On January 22, 2026, France’s data protection authority, the CNIL, imposed a €5 million fine on France Travail (formerly Pôle Emploi) for failing to properly secure the personal data of job seekers. The CNIL fine on France Travail highlights growing regulatory pressure across Europe to strengthen GDPR data security measures, especially when sensitive public-sector systems are involved.
The decision follows a major cyberattack in early 2024 that exposed personal information linked to millions of individuals registered with France’s national employment services over the last two decades.
CNIL Fine on France Travail After Major Job Seekers’ Data Breach
The CNIL fine on France Travail comes after hackers successfully infiltrated the organisation’s information system during the first quarter of 2024. According to investigators, the attackers relied on social engineering, a method that exploits human trust and behaviour rather than purely technical vulnerabilities.
Using these tactics, hackers were able to hijack the accounts of advisers working with CAP EMPLOI — organisations responsible for supporting employment access for people with disabilities.
This breach allowed attackers to gain entry into France Travail’s broader digital environment.
Hackers Accessed 20 Years of Personal Data
Investigations confirmed that the attackers accessed data relating to all individuals currently registered, or previously registered, with France Travail over the past 20 years. This also included individuals holding candidate accounts on the official francetravail.fr platform.
The compromised information included:
- National Insurance numbers
- Email addresses
- Postal addresses
- Telephone numbers
While the hackers did not access complete job seeker files — which may contain health-related information — the CNIL still considered the exposed dataset highly sensitive due to its scale and the nature of the identifiers involved.
The breach affected an extremely large portion of the French population, making it one of the most significant recent incidents involving a public institution.
GDPR Article 32 and Failure to Ensure Data Security
The CNIL’s decision focuses heavily on failure to ensure the security of personal data processed, a requirement under Article 32 of the GDPR.
Under GDPR data security rules, organisations must implement security measures that are appropriate to the risks involved. The CNIL concluded that France Travail’s technical and organisational safeguards were inadequate and could have made the attack more difficult if properly applied.
The restricted committee identified several key weaknesses.
Weak Authentication and Poor Monitoring Measures
One of the main concerns raised was the lack of authentication procedures for CAP EMPLOI advisers accessing the France Travail system. Weak access controls made it easier for hackers to take over adviser accounts and move through the network.
The CNIL also highlighted insufficient logging and monitoring capabilities, which reduced the organisation’s ability to detect abnormal behaviour or suspicious activity early.
Additionally, CAP EMPLOI adviser permissions were defined too broadly. Advisers could access data on individuals they were not directly supporting, significantly increasing the volume of information available once an account was compromised.
This overexposure amplified the scale of the breach.
Security Measures Were Identified but Not Implemented
In determining the sanction, the restricted committee noted that many appropriate security measures had already been identified by France Travail during earlier impact assessments. However, these measures were not actually implemented before the processing began.
This gap between awareness and execution played an important role in the CNIL’s decision to impose a multi-million-euro penalty.
As regulators increasingly stress proactive security compliance, failure to act on known risks is being treated as a serious breach of responsibility.
Beyond the financial penalty, the CNIL has ordered France Travail to justify the corrective measures taken, along with a precise implementation schedule.
If the organisation fails to meet these requirements, it will face an additional penalty of €5,000 per day of delay, increasing the pressure to demonstrate meaningful improvements quickly.
Why CNIL Fine on France Travail Is Not Based on Turnover
France Travail is a national public administrative institution funded mainly through social security contributions rather than commercial revenue.
As a result, the CNIL explained that the fine is not based on turnover, but instead falls under the GDPR framework for public-sector bodies, with a maximum limit of €10 million for a data security breach.
“All fines imposed by the CNIL, whether they concern private or public actors, are collected by the Treasury and paid into the State budget.”
CNIL’s Role for Individuals Affected
The CNIL reminded the public that it serves as France’s personal data regulator, responding to requests and complaints from both individuals and professionals.
Anyone can lodge a complaint with the CNIL when facing difficulties exercising their rights or when reporting violations of personal data protection rules. The authority can investigate organisations and issue sanctions where necessary.
However, the CNIL does not have the power to compensate affected individuals directly. Those seeking compensation may file a complaint with the police.
The France Travail data breach and subsequent CNIL sanction underline the importance of strong cybersecurity practices, especially for institutions handling large-scale citizen data. With regulators enforcing GDPR obligations more strictly, public bodies and private organisations alike are being reminded that data security is no longer optional — it is a legal and operational necessity.
