
How does a CNIL check on the GDPR work?

The mission of the Commission Nationale de l'Informatique et des Libertés (CNIL) is to verify that organizations comply with the General Data Protection Regulation (GDPR). This is how a CNIL check takes place, from initiation to conclusion.

1. Initiation of the Check

A CNIL inspection can be initiated in several ways:

  • On complaint: When an individual files a complaint with the CNIL concerning the processing of their personal data.
  • Self-referral: The CNIL may decide, on its own initiative, to carry out a check of an organization.
  • Reporting: Based on reports received from third parties, such as other authorities or press articles.
  • Annual program: The CNIL establishes an annual inspection program based on identified risk criteria.

2. Notification and Preparation

The CNIL may carry out announced or unannounced checks:

  • Announced check: The CNIL informs the organization being inspected in advance, allowing adequate preparation.
  • Unannounced check: The CNIL may arrive without notice so that its observations reflect the organization's everyday practices.

Organizations must prepare the necessary documents and information, including their records of processing activities, data protection policies and the security measures in place.

3. Conduct of the Check

CNIL checks can take several forms:

  • On site: CNIL agents go to the organization's premises to check its data processing practices. They can interview managers, examine IT systems and review documents.
  • On documents: The CNIL asks the organization to provide specific documents for examination.
  • Online: The CNIL can remotely audit websites and applications to verify their compliance.

CNIL inspectors can request additional explanations, verify evidence, and analyze the collected data to assess compliance.

4. Findings and Report

At the end of the inspection, CNIL agents write a report detailing their findings. This report may identify non-conformities, security weaknesses or breaches of GDPR obligations.

The audited organization receives a copy of the report and can respond to it to provide clarification or justification on the points raised.

5. Decisions and Sanctions

Based on the inspection report and the organization's responses, the CNIL can take different decisions:

  • Warning: For minor or quickly rectifiable breaches.
  • Formal notice: The organization must comply within a specified time frame.
  • Financial sanctions: For serious or repeated violations, up to 20 million euros or 4% of global annual turnover.
  • Publicity of the sanction: The CNIL may decide to make the sanction public.

6. Monitoring and Compliance

Following a sanction, the CNIL follows up on the corrective actions put in place by the organization. Further checks can be carried out to verify that the necessary measures have been implemented and that the organization is now GDPR compliant.

Conclusion

A CNIL check is a rigorous procedure aimed at ensuring that organizations comply with GDPR requirements. It involves a series of steps, from initiation to final decision, including a thorough assessment of data processing practices. These checks are essential to ensure the protection of personal data and strengthen citizens' confidence in the digital economy. For more information, you can visit the dedicated page on the CNIL website.
