How to anticipate and manage a CNIL inspection?

The CNIL, the independent French authority created in 1978 by the Data Protection Act, conducts several hundred inspections of companies each year to ensure that the GDPR is properly applied and complied with. These inspections are triggered by complaints and claims from data subjects, articles published in the media, data breach notifications, video surveillance systems, the follow-up of an inspection of a processor, or the priority themes the CNIL chooses on its own initiative.

This year, the three themes chosen were: commercial prospecting, monitoring tools used in the context of teleworking, and cloud services. Suffice it to say that almost all companies are likely to be inspected.

So how can an organization anticipate an inspection?

There are four different types of inspection, which can follow on from and complement each other:

  • Online inspection, covering all publicly visible elements of an organization (cookies, privacy policy, information notices on data collection forms, password security, etc.). The CNIL may use an assumed identity.
  • On-site inspection, where the CNIL presents itself at any premises of the organization where personal data is processed, including the premises of a processor.
  • Hearing on summons, by letter, to meet representatives of the organization on a specific date and question them about the processing under review.
  • Document-based inspection, by letter with a questionnaire attached, sent to the organization to check the compliance of its processing.

Regardless of the form of inspection, every document the CNIL is likely to request must be readily available to the inspected company. It is therefore important to document compliance and to keep that documentation up to date. This notably includes carrying out data protection impact assessments where the processing requires one, drafting and updating the record of processing activities, the register of data breaches, contracts, privacy policies, a data retention policy, and an internal policy on the handling of personal data.

It also includes drafting and implementing procedures (e.g. privacy by design), an annual report that tracks the past year’s actions and the steps planned to cover the remaining risks, and an annual action plan that takes into account the CNIL’s annual inspection programme, which sets out its sector priorities and inspection topics for the coming year. It is particularly important to add to the 2022 action plan the updating of Standard Contractual Clauses based on the new models adopted by the Commission.

To anticipate a CNIL inspection and manage it as well as possible when it occurs, it is important to prepare in advance by drafting and communicating a “CNIL inspection management” procedure. It is also possible to set up a crisis unit and run mock inspections to ensure the organization is ready to respond.

It is important to identify the people who may be involved in an inspection, and to raise the awareness of employees who may be involved or questioned if one takes place. It is also necessary to specify the resources that will be needed during the inspection, for example a dedicated meeting room. All awareness sessions should be recorded and the organization should keep proof of them: these records form part of the organizational measures that demonstrate compliance. A description of the above steps should appear in the organization’s “managing a CNIL inspection” procedure.

How to manage an inspection when it happens? Focus on on-site inspections

In an on-site inspection, CNIL agents may come to the organization’s premises between 6:00 am and 9:00 pm, without giving the organization prior notice. On their arrival, it is important for security reasons to check the identity of the agents, the mission letter they present, and their authorization to carry out the inspection. As the point of contact with the authorities that oversee and guarantee compliance with the GDPR, the DPO should be notified of the arrival of CNIL agents. The DPO’s role is to support the inspection, manage it, and present the documentation that demonstrates the actions taken to ensure effective compliance. Where there is no DPO, the person competent to handle an inspection must be identified in advance.

During the inspection, authorized CNIL agents may summon anyone who can give them relevant information on the processing under review. Data controllers and processors, as well as their representatives, are obliged to cooperate with the administrative authority at its request. A lack of cooperation increases the risk of sanctions. This was the case this year for the New Society of the French directory, which was fined 3,000 euros, in particular for failing to cooperate with the CNIL. Note that the offense of obstructing a CNIL inspection is punishable by a fine of €15,000 and one year of imprisonment.

CNIL agents may request access to, and obtain a copy of, any document required to assess the organization’s compliance: registers, procedures, policies, contracts, software, databases, etc. Care should be taken to provide them with any document useful for this purpose and with the information justifying the implementation of appropriate technical and organizational measures. At the same time, provide only the information requested or deemed necessary, so as to stay within the scope of the inspection.

An organization may not refuse to communicate documents on grounds of professional confidentiality, unless the information concerns the relationship between an attorney and his or her client or is covered by the confidentiality of journalistic processing. Personal data covered by medical confidentiality may only be disclosed in the presence and under the authority of a physician.

At the end of each day of inspection, the CNIL draws up minutes recording all the elements collected, the findings made, and the copies of documents taken. The minutes must be signed by the authorized agents and by the representative of the inspected organization. They should be reviewed carefully before signing so that any observations and comments about the inspection can be recorded. Following an inspection, the CNIL may request additional information or carry out further visits.

The CNIL conducted 384 inspections in 2021. These resulted in 135 formal notices and 18 penalties, 12 of them public, totalling more than 214 million euros. And the authority has no intention of lowering its guard. It has therefore become more than necessary for companies not only to do what is needed to comply with the GDPR, but also to prepare for a possible inspection so as not to be caught off guard and to be able to go through the exercise calmly.
