Steps to follow when the CNIL requests explanations on the processing of personal data: risks and recommendations

When a company receives a letter from the French Data Protection Authority (CNIL) requesting explanations about its personal data processing practices, it is faced with a delicate situation that requires a rapid, rigorous response that complies with the requirements of the General Data Protection Regulation (GDPR). Indeed, an inadequate response can lead to serious consequences, including administrative penalties of up to €20 million or €4.1 billion of annual global turnover (Article 83 of the GDPR). This article examines the steps to take when faced with such a letter, the risks involved, the opportunity to submit a Data Protection Impact Assessment (DPIA), as well as the three key elements to provide in the response to avoid litigation.

1. Steps to follow in response to a letter from the CNIL

The CNIL, as the supervisory authority responsible for ensuring compliance with data protection laws, can send a letter to companies to obtain information on the processing of personal data that they carry out. This letter may have different motivations: a complaint from an individual, a scheduled inspection, or a verification linked to a report. Whatever the reasons, it is essential to treat the request seriously and quickly.

a. Carefully analyze the contents of the mail

The first step is to read the CNIL's request carefully. The letter may ask for specific information on certain processing operations, the justification of their legal basis, the security measures implemented, or details of the internal procedures that allow data subjects to exercise their rights. It is crucial to understand what is expected, the response deadline indicated, and the documents to be provided.

b. Prepare a complete file to respond to the request

After identifying the requested information, a complete and documented file should be put together. This file must include in particular:

  • The data processing register (Article 30 of the GDPR): this document lists the processing carried out by the company, the purposes of this processing, the categories of data processed, the legal bases used, and any subcontractors involved.
  • Internal data protection policies: they demonstrate that the company has implemented organizational measures to comply with data protection principles (minimization, storage limitation, security, etc.).
  • The technical and organizational measures adopted to ensure data security, in accordance with Article 32 of the GDPR, such as encryption, pseudonymization, access control, and security incident management procedures.

c. Consult the Data Protection Officer (DPO)

If the company has appointed a Data Protection Officer (DPO), it is imperative to involve him/her in the process of responding to the CNIL. The DPO plays a key role in assisting with the organization's compliance and in managing relations with the supervisory authority. The DPO's mission includes supervising data processing, raising employee awareness, and advising on responses to requests from the authorities. Consulting the DPO is therefore a guarantee of good faith and diligence in the dialogue with the CNIL.

2. Risks in the event of non-compliance or insufficient response

An inadequate response or lack of response to a request for explanations from the CNIL can lead to various risks for the company, ranging from financial penalties to restrictions on data processing.

a. Risk of administrative sanctions

Article 83 of the GDPR provides for administrative fines proportionate to the seriousness of the violation. Breaches of basic data protection principles, data subject rights, or security obligations can result in fines of up to €20 million or €4 billion of the company’s worldwide annual turnover, whichever is higher.

b. Risk of formal notice or injunction to comply

If the CNIL considers that the data processing does not comply with the requirements of the GDPR, it can send the company a formal notice to comply within a specific time limit. In the absence of regularization, the authority may take coercive measures such as an injunction to cease processing or to limit its purposes.

c. Suspension of data processing

In the most serious cases, the CNIL can order the temporary or permanent suspension of processing activities, which can significantly affect the company's activity. For example, an e-commerce company could be prevented from using its customer databases, which would directly harm its turnover.

3. Submitting a DPIA: when and why?

The DPIA (Data Protection Impact Assessment) is an assessment of the risks that a processing operation poses to the rights and freedoms of the data subjects concerned. It is required when the processing presents a high risk, in particular in the following cases:

  • Large-scale profiling;
  • Systematic surveillance of an area accessible to the public;
  • Processing of special categories of data on a large scale (sensitive data, health data, etc.).

If a DPIA has been carried out for the processing concerned, it is recommended to send it to the CNIL in response to the letter. This makes it possible to demonstrate that the company assessed the risks upstream and put in place appropriate measures to mitigate them (Articles 35 and 36 of the GDPR). If no DPIA has been carried out, it is necessary to justify why the processing did not present a high risk that would have required such an assessment.

4. The three essential elements to provide in the response to avoid litigation

An adequate response to the CNIL must include specific information to demonstrate the company's compliance and avoid escalation to litigation. Here are the three key elements to provide:

a. Describe the compliance measures implemented

It is essential to demonstrate that the company complies with the basic principles of the GDPR (Article 5), including lawfulness, transparency, purpose limitation, and data minimization. This includes:

  • Justification of the legal bases on which the processing is based (Article 6 of the GDPR).
  • Providing information to data subjects on the processing of their data, including their rights of access, rectification, objection, and erasure (Articles 12 to 22 of the GDPR).

b. Explain the security measures adopted to protect data

Article 32 of the GDPR requires companies to implement appropriate security measures based on the risks associated with the processing. In the response to the CNIL, it is appropriate to:

  • Detail the technical and organizational measures such as access control, data encryption, and incident management procedures.
  • Justify the security choices by reference to the DPIA, if one has been carried out, or otherwise to the risk assessment.

c. Transmit the DPIA or justify its absence

If the processing involves high risks, providing a DPIA can demonstrate that the company has taken the necessary precautions. In cases where a DPIA was not required, it is essential to explain the reasons why the processing did not present sufficient risks to require such an analysis (Articles 35 and 36).

In short, the response to a letter from the CNIL must be prepared with the greatest care, providing precise and justified information to demonstrate the company's compliance. Transparency approaches, collaboration with the DPO, and complete documentation of the measures implemented are essential elements to reduce the risk of sanctions and strengthen trust with the supervisory authority.

A well-reasoned response, supported by relevant documents, may be enough to convince the CNIL of the company's good faith and avoid costly litigation.
