVAIL "on behalf of the State". It is therefore not covered by the exclusion provided for in 7° of IV of Article 20 of the Data Protection Act.

117. Thus, the provisions of Article 20 of the Data Protection Act do not prevent an administrative fine from being imposed on a public administrative institution, which the restricted committee points out it has already done in the past (deliberation of the restricted committee No. SAN-2019-004 of 31 January 2019, not published; decision of the president of the restricted committee No. SANPS-2024-023 of 23 May 2024, not published).

118. In the light of all these elements, the restricted committee considers that the conditions for imposing a fine are met.

2. Consideration of the criteria relevant to the imposition of a fine

119. FRANCE TRAVAIL argues that the administrative fine proposed by the rapporteur is manifestly disproportionate in the light of the criteria of Article 83 of the GDPR. First of all, the body contests the seriousness of the breach, considering that the rapporteur assesses it as if FRANCE TRAVAIL were the perpetrator of the breach and not a victim, thereby amplifying the seriousness attributed to this failure. Secondly, FRANCE TRAVAIL maintains that it deployed strong security measures, particularly for the part of the processing containing sensitive data, and in any case for the part of the joint processing under its responsibility. Finally, FRANCE TRAVAIL maintains that the negligence attributed to it, as opposed to deliberate conduct, should lessen its responsibility rather than increase it.

120. In the first place, the restricted committee considers that the criterion provided for in Article 83(2)(a) of the GDPR, relating to the nature, seriousness and duration of the infringement, should be applied, taking into account the nature, scope or purpose of the processing concerned and the number of persons concerned.

121. The restricted committee recalls that the fact that attackers intruded into the information system of FRANCE TRAVAIL does not affect its obligation of means to secure the processing under Article 32 of the GDPR. It considers that the breach found is serious and that the lack of awareness of security principles on the part of FRANCE TRAVAIL has put at risk the security of the personal data of millions of data subjects.

122. In addition, with regard to the assessment of the seriousness of the breach, the fact that the processing concerns in part vulnerable persons within the meaning of the Guidelines on Data Protection Impact Assessment (DPIA) and on determining whether processing is "likely to result in a high risk" for the purposes of Regulation (EU) 2016/679.

123. The restricted committee also recalls that the data breach concerned persons registered during the last 20 years (the retention period provided for in Article R. 3212-44 of the Labour Code, in the version in force at the time of the inspection; it has since been amended to reduce and refine the retention periods according to the purposes), as well as the data of persons not registered on the list of job seekers but having a candidate space on the website. It also underlines once more the wealth of data processed in […] to which the attackers had access, as well as the many other data processed by FRANCE TRAVAIL (including health data and data relating to disability), which accentuates both the intrusion into the privacy of the data subjects and the risks that the violation entails for them.

124. Secondly, the restricted committee considers that the criterion provided for in Article 83(2)(b) of the GDPR, relating to whether the breach was committed deliberately or negligently, should be taken into account.

125. The restricted committee notes that while the case-law requires the characterisation of "misconduct" in order to impose an administrative fine, this concept covers violations committed deliberately but also those committed by negligence, and implies that "the controller could not ignore the infringement of his behaviour, whether or not he was aware of the provisions of the GDPR" (CJEU, "Nacionalinis visuomenės", paragraph 81).

126. The restricted committee considers that the failure results from gross negligence on the part of FRANCE TRAVAIL, which failed to take into account the state of the art, the consistent guidance of the CNIL and the ANSSI, and the recommendations made to it. It adds that the vulnerabilities were known to and identified by FRANCE TRAVAIL from the moment the processing was implemented, the DPIAs having listed the exact risks that materialised more than two years after the start of the processing and during the data breach. The Commission had also drawn its attention to these issues in its deliberation no. 2022-050 of 21 April 2022.

127. Thirdly, the restricted committee considers that it is necessary to take into account, pursuant to Article 83(2)(d) of the GDPR, the degree of responsibility of the controller, having regard to the technical and organisational measures it has implemented pursuant to Articles 25 and 32 of the GDPR.

