The CNIL on Thursday sentenced the RATP to a fine of 400,000 euros after noting that several bus centers had counted the number of days of strikes by agents in a file used to prepare the promotion choices. “The indication of the number of days of absence was sufficient here, without it being necessary to specify the reason for the absence linked to the exercise of the right to strike”, considered the restricted formation of the CNIL, in a press release .
The French gendarme of personal data was seized in May 2020 by a trade union organization. Following this complaint, the Autonomous Paris Transport Authority, which operates part of public transport in Paris and its suburbs, told the Cnil that four bus centers were affected by this practice, the commission said. “The RATP recognized the illegal nature of these files and argued that such a practice was contrary to its general policy,” she said.
Files with too long retention
The checks carried out by the CNIL found that the practice also existed in at least two other centers, alongside other shortcomings concerning the conservation and security of personal data. “The use of data relating to the number of days of strike action by agents was not necessary to achieve the objectives set within the framework of the preparation of the classification committees”, estimated the institution, in application of the principle of minimization of personal data.
The staff evaluation files were also kept “for more than 3 years after the advancement committee” for which they are established, while their conservation was only necessary for 18 months. Finally, the authorized agents could access all the data of all the agents, including those working in other centers, and even “extract all the data contained in the tool”, noted the CNIL.
“The RATP wishes to emphasize that the disputed tables reported were produced by the bus centers concerned on their own initiative and in formal contradiction with the rules in force within the company”, reacted the management in a declaration sent to the company. ‘AFP. “The general management of the company has clearly condemned such practices through disciplinary and managerial sanctions”, she added, also affirming that “the breaches sanctioned had no impact on the advancement of employees. “.