As we have already informed you, the National Commission on Informatics and Liberty (CNIL) has entered what it calls a year of repression. Indeed, the number of complaints has multiplied since the General Data Protection Regulation (GDPR) came into force more than a year ago, giving the administrative authority more room to carry out controls.
So it is worth reminding ourselves how these controls work.
Where do CNIL controls begin?
First, it should be noted that the Commission carries out hundreds of controls each year. However, not all of them are initiated by the administrative authority itself.
Indeed, every year the CNIL defines several major themes that it will monitor closely, carrying out controls on its own initiative whenever it suspects something.
As a reminder, the three major themes of this year, 2019, are:
- Respect for the rights of individuals: when citizens make a request to a company (such as the right to erasure, rectification, or access to their data), the company must respond within a given period. Here, the CNIL ensures that a clear and complete response is given to citizens.
- The processing of minors’ data.
- The distribution of responsibilities between data controllers and subcontractors: before, the Commission could sanction only data controllers. Since the arrival of the GDPR, subcontractors also have their share of responsibility, which allows for a fairer distribution of sanctions in case of problems.
However, complaints and reports from individuals like you and me are also at the origin of many controls. When an organization is cited several times, the alarm bell is sounded, and the CNIL will likely look into the matter.
Add to this the controls of video protection devices and the investigations that follow closed procedures, which check whether sanctioned organizations have brought themselves into compliance, and you have an overview of the factors that trigger a CNIL control.
Who can be the target of CNIL control?
Simply put, the administrative authority has the right to control any organization that is led to process personal data, which covers a great many establishments on national territory.
What are the different possible forms of CNIL control?
When the Commission decides to act, it can carry out controls of four types:
- On-site controls: representatives of the administrative authority go to the premises of the targeted establishment and investigate the company’s data processing.
- Online controls: here, CNIL agents carry out the control remotely, observing the data they can find freely accessible online. If a failure is visible from a distance, the Commission may draw up a report.
- Summons controls: unlike on-site controls, this time it is the managers of the targeted establishment who must appear, following a summons sent by mail. The objective remains to verify data processing, through questions or by requesting direct access to the company’s computer resources.
- Document controls: no physical meeting for these, just a letter sent to a data controller or subcontractor, accompanied by a questionnaire to evaluate the conformity of the processing implemented by those concerned. This questionnaire is generally accompanied by requests for documents supporting the integrity of the responses obtained.
Each of these controls, except document controls, requires drafting a report in which the Commission’s agents factually record the information they have become aware of.
These four forms of control can be carried out independently but can also be complementary. Thus, the administrative authority can begin with an online control, then carry out a document control, followed by an on-site control if necessary.
And if I decide to oppose CNIL control?
I would certainly advise against opposing a CNIL control as it is a risky path to take.
At best, opposing a control will only delay the process. The Commission will then have to ask the judge for liberties and detention (JLD) for permission to continue, and the judge will undoubtedly authorize the continuation of the control.
However, it is also possible that the CNIL has decreed that the situation qualifies as urgent, because of the severity of the facts at the origin of the control or the risk of destruction or concealment of documents. In that case, still with the JLD’s prior authorization, the administrative authority can exercise its power without informing the person in charge of the controlled establishment, making opposition impossible.
Besides not escaping the control, anyone who attempts to oppose it may be punished with one year of imprisonment and a fine of €15,000 for obstructing the action of the CNIL.
Opposing the proper conduct of the Commission’s missions once a judge has authorized a visit is therefore considered obstruction, as are:
- Refusing to communicate, concealing, or destroying information of value to the control
- Communicating information that does not match the content of the records as they stood at the time of the CNIL’s request.
And finally, what happens after a CNIL control?
Either there are no or few observations, in which case the file is closed and a letter is sent.
Or there is a serious breach, and in this case two situations are possible:
- The President of the CNIL may issue a warning. From then on, the organization must comply within a period defined by the CNIL. If there is still a breach, a sanction will be imposed.
- The restricted formation (the body of the CNIL responsible for imposing sanctions) may, without warning, directly issue a sanction to the organization in question.
In both cases, the sanction may be non-pecuniary (a simple reminder, an injunction under penalty, and so on) or financial, in which case the amount can go up to 4% of the company’s global turnover, or €20 million.
Finally, the Commission may decide whether or not to make its decision public, for example through an article on its website.
Indeed, all of this doesn’t seem very pleasant if it happens to you… However, there is a simple way to avoid such sanctions: compliance, and at Axeptio, we take care of that!