How does a GDPR check from the CNIL work?
The CNIL has the power to carry out GDPR inspections of any organization that processes personal data: private companies, associations and public bodies alike. These inspections may take place on site, on documents, at a hearing or online. They are the CNIL's main means of verifying that data controllers and processors (sous-traitants) comply with the amended law of January 6, 1978 (the Data Protection Act) and the General Data Protection Regulation (GDPR) of April 27, 2016.
Who is affected by a GDPR control from the CNIL?
The CNIL may inspect any organization that processes personal data in France, or that processes the data of people residing in France. These GDPR checks may be carried out in cooperation with other data protection authorities when the organization has establishments in several EU countries and/or processes the personal data of data subjects in several EU countries. The GDPR also allows the CNIL to inspect not only the data controllers but also the processors acting on their behalf (hosting providers, service providers, etc.).
How does the CNIL decide to carry out a GDPR check?
The inspection missions that the CNIL carries out throughout the year are triggered in several ways:
- The annual GDPR control plan. Each year the CNIL chooses to focus on a few major issues, in particular those affecting the privacy of a large number of people. These topics are made public, and the CNIL reports at the end of the annual plan on the practices observed during its inspections.
- Complaints and reports. The CNIL receives complaints and reports (sometimes anonymous). These draw its attention to facts that call compliance with the personal-data rules into question, or to a failure to respect a data subject's rights.
- Initiatives. Inspections can be triggered by current events, in particular news items likely to raise personal-data protection issues.
- Video surveillance systems. Under the Internal Security Code (CSI), the CNIL is competent to inspect video surveillance cameras filming places open to the public (shopping centres, museums, etc.), and it reserves part of its inspection activity each year for them.
- Follow-up of closed procedures, formal notices and sanctions. Inspections can be carried out after a closed GDPR control procedure, a formal notice or a sanction, in particular to verify the compliance measures the organization has since put in place.
What form can a CNIL GDPR control take?
The Commission can choose between four forms of inspection, at the discretion of its president:
- On-site checks. A CNIL delegation goes to the premises of the data controller or processor and gathers information there on the processing of personal data.
- Hearings. A letter is sent to the data controller or processor summoning a representative of the organization to appear at the CNIL's premises at a given time, to answer questions about the processing under examination and, if necessary, to give the delegation access to the organization's IT resources.
- Online checks. The CNIL remotely examines data that is freely accessible on the Internet, including data exposed through negligence or made available by a third party. Such checks may cover websites, mobile applications or connected devices.
- Document checks. A CNIL agent sends a letter with a questionnaire to assess the compliance of the processing carried out by the data controller or processor. The organization must reply and attach the documents that support its answers.

These methods can be combined. The CNIL may, for example, begin an inspection online and continue it on site, or carry out a document check before an on-site visit. Apart from document checks, which are answered in writing, every inspection gives rise to a report in which the CNIL agents record their findings.
Who carries out the CNIL’s control missions?
Authorization of CNIL agents by the Commission
Under article 19 of the law of January 6, 1978, the CNIL agents taking part in a GDPR inspection must be authorized by the Commission to carry out inspection tasks. The authorization is granted for five years, provided that the agent has no conviction recorded in bulletin no. 2 of the criminal record. An agent may not inspect an organization in which they have held a direct or indirect interest during the three years preceding the inspection.
Authorization of CNIL agents by the Prime Minister
CNIL agents who inspect processing relating to State security, national defence or public security, or processing whose purpose is the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal sentences or security measures, handle classified information and must therefore be authorized by the Prime Minister. Since November 6, 2020, certain CNIL agents hold this authorization to access and inspect the processing operations covered by article 31 of the Data Protection Act.
What happens before the CNIL GDPR control?
The president of the CNIL decides to open the inspection. For an on-site check, the president's decision is notified to the person in charge of the premises. For a hearing, the person summoned must receive the summons at least 8 days before the date of the hearing; the summons reminds them that they may be assisted by counsel of their choice. For an on-site check, the territorially competent public prosecutor is informed of the date, time, place and purpose of the inspection 24 hours before it starts. The CNIL agents taking part are authorized under the conditions set out in article 19 of the amended law and articles 57 to 60 of the decree of October 20, 2005. The delegation may be assisted by experts, such as doctors when health data is involved. Some inspections require special authorizations, in particular for files covered by national-defence secrecy.
What happens during the CNIL check?
The purpose of the inspection is to verify that the processing operations carried out by the organization comply with the GDPR and the Data Protection Act of 1978.
During the inspection, the agents may take copies of any technical or legal document needed to assess the conditions under which personal data is processed, and the delegation may request any document useful to its task. CNIL agents may interview any employee with relevant information (managers, operators, IT staff, for example). They may access software and data and require that they be made readable (transcribed or decrypted) for the purposes of the inspection. The delegation may request copies of contracts (leases, IT outsourcing contracts, etc.), forms, paper documents, databases, and so on.
At the end of the inspection, a report is drawn up recording the information gathered by the delegation and its findings.

For an on-site check, if the person in charge of the premises objects to the delegation's visit, the president of the CNIL may ask the judge of liberties and detention (JLD) to authorize the inspection to proceed. Where the urgency, the seriousness of the facts or the risk of destruction or concealment of documents justifies it, the president of the CNIL may ask the JLD of the territorially competent court (TGI) for prior authorization to carry out the inspection without the person in charge of the premises being informed that they may object to it.

Article 51 of the law of January 6, 1978, in its current version, makes obstructing a CNIL inspection punishable by one year's imprisonment and a fine of 15,000 euros. Obstruction covers the following situations: opposing an inspection authorized by the judge of liberties and detention; refusing to communicate with the CNIL, or concealing or destroying information and documents useful to the inspection; providing information that does not match the content of the records as they were when the CNIL made its request; or not presenting that content in a directly accessible form.
During an inspection, the organization cannot invoke professional secrecy to justify refusing CNIL agents access to software or withholding documents from them, except where the data consists of correspondence between a lawyer and their client or is covered by the protection of journalistic sources. CNIL agents are themselves bound by professional secrecy for all facts, acts or information they learn in the course of their duties, on pain of criminal prosecution (article 20 of the amended law of January 6, 1978).
What happens after the CNIL GDPR check?
After the inspection, the CNIL analyses the report and the copies of the documents collected to assess whether the processing complies with the Data Protection Act, the GDPR, the Internal Security Code (CSI) and the Postal and Electronic Communications Code (CPCE). Depending on the outcome of this analysis, several follow-ups are possible:
- If nothing in particular is found, the procedure is closed by a letter from the president of the CNIL.
- For minor breaches, the procedure is closed by a letter from the president of the CNIL containing observations and recommendations to be implemented promptly.
- If the checks reveal more serious breaches, the president of the CNIL may issue a formal notice requiring the organization to bring itself into compliance within a set period, with sanctions available under articles 45 and 46 of the Data Protection Act and article 83 of the GDPR. If the organization does not respond to the formal notice, the file may also be referred to the CNIL's restricted committee for a sanction. Referral to the restricted committee does not preclude reporting the facts to the public prosecutor (article 40 of the Code of Criminal Procedure).
To prepare for an inspection with peace of mind, find out more about Data Comply One (formerly Mission RGPD).