128. However, as demonstrated with regard to the responsibility of FRANCE TRAVAIL for the processing in question (II.A.) and to the absence of multi-factor authentication for access to the accounts of CAP EMPLOI (II.B.2-(i)-b)), the restricted committee considers that FRANCE TRAVAIL cannot be relieved of its responsibility to implement technical and organisational measures suited to its system.

129. Fourthly, the restricted committee intends to take into account the categories of personal data concerned by the breach, pursuant to Article 83(2)(g) of the GDPR.

130. The restricted committee recalls that the processing in question includes data relating to health, and in particular to disability, which are special categories of data within the meaning of Article 9 of the GDPR, referred to as sensitive data (see paragraphs 4 to 9). The restricted committee emphasises that while the complete records of individuals, including health and disability data, were not compromised, the fact remains that the security gaps identified gave rise to a definite risk to the confidentiality of these "sensitive" data.

131. Finally, it is also the combination of all the data processed that makes it possible to build a precise and complete picture of the private life of the data subjects. In the present case, the restricted committee recalls that the violation concerned data making it possible to identify precisely the person to whom they relate (usual name, birth name, first name, gender, date of birth, NIR, address, postal code, telephone number, e-mail address, geographical area (region of residence), individual reference, job seeker status (registered, cancelled or identified), start and end dates of registration). Certain data such as the NIR are subject to special protection and are likely to enable fraudulent actions, in particular to the detriment of the data subjects.

132. In the light of all these elements, the restricted committee considers that the imposition of a fine is justified.

3. On the amount of the fine

133. In defence, FRANCE TRAVAIL maintains that the proposed fine is excessive for an administrative public institution working in the general interest, that it would weigh heavily on its budget and therefore also on the resources allocated to bringing its processing operations into compliance, and that it would be far stricter than fines imposed by the restricted committee on profit-making companies.

134. Furthermore, FRANCE TRAVAIL maintains that the principle of the legality of offences and penalties requires transparency in the calculation of the fine proposed against it, so that it can usefully prepare its defence. In the present case, the rapporteur did not detail the calculation method used, which FRANCE TRAVAIL considers flawed in that it does not take into account the specific economic functioning of an administrative public institution. FRANCE TRAVAIL emphasises that its budget is not comparable to a turnover and that it is based solely on public allocations.

135. The restricted committee recalls first of all that Article 83 of the GDPR provides, for a controller that is not an undertaking, for an administrative fine of up to ten million (10 000 000) euros in the event of a breach of Article 32 of the GDPR. It recalls that administrative fines must be dissuasive and proportionate.

136. The restricted committee also recalls that the requirement to state reasons for an administrative sanction obliges neither the restricted committee nor the rapporteur to rule on all the criteria provided for in Article 83 of the GDPR, and that it does not imply that the numerical elements relating to the method of determining the amount of the proposed or pronounced sanction must be indicated (EC, 10th/9th, 19 June 2020, No. 430810; EC, 10

137. As regards comparison with fines imposed in other proceedings, FRANCE TRAVAIL cannot usefully compare its situation with that of other bodies sanctioned for allegedly similar breaches, since the amount of a fine must be determined on a case-by-case basis. The Council of State held that "the fact that fines of a smaller amount, in proportion to their global turnover, have been pronounced by the restricted committee of the CNIL against other companies has no bearing on the proportionality of the sanction imposed on the applicant company" (EC, 10th and 9th chambers combined, 14 May 2024, VOODOO company, no. 472221).

138. Therefore, while taking into account the specific features of FRANCE TRAVAIL as a public administrative institution, the restricted committee considers, in the light of the responsibility of this body, its financial capacity and the relevant criteria of Article 83(2) of the GDPR mentioned above, that an administrative fine of five million euros (5 000 000 €) is justified in view of the breach of Article 32 of the GDPR.

