On January 22, 2026, the CNIL imposed a €5 million fine on France Travail (formerly Pôle Emploi), underscoring a fundamental principle: compliance with the GDPR is not merely a matter of documentary compliance, but an obligation of effective accountability. The investigation revealed a serious discrepancy between the stated procedural framework and the technical security measures actually implemented.

In this case, the CNIL found the ineffectiveness of the authentication systems and the lack of access monitoring protocols, leaving the data of millions of data subjects vulnerable. Furthermore, a penalty was imposed for non-compliance with the principle of data retention limitation: the continued storage of datasets relating to users who had been inactive for years revealed the absence of automated deletion or anonymization procedures.

Although the risks had been identified in the impact assessments, the organization failed to implement the necessary countermeasures. In addition to the fine, a penalty of 5,000 euros per day was imposed for the delay in compliance.