CNIL enforcement action: overview 2025 & priorities 2026

6 April 2026

The French Data Protection Authority – CNIL – has just published:

  • its enforcement report for 2025 presenting the sanctions and corrective measures against violations of the GDPR and the French Data Protection Act – available here, and
  • its enforcement priorities for 2026 with a list of priority areas for controls this year – available here.

2026 CNIL enforcement priorities

2026 CNIL enforcement priorities. The CNIL conducts several hundred controls annually, triggered by complaints, past actions, reports, or current events. Around 20% of these controls follow annual priority themes linked to key data protection risks. For 2026, the key identified themes are:

  1. Recruitment practices: following the CNIL’s 2023 guide on candidate data, the CNIL will verify the implementation of this guide, with a particular focus on automated decision-making, candidate information, and data retention. Large companies and recruitment firms are primarily targeted due to the volume of applications processed.
  2. Single Electoral Register (REU): the CNIL will verify lawful use of voters’ data and detect any misuse of this centralized database managed by INSEE.
  3. Sports federations: following the 2024 Paris Olympic and Paralympic Games and the increase in registrations at sports clubs and federations, the CNIL intends to check the relevance of the data collected, its retention period, and the security measures in place, as the sector has been a particular target of recent cyberattacks.
  4. Information and Transparency: as part of the fifth action under the Coordinated Enforcement Framework (CEF), the CNIL and its European counterparts will conduct controls regarding the transparency and comprehensiveness of the information provided to data subjects.

CNIL strategic plan for 2025–2028. In its strategic plan for 2025–2028 (accessible here), the CNIL had also identified AI as one of its main regulatory priorities alongside cybersecurity and the protection of minors online. The CNIL intends to strengthen compliance and enforcement capabilities regarding AI systems to ensure compliance with the GDPR.

2025 CNIL enforcement key information

Key figures. In 2025, the CNIL issued 259 decisions, including 83 sanctions, among which 10 were made public. Total fines reached approximately €486.8 million. In 2024, the CNIL issued 331 decisions, including 87 sanctions, for a total amount of €55.2 million, while in 2023, the CNIL adopted 42 fines totaling nearly 90 million euros.

Recurrent themes. The most frequent violations concerned:

  • misuse of cookies and tracking devices;
  • employee monitoring; and
  • infringement of obligations upon data processors (Article 28 GDPR).

Simplified procedure. Among the 83 sanctions, 67 followed the simplified procedure established by Article 22-1 of the French Data Protection Act, in force since 2022. Under this simplified procedure, the President of the Restricted Committee, or a member designated by the President, can issue a sanction decision alone, after written observations have been exchanged between the CNIL and the defendant. The decision-maker may impose a formal reprimand, a compliance order, or an administrative fine of up to €20,000.

Focus: 2025 enforcement related to video-monitoring of employees

Monitoring of employees in the workplace is an important area of focus for the CNIL. In 2025, 16 organizations were sanctioned for issues linked to employee video surveillance – 20% of all 2025 sanctions. Typical violations of employees’ rights included:

  • continuous monitoring of employees;
  • cameras directly filming workstations (market counters, offices, etc.);
  • hidden cameras;
  • failure to inform employees or visitors about the surveillance.

Excessive employee monitoring. Continuous employee monitoring infringes employees’ data protection rights, unless exceptional circumstances related to theft or security are demonstrated.

Hidden cameras. The CNIL adopted a €100,000 fine against a retail company that installed hidden cameras disguised as smoke detectors, which also recorded audio. The CNIL considers that hidden cameras may only be used in exceptional circumstances, where a strong justification exists and the privacy rights of employees are carefully balanced. For instance, such systems may be temporary. Hidden cameras must be deployed only following a thorough analysis of their compliance with the GDPR, based on the detailed circumstances.