On January 21, 2019, the CNIL (Commission Nationale de l’Informatique et des Libertés, the French Data Protection Authority), restricted committee, for the first time applies the new sanctions limit provided by the GDPR and sanctions Google for EUR 50 million for two GDPR violations:
1. “violation of the obligations of transparency and information“
“First, the restricted committee notices that the information provided by GOOGLE is not easily accessible for users. … Moreover, the restricted committee observes that some information is not always clear nor comprehensive. …Finally, the restricted committee notices that the information about the retention period is not provided for some data.”
2. “violation of the obligation to have a legal basis for ads personalization processing”
(see “The CNIL’s restricted committee imposes a financial penalty of 50 Million euros against GOOGLE LLC” available here)
The sanction originates from two complaints received on 25 and 28 May 2018 from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”), which complained, among others, that Google di not have a valid legal basis to process the personal data of its users, with particular reference to ads personalization purposes. Read here the statement of NOYB.
More information here