Insight
October 10, 2024

Navigating New CNIL Sanctions: What You Need to Know

The Commission Nationale de l’Informatique et des Libertés (CNIL) is an independent French administrative regulatory body whose mission is to ensure that the collection, storage, and use of personal data comply with data privacy law. The CNIL’s simplified sanction procedure, established in law in 2022 at the initiative of the CNIL, allows swift penalties to be imposed in cases that do not present particular difficulties, as opposed to so-called “ordinary” sanctions.

When a breach of the General Data Protection Regulation (GDPR) or the French Data Protection Act is identified, the CNIL may initiate a simplified sanction procedure against an organization if the case does not pose any particular challenges. Simplified sanctions are not made public, and the amount of fines that can be imposed cannot exceed €20,000.

Since June 2024, under this procedure, the CNIL has issued eleven new sanction decisions, resulting in a total fine amount of €129,000. Beyond financial penalties, formal notices also contribute to ensuring GDPR compliance: in 2023, the CNIL issued 168 formal notices against public and private organizations.

Furthermore, the CNIL actively cooperates with European data protection authorities. This cooperation has led to strengthened corrective measures in recent years, as illustrated by the €290 million fine imposed on Uber by the Dutch authority, in collaboration with the CNIL, on July 22, 2024.

Compliance can also be achieved without formal notices or penalties. During the handling of complaints, interventions by the CNIL’s services with data controllers can lead to compliance, such as during a discussion with the data protection officer aimed at satisfying a request to exercise data subject rights.

The main breaches concern the failure to comply with the principle of data minimization, whether in terms of employee video surveillance or the systematic and full recording of telephone conversations, as well as the absence of a processing-activities register.

Breaches of the Principle of Data Minimization

The principle of minimization requires that personal data must be adequate, relevant, and limited to what is necessary for the purposes for which they are processed. This principle is defined in Article 5 of the GDPR.

Several of the sanctions issued relate to breaches of this principle in the context of employee video surveillance or the systematic and complete recording of telephone conversations between call center agents and prospects or customers.

Employee Video Surveillance
The CNIL has repeatedly stated that continuous video surveillance of employees at their workstations, not justified by exceptional circumstances related to security or theft, violates the principle of data minimization.

For video surveillance to comply with data minimization, the following provisions must be taken into account:

  • Cameras should be installed at building entrances and exits, emergency exits, and circulation areas. They may also monitor areas where goods or valuable items are stored.  
  • Cameras cannot film employees at their workstations unless under specific circumstances (e.g., handling money).  
  • Cameras must not film employee break or rest areas, or bathrooms.  
  • It is also prohibited to film union premises or employee representative areas, or access to such areas if the access leads only to these premises.

Only individuals authorized by the employer, in the context of their duties, may view the recorded images. Access to the images must be secured to prevent unauthorized viewing.

The employer must define the retention period for camera footage, which should be linked to the cameras’ intended purpose. In principle, this period should not exceed one month. The maximum retention period must not be based solely on the storage capacity of the recording device.

Recording and Listening to Telephone Calls
This system must be proportionate to the objective pursued and must not excessively infringe on the privacy of the individuals being recorded.

For example, the goal of improving sales or employee training does not justify the systematic and complete recording of telephone conversations if a more targeted and random recording of outgoing calls could be implemented.

The same applies if the objective is to collect “evidence.” Outside of cases where recording is mandated by law, systematic recording of telephone conversations is justified only when it is necessary to serve as evidence of a contract, or of the performance of a contract, concluded with a consumer.

Breaches Related to the Processing Activities Register

Maintaining a processing activities register is required under Article 30 of the GDPR. It helps to track, among other things, what data is collected and for what purpose, and who has access to it. This is a tool for managing and demonstrating the data controller’s compliance with the GDPR and must be regularly updated according to functional and technical changes in data processing activities. This document should accurately identify:

  • Stakeholders  
  • Categories of data processed  
  • The purpose for which the data is processed, who has access to it, and to whom it is disclosed  
  • How the data is secured

The CNIL has sanctioned two companies with fewer than 250 employees for failing to maintain a processing-activities register because the processing activities in question were not occasional.

Even though the CNIL is the French regulator, under the GDPR each member state of the European Union is required to have its own regulator to ensure compliance with the principles of this regulation.

At Goodwin, we are committed to navigating the complexities of EU law and its regulatory landscape. Our team of experts specializes in EU law and is well equipped to engage with regulators in each EU member state to ensure compliance with relevant regulations.

We provide comprehensive support to help you navigate the intricate regulatory framework established by EU law. Understanding and adhering to these regulations is crucial for your operations. Our legal experts are skilled in drafting clear and effective contracts with clients, ensuring that all terms are transparent and compliant with EU regulations.

Lawyers play a crucial role in helping companies navigate data privacy regulations enforced by the CNIL and other European authorities.

At Goodwin, we assist in conducting data protection impact assessments (DPIAs) to identify and mitigate risks associated with data processing. By developing comprehensive data protection policies, we ensure that businesses have clear procedures for handling personal data, including retention and access controls.

Additionally, we can design tailored training programs to raise employee awareness about data protection principles and legal implications. We help companies prepare for potential data breaches by creating incident response plans that comply with reporting obligations.

Legal support is also provided in drafting and negotiating data processing agreements with third-party vendors to uphold data protection standards. Regular audits of data processing activities are conducted to ensure ongoing compliance with privacy laws, with recommendations for corrective actions when needed.

In cases of sanctions or investigations, we can represent our clients in negotiations and appeals, mitigating penalties and resolving issues effectively. By proactively addressing these areas, we not only help companies avoid sanctions but also foster a culture of compliance that enhances trust and reputation with customers.
This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee a similar outcome.