1. Home
2. Closure of the order issued against KASPR

Closure of the order issued against KASPR

06 March 2026

By deliberation of 4 March 2026, the CNIL closed the order issued against KASPR on 5 December 2024.

-

-

Background information

In December 2024, the restricted committee – the CNIL body responsible for issuing sanctions – imposed a fine of €240,000 on KASPR after investigations revealed that:

• the company collected the contact details of LinkedIn users who had expressly chosen to limit the visibility of their profiles;
• the company retained users' contact details for five years from each data update, which generally occurred when a person changed job or employer;
• until 2022, the individuals concerned were not informed that their data was being collected and, from 2022 onwards, the information provided was only available in English;

• When individuals exercised their right of access to find out the source of their data, KASPR simply told them that it had been collected from publicly available sources.
  In addition to the fine, the restricted committee had issued orders to put an end to these breaches within six months. The company was thus required to:

• cease collecting data from individuals who have chosen to limit the visibility of their contact details, and delete any data collected in this manner. Failing this, if it was impossible to distinguish the data whose visibility had been limited, the company had to – within three months – inform the individuals concerned about the processing of their data and the possibility of objecting to it, and use their data only for this purpose;

• stop the automatic renewal of the storage of personal data from LinkedIn profiles;

• inform the people whose data is collected in a language they understand;

• respond to requests for access submitted to KASPR, providing the individuals concerned with all the information it had on the sources from which their data had been collected.
  Failure to comply with these orders exposed the company to the payment of a penalty (i.e. an additional fine) of €10,000 per day of delay.

Closure of the order

In response to this order, the company provided, within the specified time frame, evidence demonstrating the effectiveness of the measures taken:

• in order to comply with the order, it chose to delete its database and cease all data collection on LinkedIn;
• it also removed the automatic renewal mechanism for data retention periods in the event of profile updates;
• it now provides information in all the official languages of the European Union and has responded to the complainants' requests for access. In view of this compliance, the restricted committee decided not to liquidate the penalty payment (i.e. not to require payment of the additional fine referred to above) and to close the order.

Texte reference

Deliberation

• Délibération SAN-2026-004 du 4 mars 2026 (in French) - Légifrance
  Texte reference

  Read more

• Data scraping: KASPR fined €240,000

• CNIL sanctions procedure
  Texte reference

  Reference texts

• Deliberation of the restricted panel N° SAN-2024-020 , 5 December 2024 (in French) – Légifrance

• Article 5.1.e of the GDPR (data retention period) - Eur-Lex

• Article 6 of the GDPR (legal basis) - Eur-Lex

• Article 12 of the GDPR (transparency) - Eur-Lex

• Article 14 of the GDPR (information to data subjects) - Eur-Lex

• Article 15 of the GDPR (right of access) - Eur-Lex

• #Injunction

• #Sanctions

This can also interest you ...

The sanctions issued by the CNIL The sanctions issued by the CNIL’s restricted committee since the entering into force of the GDPR.... 12 February 2026 Sanctions
Sanctions and corrective measures: CNIL’s actions in 2025 09 February 2026 Sanctions
Data breach: FRANCE TRAVAIL fined €5 million 29 January 2026 Sanctions