France Travail fined €5M: GDPR Article 32 moves from theory to audit
The CNIL fined France Travail €5M for breaches of GDPR Article 32: security measures identified in the DPIA but not implemented. A clear signal for Luxembourg organizations.
Excerpt — On 22 January 2026, the CNIL fined France Travail €5M for security shortcomings (GDPR Art. 32), flagging a gap between measures listed on paper (DPIA) and those actually deployed. A direct signal for Luxembourg organizations. cnil.fr
The case
On 22 January 2026, the CNIL’s restricted committee fined FRANCE TRAVAIL (formerly Pôle emploi) €5,000,000 for “failing to ensure the security of jobseekers’ data,” following a major 2024 breach. The CNIL noted that “most appropriate security measures had been identified in the DPIAs but were not effectively implemented.” The legal basis is GDPR Article 32 (security of processing). The decision also details the calculation method: for a security breach, the legal cap does not depend on turnover but is set at €10M (GDPR Art. 83(4)). cnil.fr
The full decision SAN‑2026‑003 is available on Légifrance, detailing the infringements, the injunction with penalty payments, and the proportionality analysis. It confirms that a prior formal notice is not a prerequisite for imposing a fine. legifrance.gouv.fr
Legal reasoning
- The text. GDPR Article 32 requires “appropriate technical and organizational measures,” considering the state of the art, costs, the nature of processing, and risks to individuals, citing encryption, resilience, restoration, and regular testing. Article 33 governs 72‑hour breach notification, but the crux here is insufficient security measures. eur-lex.europa.eu
- CNIL’s interpretation. Listing measures in a DPIA is not enough; they must be effectively deployed and their efficacy demonstrated. The CNIL reiterates the applicable fine range for security failures (€10M cap, Art. 83(4)), independent of turnover. cnil.fr
- EU framework. EDPB guidelines on breach notification show, through examples, typical failures: no MFA/network segmentation, ineffective backups, no credential rotation, etc., and their impact on risk analysis and follow‑on obligations. They confirm the expectation of an operational, tested, and documented setup. edpb.europa.eu
- Luxembourg stance. The CNPD’s Chapter IV page reminds that controllers “take all measures required under Article 32” and must be able to demonstrate compliance; the same proportionality standard applies in Luxembourg. cnpd.public.lu. For NIS 2 entities, the ILR clarifies “appropriate and proportionate” measures (Art. 21) and management bodies’ responsibility (Art. 20), with guidelines of 4 March 2026. ilr.lu. Financial entities: the CSSF’s circulars (20/750, 22/806, updated 9 April 2025 for DORA alignment) reinforce ICT risk and outsourcing control. cssf.lu
Bottom line: this case cements a results‑based approach. What counts is not intent or paperwork but operational reality and the ability to evidence that the measures are adequate and effective.
What changes in practice
- “Pro forma” DPIAs are now a direct risk. If you identify strong MFA, network segmentation, or orphan access cleanup in the DPIA but fail to implement them on time, you mirror the sanctioned pattern. Expect requests for proof (logs, test reports, remediation tickets). cnil.fr
- Proportionality must be evidenced. Map each measure to risks to individuals: phishing‑resistant MFA for privileged accounts; at‑rest/in‑transit encryption and environment isolation for sensitive data; immutable backups and tested restores with met RTO/RPO; “mirror” guarantees at processors (Art. 28) with proof (attestations, audits) aligned with CSSF 22/806. eur-lex.europa.eu and cssf.lu
- Management is accountable for security. Under NIS 2, it must approve measures (Art. 20) and can be held liable (Art. 21). Align GDPR governance to this standard: bimonthly security/risk committee, effectiveness KPIs (MFA rollout, vulnerability remediation, backup coverage), and documented decisions. ilr.lu
- Fines also hit public bodies. France Travail shows a public body can be fined under Art. 32, with a €10M cap for security (Art. 83(4)). Luxembourg public bodies face the same exposure under the GDPR. cnil.fr
Common audit pitfalls
- DPIA lists “planned” measures without a dated rollout plan or evidence of deployment: assign an owner, milestone, and proof artifact per measure. cnil.fr
- Partial MFA (VPN/mail) but missing on admin consoles, HR/CRM, and privileged access tools: weak authentication raises risk and obligations in incidents. edpb.europa.eu
- Backups untested and not isolated: Article 32 targets the “ability to restore”; without regular tests, resilience is presumed deficient. eur-lex.europa.eu
- Orphan/inactive accounts not purged: dormant access is a common entry point and aggravates severity; track an inactive‑accounts‑over‑90‑days KPI. edpb.europa.eu
- Outsourcing without verifiable “sufficient guarantees”: Art. 28 clauses must be reflected in CSSF 22/806 controls (due diligence, reversibility, incident reporting); without proof, proportionality is disputable. cssf.lu
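Three of the pitfalls above (DPIA measures without owner, milestone or proof artifact; MFA missing on privileged systems; dormant accounts beyond 90 days) can be turned into a repeatable evidence check that runs against exports from the DPIA register, the identity directory and the application inventory. The following is an added example, not code from the article, the CNIL or any regulator; the register, account export and system list are constructed sample data and every field name is an assumption.

```python
"""Evidence-gap check for Article 32 measures (added example, constructed data)."""
from datetime import date, timedelta

AUDIT_DATE = date(2026, 5, 15)  # constructed reference date for the check

# Constructed DPIA measure register (field names are assumptions, not a standard format)
DPIA_MEASURES = [
    {"id": "M1", "measure": "Phishing-resistant MFA on admin consoles", "owner": "IAM lead",
     "milestone": "2026-03-31", "status": "implemented", "evidence": "mfa-rollout-report.pdf"},
    {"id": "M2", "measure": "Network segmentation of HR zone", "owner": "Network team",
     "milestone": "2026-02-28", "status": "planned", "evidence": None},
    {"id": "M3", "measure": "Quarterly restore test of immutable backups", "owner": None,
     "milestone": "2026-06-30", "status": "planned", "evidence": None},
    {"id": "M4", "measure": "Orphan account clean-up", "owner": "IAM lead",
     "milestone": "2026-04-30", "status": "implemented", "evidence": None},
]

# Constructed identity-directory export (last_login None = never logged in)
ACCOUNTS = [
    {"user": "alice", "last_login": "2026-05-10", "enabled": True},
    {"user": "bob", "last_login": "2026-01-05", "enabled": True},
    {"user": "contractor7", "last_login": None, "enabled": True},
    {"user": "carol", "last_login": "2025-11-01", "enabled": False},
]

# Constructed application inventory with MFA status per system
SYSTEMS = [
    {"system": "VPN", "privileged": False, "mfa": True},
    {"system": "Mail", "privileged": False, "mfa": True},
    {"system": "Cloud admin console", "privileged": True, "mfa": False},
    {"system": "HR application", "privileged": False, "mfa": False},
    {"system": "PAM vault", "privileged": True, "mfa": True},
]


def measure_gaps(measures, today=AUDIT_DATE):
    """Map measure id -> reasons it would fail an evidence request.

    A measure is flagged when it has no owner, when it is still 'planned' after
    its milestone, or when it is marked implemented but has no proof artifact.
    """
    gaps = {}
    for m in measures:
        reasons = []
        milestone = date.fromisoformat(m["milestone"])
        if m["owner"] is None:
            reasons.append("no owner")
        if m["status"] != "implemented" and milestone < today:
            reasons.append("milestone passed, still planned")
        if m["status"] == "implemented" and not m["evidence"]:
            reasons.append("implemented without proof artifact")
        if reasons:
            gaps[m["id"]] = reasons
    return gaps


def inactive_accounts(accounts, today=AUDIT_DATE, threshold_days=90):
    """Enabled accounts with no login within threshold_days; never-logged-in counts as inactive."""
    cutoff = today - timedelta(days=threshold_days)
    result = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already disabled accounts are not part of the KPI
        if a["last_login"] is None or date.fromisoformat(a["last_login"]) < cutoff:
            result.append(a["user"])
    return result


def mfa_coverage(systems):
    """Return (share of systems with MFA, privileged systems still without MFA)."""
    covered = sum(1 for s in systems if s["mfa"])
    privileged_gaps = [s["system"] for s in systems if s["privileged"] and not s["mfa"]]
    return covered / len(systems), privileged_gaps


if __name__ == "__main__":
    print("DPIA measure gaps:", measure_gaps(DPIA_MEASURES))
    print("Inactive > 90 days:", inactive_accounts(ACCOUNTS))
    ratio, gaps = mfa_coverage(SYSTEMS)
    print(f"MFA coverage: {ratio:.0%}; privileged systems without MFA: {gaps}")
```

On the sample data the check flags M2 (milestone passed, still planned), M3 (no owner) and M4 (implemented but no proof), two dormant enabled accounts, and 60% MFA coverage with the cloud admin console uncovered. Each output line is the kind of artifact an auditor would ask for in place of a DPIA paragraph, and the same functions run unchanged against a real CSV export once the column names are mapped to these fields.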
Next steps (Luxembourg)
To structure governance and control execution, an outsourced CISO for cyber steering can accelerate operational compliance and evidence of control effectiveness.
If you fall under NIS 2, align your controls and internal audit plan with local expectations and management body obligations; see our NIS 2 directive overview for essential entities. For local GDPR practice, also visit GDPR in Luxembourg and CNPD expectations.
Official sources
- CNIL — Personal data breach: €5M fine (22/01/2026). cnil.fr
- Légifrance — Deliberation SAN‑2026‑003 (22/01/2026). legifrance.gouv.fr
- GDPR (Arts. 32 and 83). eur-lex.europa.eu
- EDPB — Examples on personal data breach notification (01/2021). edpb.europa.eu
- CNPD Luxembourg — Chapter IV GDPR. cnpd.public.lu
- ILR — Security measures and supervision under NIS 2; management bodies. ilr.lu and ilr.lu
- CSSF — Circular 22/806 (updated 09/04/2025) and DORA alignment update. cssf.lu and cssf.lu
Key takeaway for May–June 2026: regulators across Europe — including Luxembourg — now look beyond policies. They verify execution, traceability, and effectiveness of Article 32 measures. A gap between DPIA and operational reality alone can trigger sanctions.
Luxgap regulatory expertise article. For personalised guidance on this topic, contact us or configure your online quote.