B. On the pronouncement of an injunction

139. The rapporteur had initially requested the pronouncement of an injunction to provide for a strict authorisation policy reflecting the business needs of the advisors of the CAP EMPLOI structures. As FRANCE TRAVAIL indicated a change in its authorisation policy, the rapporteur withdrew the request for an injunction in his written submissions of 22 October 2025.

140. FRANCE TRAVAIL asks the restricted committee, rather than imposing an administrative fine, to order it to allocate a certain amount to the security of its information system.

141. The restricted committee recalls that the injunction and the fine have different purposes. Whereas the administrative fine is imposed to punish breaches, which may lie in the past, the injunction is intended to make the controller cease the practice observed. Moreover, the restricted committee emphasises that it is not for it to decide how the organisation allocates its budget.

142. The restricted committee also notes that FRANCE TRAVAIL states that it has remedied all the vulnerabilities identified following the data breach and that the rapporteur has withdrawn his request for an injunction. However, it notes that no supporting documents have been provided in support of the statements made by FRANCE TRAVAIL. Therefore, the restricted committee considers it necessary to issue an injunction in order to ensure the effective implementation of the corrective measures by FRANCE TRAVAIL.

143. With regard to the terms of the injunction with a periodic penalty payment, the restricted committee notes that, in order for the penalty payment to retain its coercive function, its amount must be both proportionate to the seriousness of the breaches committed and suited to the financial capacity of the controller.

144. In the light of these elements, the restricted committee considers justified the pronouncement of a penalty of five thousand euros (5 000 €) per day of delay, which may be liquidated after a period of one (1) month following the notification of this deliberation, for the measures that FRANCE TRAVAIL states it has already implemented, and […].

C. On the publication of the sanction

145. FRANCE TRAVAIL contests the rapporteur's proposal to make this deliberation public, stressing that remediation measures were put in place immediately after the violation and even before the intervention of the CNIL, that no malicious or wilful act tainted its conduct, and that the shortcomings arose in an environment that was not under its sole control. FRANCE TRAVAIL adds that the data subjects have already been informed of the data breach, and that such publication could aggravate the already strained relations between its advisors and users.

146. The restricted committee considers that FRANCE TRAVAIL is not criticised for having failed to inform the data subjects of the data breach, and that, irrespective of that information, publication is justified by the seriousness of the breach in question, the nature of the controller, the public interest tasks entrusted to it, the sensitivity of the data processed, the very large number of data subjects and the absence of any choice for them as to whether to submit their data.

147. Regarding the impact of this publication on the behaviour of users towards FRANCE TRAVAIL advisors, the restricted committee considers that many other factors unrelated to it play a part in shaping those relations.

148. The restricted committee considers that this measure is proportionate since the decision will no longer identify the organisation by name after a period of two years from its publication.

BY THESE REASONS

The restricted committee of the CNIL, after having deliberated:

– imposes on FRANCE TRAVAIL an administrative fine of five million euros (5 000 000 €) in view of the breach of Article 32 of the GDPR;

– issues against FRANCE TRAVAIL an injunction to provide proof of the implementation of the measures needed to comply with Article 32 of the GDPR:

1. with regard to the robustness of passwords, to prove compliance through the implementation of a password policy providing for mechanisms restricting access to the account;

2. with regard to the authentication procedures for the user accounts of CAP EMPLOI advisors, to prove compliance by implementing multi-factor authentication;

3. with regard to the monitoring of the activity logs of the MAP tool, to prove compliance with the new measures put in place;

4. with regard to the management of authorisations for access to personal data, to prove compliance through restrictions on data access.

– accompanies the injunction with a periodic penalty payment of five thousand euros (5 000 €) per day of delay at the end of a period of:

o one month following the notification of this deliberation, for the measures indicated as already implemented by FRANCE TRAVAIL […]

o […]

proof of compliance to be sent to the restricted committee within this period;

– decides to publish its deliberation on the CNIL website and on the Légifrance website; the deliberation will no longer identify FRANCE TRAVAIL by name at the expiry of a period of two years from its publication.

The President

Philippe-Pierre CABOURDIN

This decision may be appealed to the Council of State within two months of its notification.
</pre>