GDPR: Two-person small business is fined €7,300

The CNIL punishes a company accused of sending spam email in the French. The company is fined €7,300 by the CNIL for breaching of the GDPR on December 31, 2020.

The CNIL is the federal Data Protection Authority for France. The authority is established in Paris and is in charge of enforcing GDPR for France.

The CNIL requires that companies collect the consent before sending prospecting emails and to be able to prove the consent.

The very small company employs only two people sent commercial prospecting emails without proof of the prior consent.

Five breaches were identified following checks carried out by the supervisory authority CNIL:

1. A breach of the obligation to obtain the consent before sending prospecting emails (article L. 34-5 of the CPCE)
2. A breach of the principle of data minimisation (article 5.1.c of the GDPR)
3. A breach in terms of data retention period (article 5.1.e of the GDPR)
4. A breach of the obligation to properly inform people (article 14 of the GDPR)
5. A breach of people's right to object (article 21 of the GDPR)

The company must comply within 2 months otherwise it is exposed to the payment of a fine of €1,000 per day of delay.