CNIL Fines Political Candidates for Privacy Breaches
French privacy watchdog CNIL slapped five political candidates with fines totaling 23,500 euros ($27,000) for GDPR breaches, it said Thursday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The violations involved sending political canvassing messages to voters before the 2024 European and French legislative elections, the DPA said, according to a translation.
Prior to the elections, CNIL set up an election observatory, where citizens could report issues arising from the receipt of political solicitation messages. Investigations into the activities of the five candidates, who were not named, showed several breaches of personal data protection rules, it said.
Several GDPR obligations were involved. CNIL said some candidates weren't able to prove they had consent for their messages or could rely on a legitimate interest. One candidate, a health care professional, had used patients' phone numbers to send SMS messages promoting the candidacy, breaching the GDPR provision that data be used only for the purpose for which it was collected, the DPA said.
Some candidates failed to give people all the information required by the GDPR, CNIL said, and two had no processes to effectively ensure data subjects' right to object to being contacted, such as a STOP SMS system or a link allowing them to resume further marketing messages.
Another privacy violation involved one candidate's failure to respond to a request to exercise data access rights, CNIL said.
The audit also showed that one candidate sent a prospective email to several hundred recipients, all members of the same political party, without using the "BCC" feature to ensure the confidentiality of email addresses, CNIL said.