Steps to follow when the CNIL requests explanations on the processing of personal data: risks and recommendations

When a company receives a letter from the French Data Protection Authority (CNIL) requesting explanations about its personal data processing practices, it faces a delicate situation that calls for a rapid, rigorous response complying with the requirements of the General Data Protection Regulation (GDPR). An inadequate response can have serious consequences, including administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83 of the GDPR). This article examines the steps to take when faced with such a letter, the risks involved, the opportunity to submit a Data Protection Impact Assessment (DPIA), and the three key elements to provide in the response to avoid litigation.

1. Steps to follow in response to a letter from the CNIL

The CNIL, as the supervisory authority responsible for ensuring compliance with data protection law, can write to companies to obtain information on the processing of personal data they carry out. Such a letter may have different triggers: a complaint from an individual, a scheduled inspection, or a verification linked to a report. Whatever the reason, it is essential to treat the request seriously and promptly.

a. Carefully analyze the contents of the mail

The first step is to read the CNIL's request carefully. The letter may ask for specific information on certain processing operations, the justification of their legal basis, the security measures implemented, or details of the internal procedures that allow data subjects to exercise their rights. It is crucial to understand what is expected, the response deadline indicated, and the documents to be provided.

b. Prepare a complete file to respond to the request

After identifying the requested information, a complete and documented file should be put together. This file should include in particular:

  • The record of processing activities (Article 30 of the GDPR): this document lists the processing carried out by the company, the purposes of each processing operation, the categories of data processed, the legal bases relied on, and any processors involved.
  • Internal data protection policies: they demonstrate that the company has implemented organizational measures to comply with data protection principles (minimization, storage limitation, security, etc.).
  • The technical and organizational measures adopted to ensure data security, in accordance with Article 32 of the GDPR, such as encryption, pseudonymization, access control, and security incident management procedures.

c. Consult the Data Protection Officer (DPO)

If the company has appointed a Data Protection Officer (DPO), it is imperative to involve him or her in the process of responding to the CNIL. The DPO plays a key role in assisting with the organization's compliance and in managing relations with the supervisory authority. The DPO's tasks include monitoring data processing, raising employee awareness, and advising on responses to requests from the authorities. Consulting the DPO is therefore a guarantee of good faith and diligence in the dialogue with the CNIL.

2. Risks in the event of non-compliance or insufficient response

An inadequate response or lack of response to a request for explanations from the CNIL can lead to various risks for the company, ranging from financial penalties to restrictions on data processing.

a. Risk of administrative sanctions

Article 83 of the GDPR provides for administrative fines proportionate to the seriousness of the infringement, in two tiers. Breaches of the controller's and processor's obligations, including the security obligations of Article 32, can result in fines of up to €10 million or 2% of the company's worldwide annual turnover, whichever is higher (Article 83(4)). Breaches of the basic principles of processing or of data subjects' rights can result in fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83(5)).

b. Risk of formal notice or injunction to comply

If the CNIL considers that the data processing does not comply with the requirements of the GDPR, it can serve the company with a formal notice to comply within a specific time limit. In the absence of regularization, the authority may take coercive measures such as an injunction to cease the processing or to restrict its purposes.

c. Suspension of data processing

In the most serious cases, the CNIL can order the temporary or permanent suspension of processing activities, which can significantly affect the company's activity. For example, an e-commerce company could be prevented from using its customer databases, which would directly harm its turnover.

3. Submitting a DPIA: when and why?

The DPIA (Data Protection Impact Assessment) is an assessment of the risks to the rights and freedoms of the persons concerned by a processing operation. It is required when the processing is likely to present a high risk (Article 35 of the GDPR), in particular in the following cases:

  • Systematic and extensive evaluation of individuals based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based;
  • Systematic monitoring of a publicly accessible area on a large scale;
  • Processing of special categories of data (sensitive data, health data, etc.) or of data relating to criminal convictions on a large scale.

If a DPIA has been carried out for the processing concerned, it is recommended to send it to the CNIL in response to the letter. This demonstrates that the company has assessed the risks upstream and put in place appropriate measures to mitigate them (Articles 35 and 36 of the GDPR). If no DPIA has been carried out, it is necessary to justify why the processing did not present a high risk requiring such an assessment.

4. The three essential elements to provide in the response to avoid litigation

An adequate response to the CNIL must include specific information to demonstrate the company's compliance and avoid escalation to litigation. Here are the three key elements to provide:

a. Describe the compliance measures implemented

It is essential to demonstrate that the company complies with the basic principles of the GDPR (Article 5), including lawfulness, transparency, purpose limitation, and data minimization. This includes:

  • Justification of the legal bases on which the processing is based (Article 6 of the GDPR).
  • Providing information to data subjects on the processing of their data, including their rights of access, rectification, objection, and erasure (Articles 12 to 22 of the GDPR).

b. Explain the security measures adopted to protect data

Article 32 of the GDPR requires companies to implement appropriate security measures based on the risks associated with the processing. In the response to the CNIL, it is appropriate to:

  • Detail the technical and organizational measures such as access control, data encryption, and incident management procedures.
  • Justify the security choices by reference to the DPIA, if one has been carried out, or to the risk assessment.

c. Transmit the DPIA or justify its absence

If the processing involves high risks, providing the DPIA demonstrates that the company has taken the necessary precautions. Where a DPIA was not required, it is essential to explain why the processing did not present a risk high enough to require such an assessment (Articles 35 and 36).

In short, the response to a letter from the CNIL must be prepared with the greatest care, providing precise and justified information to demonstrate the company's compliance. A transparent approach, collaboration with the DPO, and complete documentation of the measures implemented are essential to reduce the risk of sanctions and strengthen trust with the supervisory authority.

A well-reasoned response, supported by relevant documents, may be enough to convince the CNIL of the company's good faith and avoid costly litigation.
