Guidance from the CNIL: What to Expect During an Investigation
The French data protection watchdog, Commission Nationale de l’Informatique et des Libertés (CNIL) has been in charge of overseeing the application of laws around the processing of personal data since the French Data Protection Act of 1978 was created.
The CNIL supports businesses in implementing the rules and oversees compliance with French data protection law and the General Data Protection Regulation (GDPR), and it assists citizens in exercising their rights under those laws. It has issued guidance on its investigation procedures, and in this article we examine what to expect if the CNIL exercises its control over a business. After much popular demand, we have produced our French series on this subject in English: although the guidance is issued from France, cross-border co-operation in GDPR matters means it is helpful wherever you are based.
The CNIL and personal data processing
According to the CNIL, data processing is an operation or set of operations involving “collecting, recording, organising, storing, modifying, extracting, consulting, using, communicating, re-using or even erasing data.”
Under French data protection laws, any processing of personal data carried out could give rise to a business being deemed to be a data controller. This is regardless of whether the processing is carried out in France or abroad, so long as the organisation has activity in France. The CNIL is also able to exercise its powers under the GDPR over any businesses carrying out processing relating to a French citizen, whether or not the business is based in France. The CNIL will have powers over both this business, and any subcontractors it has engaged in order to carry out processing on its behalf.
When exercising its control, the CNIL will take into account a number of factors such as the nature of data that has been collected and whether it is sensitive, the purpose of collecting data and methods that have been used to do this, and the retention periods for the data that has been collected. Businesses also need to demonstrate to the CNIL that they have appropriate technical and security measures in place to protect this data.
The CNIL has various broad aims when it is exercising its powers, such as:
Annual priorities which are deemed especially sensitive because of their impact on society's privacy, which are determined in advance each year and published on the CNIL website;
A way for data subjects to exercise their rights, such as by reviewing complaints addressed to the CNIL concerning non-compliance with the rules relating to the protection of personal data (these complaints alone represent more than 40% of the checks that are carried out by the CNIL);
Initiatives following a large-scale problem that has been identified, to assist with compliance;
The regulation of video devices placed in public spaces, which they have jurisdictional control of under the French Internal Security Code; and
Private procedures relating to their control, such as formal notices and sanctions which are often followed by follow-up investigations to ensure the businesses that have been fined follow the CNIL’s advice to comply with the rules.
The ways in which the CNIL can exercise its powers
The CNIL can carry out an on-site inspection, directly investigate a business by inspecting its website, call businesses on summons for a hearing, or even organise an off-site inspection, in which staff across the company are interviewed by way of a questionnaire.
On-site inspections
On-site inspections will often be carried out without notifying the business being inspected in advance. The CNIL carries out these checks in three steps:
1. Interviews are held in order to collect information relating to the business and the data processing practices it has implemented;
2. The business's internal documents will be collected and reviewed to assess compliance with French data protection laws and the GDPR; and
3. The findings will be drafted and the person overseeing the investigation will create a final report, including all of the CNIL’s observations.
A notice will then be authorised by a French judge, and the CNIL may even be accompanied by police to oversee the next steps of the CNIL operation.
It is possible for businesses to appeal against these notice orders before a Judge in a Court of Appeal; however, this will not prevent the execution of the CNIL notice.
Online inspections
When the CNIL is carrying out an online inspection, it will put in place specific measures to ensure that a true search of a business's own, authentic website is carried out. It uses a computer and internet connection dedicated solely to this search. Its primary objective is to review the technical and legal measures that a business has put in place on its website, to ensure the collection and processing of personal data is carried out in accordance with the law. Therefore, like any data subject using a website, the CNIL is able to complete online forms, test unsubscribe links, and check the procedures a company actually uses to let its data subjects exercise their rights.
Screening officers can use a concealed identity for these inspections, and at the end of the inspection a report will be drawn up to consider whether a notice has to be served.
