GDPR sanctions: inspections by the CNIL are becoming more stringent

The number of GDPR inspections conducted by the CNIL is on the rise. Recap of the different types of inspection.

Published on 10/12/2019 at 9:44 am, Updated on 12/12/2019 by CTN France

After giving companies and organisations an adjustment period following the entry into force of the EU General Data Protection Regulation (GDPR) on 25 May 2018, the CNIL intends to step up its inspections and sanctions in the coming months. The objective? To encourage businesses to upgrade their systems and become compliant more quickly.
The GDPR applies to large groups, SMEs, start-ups, associations and the professions, whatever their level of development, whenever they process personal data, i.e. collect, store and use it.

The CNIL is the supervisory authority in France for the GDPR. Each year, it defines an annual inspection programme. In 2019, the priorities were respect for the rights of individuals, the allocation of responsibilities between sub-contractors and contractors, and the processing of data on under-18s. The CNIL can also decide to carry out an inspection following a complaint or a report about a particular company.

CNIL agents can carry out several types of inspection

  • an on-site inspection at the company. The CNIL is under no obligation to notify the business manager in advance that an audit will be conducted;
  • a documentary inspection (communication of the processing register, etc.);
  • an interview with the head of the company;
  • an online inspection, e.g. of the company’s website and cookie policy.

Inspections can lead to various types of measure depending on the infringement. When the CNIL records a minor breach, it can send its observations to the business manager by post. When the breach is more significant, the CNIL sends the company a formal notice requiring it to make corrections, or it applies sanctions.

There are different types of GDPR sanctions

They include, but are not limited to:

  • a call to order;
  • an injunction to bring the processing into compliance with the GDPR, including the payment of a penalty of as much as €100,000 per day of violation;
  • an administrative fine of up to €10 million or 2% of total annual worldwide turnover for the previous financial year, whichever is greater. In certain cases, these thresholds are raised to €20 million and 4% of said turnover.

To help you comply, CTN France provides assistance and places real specialists at your disposal.
