CNIL (France): Difference between revisions

From GDPRhub
 
(4 intermediate revisions by 3 users not shown)
Line 30: Line 30:
|Translated Decisions:||[[:Category:CNIL (France)]]
|Translated Decisions:||[[:Category:CNIL (France)]]
|-
|-
|Head Count:||225<ref>https://www.data.gouv.fr/fr/datasets/r/50efdf95-7d6e-489c-a3ad-ad14243e6e24</ref>
|Head Count:||245<ref>https://www.data.gouv.fr/fr/datasets/r/50efdf95-7d6e-489c-a3ad-ad14243e6e24</ref>
|-
|-
|Budget:||20,143,890 € in 2020<ref>https://www.data.gouv.fr/fr/datasets/r/50b040ea-569a-4d53-8a2d-83013a6f723f</ref>
|Budget:||21,507,033 € in 2021<ref>https://www.data.gouv.fr/fr/datasets/r/50b040ea-569a-4d53-8a2d-83013a6f723f</ref>
|}
|}


Line 47: Line 47:


==Procedural Information==
==Procedural Information==
In April 2022, the CNIL [https://www.cnil.fr/fr/reforme-des-procedures-correctrices-de-la-cnil-vers-une-action-repressive-simplifiee announced a simplified procedure] for less complex cases, to better face the growing number of complaints and focus more on significant cases. The simplified sanction procedure follows the same ''stages'' as the ordinary procedure (for deadlines, adversarial procedure, etc.), but its ''implementation methods'' are reduced.
===Applicable Procedural Law===
===Applicable Procedural Law===
The CNIL operates under the law "''Informatique et Libertés''" under the conditions laid down by Articles 19 to 29. See the law [https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000886460 here], in French. The law "''informatique et Libertés''" has to be read jointly with the [https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000038528420&fastPos=1&fastReqId=562981948&categorieLien=cid&oldAction=rechTexte Decree n° 2019-536 of May 29].
The CNIL operates under the law "''Informatique et Libertés''" under the conditions laid down by Articles 19 to 29. See the law [https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000000886460 here], in French. The law "''informatique et Libertés''" has to be read jointly with the [https://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000038528420&fastPos=1&fastReqId=562981948&categorieLien=cid&oldAction=rechTexte Decree n° 2019-536 of May 29].
Line 71: Line 73:
===Known Problems===
===Known Problems===


*The CNIL takes the view that the data subject is not a party to a complaints procedure.
*The CNIL takes the view that the data subject is not a party to a complaints procedure. It only informs the data subject about the status of its complaint ("waiting", "in process" or "closed") althrough the complainant can send an access request according to Article 15 GDPR to the CNIL DPO to get more informations. CNIL is known to be slow to answer such request and often respond just before the deadline of 1 month. That means that if you want to appeal a decision, you've only one month to do so as there's a delay of 2 month after the closure of a complaint for it to be appealed, and the first month is dedicated to waiting for the DPO answer.


''You can help us filling this section!''
''You can help us filling this section!''

Latest revision as of 22:52, 27 February 2024

Commission nationale de l'informatique et des libertés
LogoFR.png
Name: Commission nationale de l'informatique et des libertés
Abbreviation : CNIL
Jurisdiction: France
Head: Marie-Laure Denis
Secretary general: Louis Dutheillet de Lamothe
Adress: 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07
Webpage: cnil.fr
Fax: +33 1 53 73 22 00
Phone: +33 1 53 73 22 22
Twitter: @CNIL and @CNIL_en
Procedural Law: n/a
Decision Database: Legifrance
Translated Decisions: Category:CNIL (France)
Head Count: 245[1]
Budget: 21,507,033 € in 2021[2]

The CNIL is the Data Protection Authority for France. The authority is established in Paris and is in charge of enforcing GDPR for France, as well as the national law for data protection "Loi Informatique et Libertés".

Structure

The CNIL was established in 1978 with the law "Informatique et Libertés". It is an independent administrative authority led by a college of 18 members and a contract staff team. Twelve out of eighteen members are elected or designated by the national authorities and courts to which they belong (i.e. Senate, National Parliament, Economic and Social Committee, Supreme Civil and Administrative Courts, Court of Auditors and the Commission of Access to Administrative Documents). The CNIL's president can freely recruit its other staff.

