CNIL sanctions since 2014!
Let’s review some figures from the CNIL: the number of inspections and sanctions carried out by the CNIL in the last 5 years, the period since the adoption of the GDPR.
CNIL inspections and sanctions: how has it evolved since 2014?
The Commission Nationale de l’Informatique et des Libertés (CNIL) can inspect files that record personal data. This inspection can be carried out:
- On the premises of the data controller
- When summoned by the CNIL
- By request for documents
- Since 2014, also online with an inspection of its website.
This graph represents the evolution of all CNIL controls over the last 5 years. It can be seen that the arrival of the General Data Protection Regulation in May 2018 has led to an increase in CNIL controls.
Reminder: the GDPR is the reference text on the protection of European citizens’ data.
Since its entry into force, companies that process personal data have been required to be compliant*, to raise awareness among their teams and to demonstrate their accountability**. The aim is to comply with the GDPR but also to maintain their level of compliance in the long term.
*Compliance: to comply with the General Data Protection Regulation.
**Accountability refers to the obligation of companies to implement internal mechanisms and procedures, technical and organisational measures to demonstrate that processing operations are carried out in accordance with this Regulation. These measures represent compliance with data protection rules.
What can we learn from this analysis?
- The number of checks carried out by the CNIL is decreasing. Looking at the graph, we see that only 2 categories of checks have declined compared with previous years: online checks and checks related to video protection.
- The number of financial penalties*, after a slight decrease, is back up to 10 in 2018, the year in which the GDPR came into force.
- As mentioned, the number of controls is decreasing. However, the number of sanctions is stable or even increasing. This is particularly interesting. Two hypotheses may explain this:
  - Either the inspected data controllers were not (or less!) compliant, or were less cooperative with the CNIL
  - Or the CNIL has become stricter in its controls.
The two explanations are undoubtedly complementary insofar as the entry into force of the GDPR seeks to evaluate data controllers and tightens the CNIL’s control rules.
What types of organisations can be monitored?
Any type of organisation can be monitored by the CNIL and can be subject to a sanction in case of non-compliance with the GDPR. These can be large groups such as Google, Amazon and Carrefour, or smaller companies such as SMEs or private doctors.
How to anticipate a CNIL control?
Do you process personal data? You must comply with the GDPR! The CNIL can control you and sanction you if you are not in compliance.
Example of personal data processing:
- I have employees, I process personal data.
- I work in BtoB or BtoC, I process personal data.
- I work with subcontractors, I process personal data.
- I have an e-commerce, I process personal data.
- I have a website and track traffic through Google Analytics, for example: I process personal data.
Our sources:
- The CNIL’s 2019 activity report
- Sanctions published on the CNIL website by year