More than 14,000 complaints filed with the CNIL in 2021
When processing personal data on your website, you must be sure to follow a number of rules and recommendations. If you do not, you expose yourself to fines and procedures.
The Commission Nationale Informatique et Libertés (CNIL) is an independent administrative authority in charge of protecting users personal data. It must ensure that information technology's purpose is to serve the citizens and does not infringe on human identity, human rights, privacy, individual or public liberties.
The CNIL has a monitoring and information role but it also has the power to control and sanction. This authority can monitor proper implementation of the various measures implemented by the General Data Protection Regulation (GDPR).
The CNIL defines 4 main axes to comply with their recommendations:
- Establish a register of your data processing activities
- Sort out your data
- Respect individuals rights
- Secure your data
Some key figures:
Increase in controls in 2021
In 2021, the total number of controls carried out by the CNIL equaled 384 (compared to 247 controls in 2020) including: 173 online controls, 118 on-site controls, 65 controls on documents, 28 controls under hearing. As a result of these controls, the CNIL imposed more than €214 million in financial penalties (compared to €138 million in 2020). More than 14,000 complaints were received by the CNIL, resulting in 18 sanctions and 135 formal notices.
The number of complaints filed and the number of inspections continue to increase, forcing the CNIL to take new corrective measures. The objective of the latest reform of April 8, 2022 is to simplify the repressive actions and to be able to increase the processing capacity of the files. The President of the CNIL can now decide, depending on the complexity of the cases, on a so-called simplified sanctioning procedure.
The President of the CNIL will then refer the matter to the President of the restricted panel and appoint a rapporteur from among the CNIL staff who will be responsible for examining the case. The simplified sanction procedure is simpler than a traditional procedure. The Chairman of the restricted panel, or a member designated by him, will rule alone and no public meeting will be necessary.
Increase in monetary sanctions
The decided sanctions will not be made public and the maximum amount of fines is capped at €20,000. With the GDPR, the amount of the sanctions can go up to 20 millions euros or, if necessary, for a company to 4% of the annual worldwide turnover. For example, a famous social network has been fined €60 million on December 31, 2021 for not respecting the GDPR terms and conditions related to cookie refusal as well as a bad treatment of personal data.
The formal notice procedure has also been adjusted. The president of the CNIL can now issue letters of formal notice without waiting for a written response from the targeted companies. The company will therefore be obliged to comply with the GDPR within a period determined by the President. The company is no longer required to send elements to the CNIL attesting of its compliance but the regulator stipulates that other means will be available for verification (such as a subsequent audit).
In specific situations, the previous 6-months limit disappears to give companies more time to put their compliance programs into action.
The CNIL's intention through these simplified procedures is to significantly increase its controls and sanctions volume.
It should also be noted that the CNIL is the competent French authority for the application of the GDPR. Other entities and other legislations also exist (CCPA for California, LGPD for Brazil, PDPA for Thailand,...). When a company has an audience coming from other countries, it is better to opt for effective international solutions. For example, Secure Privacy uses a technology capable of respecting the different legislations according to the place of connection and offers an interface matching different recommendations in force in the country of connection, all of this in more than 70 languages.
The key takeaway is that no company, no matter how small it is, will be spared from the simplified penalty procedure. A proactive rather than reactive approach will always be valued by the different authorities in case of control. This will allow you to show several actions you did towards transparency and compliance at scale.
Do not hesitate to reach out to us. We will help you in understanding where you are and where you should go.
Five Problems that GDPR DPOs Face and How to Solve Them
DPOs often have more than one job in an organization, so it's clear that they can't always keep up with the latest legal and technological changes that are important to their work. Even though they aren't lawyers, they are expected to know the GDPR inside and out. Though they may lack technical expertise, these individuals are frequently tasked with advising on how organizations should use cutting-edge security measures to secure sensitive data. In other words, it's not a simple task.
- Data Protection
Three Free DPIA Templates and How to Use Them
In this article, you will find three DPIA templates: one from the UK, one from the French DPA, and one from the IAPP, the International Association of Privacy Professionals. Because of their expertise, we can rely on the templates they provide.
- Data Protection
What is a Consent Management Platform?
Consent Management Platform (CMP) is a software tool that makes it easy for websites to follow cookie regulations. Before a user gives consent, your website needs to block cookies. In this article, we'll discuss how websites can use CMPs to keep track of the consent they ask for.
- Data Protection