Personal data: CNIL condemns RATP to a fine of 400,000 euros

At least six bus centers have notified the number of strike days of agents in a file used to prepare promotional choices.

Le Monde with AFP

The National Committee on Informatics and Freedoms (CNIL) condemned Thursday, 4 November the autonomous transport of Paris transport (RATP) to a fine of 400,000 euros, after finding that several bus centers had noticed the Number of days of strikes agents in a file used to prepare promotional choices.

“The RATP [a] failed to its obligations, in particular because only the data strictly necessary for the evaluation of the agents should have been included in these files, explains the French Constable of the personal data In a communiqué . The indication of the number of days of absence was sufficient here, without the need to clarify the reason for the absence of the exercise of the right to strike.”

Facts denounced by a union

The CNIL had been seized at the mid-2020 by the CGT-RATP. Following this complaint, the RATP, which exploits part of the public transport in Paris and in its suburbs, told the CNIL that four bus centers were concerned with this practice (Marne’s banks, Seine Quay, Paris South -Now and north shores). “The RATP recognized the illegal nature of these files and argued that such a practice was contrary to its general policy,” she said.

CNIL’s verifications found that the practice also existed in at least two other centers (Aubervilliers and Vitry-sur-Seine), alongside other failures concerning the conservation and security of personal data.

The evaluation files of the agents were, for example, kept “for more than three years after the commission of progress” for which they are established, while their conservation was necessary only for eighteen months.

Finally, the authorized agents could access all the data of all agents, including those who exercised in other centers, and even “extract all the data contained in the tool”, noted the CNIL . “Such a configuration did not allow to prevent a possible misuse of the data, and thus to guarantee their confidentiality” she alerts.

According to the communiqué, the RATP expressed during the measurement procedure taken to correct these failures. The RATP group used about 65,000 employees in 2019. His “bus” department counted about 16,000 drivers.

All the failures identified by the CNIL rely on the General Data Protection Regulations (RGDP), set up in May 2018 to strengthen the protection of personal data in the European Union.

/Media reports.