Hearings
For hearings, a letter of summons would be drafted and sent to the business at least 8 days before the date of the hearing. The letter will indicate the purpose of the hearing, the date, time and place of the hearing, and the right for the business to be assisted by legal counsel of its choice. Normally, the hearing will take place at the CNIL offices in Paris. The three steps described above for on-site inspections would then be discussed and carried out.
Off-site inspections
Finally, for off-site inspections, the CNIL would send a questionnaire to the business concerned, by registered mail with acknowledgement of receipt. The questionnaire includes a letter explaining the purpose of the investigation, the time limit for answering the questionnaire and sending the requested documents, as well as the possibility for the business to send any other supporting documents. A response can then be sent by the business either by registered letter or by electronic means, such as on a USB key or DVD.
Rights and responsibilities during an investigation
CNIL control officers sit with the CNIL for 5 years at a time, under Article 19 of the French Data Protection Act. In certain cases, they can receive special powers from the Prime Minister, in particular when their investigations will involve the processing of personal data related to state security, public safety, or the prevention, investigation or prosecution of criminal offences.
Officers are bound by professional secrecy for the information they view, under penalty of criminal prosecution. In the event of any conflict of interest (for example, if in the 3 years preceding the investigation they have had a direct or indirect interest in a matter being investigated), they would not be permitted to participate in the investigation.
Once an investigation has been finished, the documents will be destroyed at least 5 years after the conclusion of the investigation, subject to the exercise of remedies related to the deadlines.
Can a body refuse to be investigated?
It is not possible to object to an investigation. In fact, bodies being investigated are bound by an obligation of cooperation, by facilitating access to their documents.
Nevertheless, the person in charge of the premises being investigated can oppose a visit from the CNIL if they are a private company. However, the CNIL may be able to challenge this if they hold a warrant issued by a Judge. Public bodies are not allowed to oppose an audit from the CNIL.
What about obligations of secrecy?
During an audit, professional secrecy can prevent the CNIL from viewing certain information when it concerns legally regulated confidential information, such as communications between a lawyer and client or certain journalistic material. Any such objection would be recorded in the report finally drawn up by the CNIL.
Sanctions in the event of preventing a CNIL investigation
If a person tries to obstruct a CNIL investigation, they can receive a 1-year prison sentence and a fine of up to €15,000 under Article 226-22-2 of the French Penal Code.
Obstruction occurs if a business opposes the investigation despite warrants and mandates issued by the judge, if it refuses to supply the requested documents, or even if it sends information in an inaccessible form that stalls the investigation.
After the inspection
After an inspection has been carried out by the CNIL, a report is sent to the data controller of the body under investigation by registered mail with acknowledgment of receipt. The CNIL will analyse the collected documents in order to determine the level of compliance with the relevant provisions of the GDPR and French Data Protection Act. The body under investigation may, during the investigation phase or after the audit, send extra information to the CNIL and keep it informed of any changes it has made.
Following an inspection, the CNIL can either end the investigation, or order corrective measures and impose sanctions. Whatever the decision, it can follow up with the body concerned to re-check its practices at any time. The time limit for compliance can be anything between 24 hours (in an extreme emergency) and 6 months. Following this, the organisation must provide a substantiated response and supporting documents to demonstrate its compliance.
If things are taken further, an injunction for compliance can be issued, accompanied by a fine of up to €10,000 per day for any delays. An administrative fine can also be issued on top of this, the amount of which can be up to 20 million euros, or 4% of the worldwide annual turnover of the organisation.
What to remember?
The principles of good conduct during a CNIL investigation (or indeed by any data protection authority) are as follows:
Respond to questions asked in a timely manner and cooperate with the CNIL;
Supply the documents and explanations that are requested within a reasonable time frame;
Maintain a neutral and professional attitude during the investigation.
If you have any questions relating to your compliance of the GDPR or national data protection laws, please do not hesitate to get in touch!
Article by Lily Morrison and Manon Coste @ Gerrish Legal, November 2020 / Cover photo by Touann Gatouillat Vergos on Unsplash