The implementation of the GDPR on May 25, 2018, has changed how companies process their databases. The increased awareness that followed is partly attributable to the new audit powers of the CNIL (French Data Protection Authority) and the penalties it imposes.
Financial penalties of up to €20 million or 4% of global turnover have significantly contributed to the extensive media coverage of the Regulation.
GDPR: Significant sanctions affecting startups and GAFA companies
Recent months have seen numerous companies and associations fined substantial amounts, some of which have been made public: https://www.cnil.fr/fr/les-sanctions-prononcees-par-la-cnil
The impact of the GDPR is all the more significant as the CNIL has sanctioned not only the GAFA companies but also smaller organizations, including associations, that failed to meet their data protection obligations.
However, the consequences of a sanction from the independent authority are not limited to simply paying a fine. Indeed, the independent authority can now impose a variety of measures on sanctioned companies, including:
- the warning,
- the formal notice,
- the financial penalty,
- the order to cease processing or the withdrawal of authorization,
- the interruption of processing and the blocking of certain data,
- the notification of the persons concerned and the publication of the sanctions.
CNIL sanctions & public information: a real blow to companies
Among the CNIL’s requirements is the obligation for companies to inform their clients of the audit conducted and any shortcomings identified by the CNIL. The CNIL also has the power to publish its sanction decision, which will inevitably be widely disseminated and commented on in the media and on social networks.
These sanctions related to a company’s image constitute a genuine penalty with considerable economic repercussions: loss of clients, potential legal action and compensation claims, distrust among potential customers, loss of appeal, etc.
GDPR Compliance: Existing legal remedies against a CNIL decision
As the CNIL (French Data Protection Authority) has the status of an independent administrative authority, appeals against its decisions are brought directly before the Council of State, which has full jurisdiction – first and last instance. The rules for this appeal are strict: the deadline for filing an action is two months from the notification or publication of the decision.
“Article 79 of the GDPR provides for a ‘right to an effective judicial remedy against a controller or a processor.’ The data controller is defined by the European Union as the entity that determines ‘the purposes and means of the processing of personal data.’
The data controller is therefore the one who decides to implement data processing and who decides how the data processing will be carried out. For example, in the case of private individuals, this is often the companies themselves. The data processor, on the other hand, is the entity that processes personal data on behalf of the data controller, according to the conditions set by the latter.”
Several CNIL sanction decisions have been overturned, notably for:
– Failure to inform the CNIL of the possibility of objecting to its audits, during which it had identified the breaches that led to the sanctions (French Council of State, 7 July 2010, No. 309721).
– Publication of the decision on the authority’s website and on Légifrance without the restricted panel specifying the timeframe after which its deliberations would be anonymized (French Council of State, 28 September 2016, No. 389448).
The effectiveness of such a procedure is, however, limited, as the appeal does not have suspensive effect and requires the data controller to comply with the sanction imposed by the CNIL pending the decision of the Council of State.
Legal alternatives remain available for obtaining faster results:
– Summary proceedings for suspension, allowing, within 48 hours to one month, the partial or total suspension of the decision’s execution. This procedure requires a request for annulment or amendment justified by the urgency of the matter and serious reservations regarding the legality of the decision;
– Summary proceedings for the protection of fundamental freedoms, allowing, within 48 hours, the cessation of a serious and manifestly unlawful infringement of a fundamental freedom caused by the CNIL’s decision. This procedure is distinguished by the jurisdiction of the ordinary courts in this matter.