The CNIL issues orders and imposes fines within a restricted formation, meaning one president and five others elected members, pursuant to Article 9 of the Law "Informatique et Libertés". The CNIL's internal rules indicate that, unless otherwise justified, the pronunciation of fines is public.

Anyone can ask for the agenda of the hearing and attend. You can find the CNIL's public agenda here.

The composition, nomination and the organisational structure is laid down by Articles 9 to 18 of the Law "Informatique et Libertés". You can find the organizational chart here.

Procedural Information

In April 2022, the CNIL announced a simplified procedure for less complex cases, to better face the growing number of complaints and focus more on significant cases. The simplified sanction procedure follows the same stages as the ordinary procedure (for deadlines, adversarial procedure, etc.), but its implementation methods are reduced.

Applicable Procedural Law

The CNIL operates under the law "Informatique et Libertés" under the conditions laid down by Articles 19 to 29. See the law here, in French. The law "informatique et Libertés" has to be read jointly with the Decree n° 2019-536 of May 29.

Complaints Procedure under Art 77 GDPR

According to Article 8(I)(2)(d) of the loi "Informatique et Liberté", a data subject or their representative(s) can lodge a complaint with the CNIL regarding an alleged infringement of the GDPR.

According to Article 10 of the Decree n°2019-536, the complaint will be deemed rejected if the CNIL did not reach the author of the complaint within a three months period, regarding its complaint - whatever the means-.

Ex Officio Procedures under Art 57 GDPR

The CNIL can run ex officio procedures out of its own motion. Its powers are described under Article 8 of the law "Informatique et Libertés".

Appeals

Under Article R311-1(4) of the French code of administrative justice, acts taken by the CNIL can be appealed directly before the highest administrative court (Conseil d'État). This applies to sanctions, guidelines or any decision of the authority.

Decisions by the Conseil d'État are final and cannot be appealed.

Practical Information

Filing with the DPA

The CNIL provides an online service to submit a complaint (in French) here.

You can help us filling this section further!

Known Problems

  • The CNIL takes the view that the data subject is not a party to a complaints procedure. It only informs the data subject about the status of its complaint ("waiting", "in process" or "closed") althrough the complainant can send an access request according to Article 15 GDPR to the CNIL DPO to get more informations. CNIL is known to be slow to answer such request and often respond just before the deadline of 1 month. That means that if you want to appeal a decision, you've only one month to do so as there's a delay of 2 month after the closure of a complaint for it to be appealed, and the first month is dedicated to waiting for the DPO answer.

You can help us filling this section!

Filing an Appeal

The Conseil d'État have an online procedure:

- for citizen and private organization: https://citoyens.telerecours.fr/ ;

- for Lawyers and public organizations: https://www.telerecours.conseil-etat.fr/


You can help us filling this section!

Decision Database

Every publicly available decision of the CNIL is published on Legifrance, the French database regarding Law. Decisions can be either anonymised from publication or nominative, with anonymisation being applied two years after the decision was published.

Decisions of the CNIL are available here.

Statistics

The CNIL publishes open source data related to its activity, including statistics on complaints, controls and sanctions. The CNIL also publishes the list of all French organizations which have designated a DPO.

You can find open source data published by the CNIL here.

Funding

The budget of the CNIL is decided by the Parliament as part of the annual finance act. data on the budget since 2000 can be found here.

Personal

You can help us filling this section!

Caseload

You can help us filling this section!

Fines

You can help us filling this section!

Annual Reports

As required by article 8 of the law "Informatique et Liberté", the CNIL publishes an annual activities report. You can find all the reports published since 2007 here.

EU/EEA/UK Data Protection Authorities
Austria · Belgium · Bulgaria · Croatia · Cyprus · Czech Republic · Denmark · Estonia · Finland (Åland) · France · Germany (Baden-Württemberg · Bavaria, private sector · Bavaria, public sector · Berlin · Brandenburg · Bremen · Hamburg · Hesse · Lower Saxony · Mecklenburg-Vorpommern · North Rhine-Westphalia · Rhineland-Palatinate · Saarland · Saxony · Saxony-Anhalt · Schleswig-Holstein · Thuringia ) · Greece · Hungary · Ireland · Italy · Latvia · Lithuania · Luxembourg · Malta · Netherlands · Poland · Portugal · Romania · Slovakia · Slovenia · Spain (Basque Country · Catalonia · AndalusiaSweden
Iceland · Liechtenstein · Norway · United Kingdom EDPS · EDPB