{"id":64277,"date":"2024-10-22T19:24:24","date_gmt":"2024-10-22T17:24:24","guid":{"rendered":"https:\/\/www.cecile-zakine.fr\/?page_id=64277"},"modified":"2024-10-22T22:34:05","modified_gmt":"2024-10-22T20:34:05","slug":"quelle-est-la-procedure-avant-les-sanctions-cnil-rgpd-amende-que-faire","status":"publish","type":"page","link":"https:\/\/www.cecile-zakine.fr\/en\/quelle-est-la-procedure-avant-les-sanctions-cnil-rgpd-amende-que-faire\/","title":{"rendered":"What is the procedure before the CNIL GDPR sanctions? Fine what to do?"},"content":{"rendered":"
<p><strong>When a company receives a letter from the French Data Protection Authority (CNIL) requesting explanations about its personal data processing practices, it faces a delicate situation that calls for a rapid, rigorous response that complies with the requirements of the General Data Protection Regulation (GDPR). An inadequate response can have serious consequences, including administrative fines of up to \u20ac20 million or 4% of worldwide annual turnover, whichever is higher (Article 83 of the GDPR). This article examines the steps to take when faced with such a letter, the risks involved, the opportunity to submit a Data Protection Impact Assessment (DPIA), and the three key elements to provide in the response to avoid litigation.<\/strong><\/p>\n
<h2><strong>1. Steps to follow in response to a letter from the CNIL<\/strong><\/h2>\n
<h3><em>a. Carefully analyze the contents of the letter<\/em><\/h3>\n
<p>The CNIL, as the supervisory authority responsible for ensuring compliance with data protection law, may write to a company to obtain information on the personal data processing it carries out. The letter may have several triggers: a complaint from an individual, a scheduled inspection, or a verification following a report. Whatever the reason, the request must be treated seriously and promptly.<\/p>\n
<p>The first step is to read the CNIL's request carefully. The letter may ask for specific information on certain processing operations, the justification of their legal basis, the security measures implemented, or details of the internal procedures that allow data subjects to exercise their rights. It is crucial to understand what is expected, the response deadline indicated, and the documents to be provided.<\/p>\n
<h3><em>b. Prepare a complete file to respond to the request<\/em><\/h3>\n
<p>After identifying the requested information, a complete and documented file should be put together. This file must include in particular:<\/p>\n
<h3><em>c. Consult the Data Protection Officer (DPO)<\/em><\/h3>\n
<p>If the company has appointed a Data Protection Officer (DPO), it is imperative to involve him or her in preparing the response to the CNIL. The DPO plays a key role in assisting with the organization's compliance and in managing relations with the supervisory authority. The DPO's tasks include monitoring data processing, raising employee awareness, and advising on responses to requests from the authorities. Consulting the DPO is therefore evidence of good faith and diligence in the dialogue with the CNIL.<\/p>\n
<h2><strong>2. Risks in the event of non-compliance or an insufficient response<\/strong><\/h2>\n
<p>An inadequate response, or no response at all, to a request for explanations from the CNIL exposes the company to a range of risks, from financial penalties to restrictions on its data processing.<\/p>\n
<h3><em>a. Risk of administrative sanctions<\/em><\/h3>\n
<p>Article 83 of the GDPR provides for administrative fines that must be effective, proportionate and dissuasive in light of the seriousness of the infringement. Breaches of the basic principles of data protection or of data subjects' rights fall under the upper tier of Article 83(5): fines of up to \u20ac20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher. Breaches of the controller's and processor's own obligations, including the security obligations of Article 32, fall under the lower tier of Article 83(4): up to \u20ac10 million or 2% of worldwide annual turnover, whichever is higher.<\/p>\n
<h3><em>b. Risk of formal notice or injunction to comply<\/em><\/h3>\n
<p>If the CNIL considers that a processing operation does not comply with the GDPR, it may serve the company with a formal notice to bring it into compliance within a set time limit. If the company fails to do so, the authority may take coercive measures such as an injunction to cease the processing or to limit its purposes.<\/p>\n
<h3><em>c. Suspension of data processing<\/em><\/h3>\n
<p>In the most serious cases, the CNIL can order the temporary or permanent suspension of processing activities, which can significantly affect the company's business. For example, an e-commerce company could be prevented from using its customer databases, directly harming its turnover.<\/p>\n
<h2><strong>3. Submitting a DPIA: when and why?<\/strong><\/h2>\n