Senior management and organisation
When was the head of the authority appointed?
Marie-Laure Denis was appointed in 2019.
What is the process for nominating the head of the authority?
The next president will be appointed by decree of the President of the Republic from among the CNIL members.
What was the authority’s budget for the most recently available financial year?
How many data protection/privacy-focused staff does the authority employ?
The CNIL employs 195 staff, of whom 36% are lawyers; 26% are legal assistants; and 14% are engineers/auditors.
Contacting the authority
How and where should companies or their advisers contact the authority to notify a data breach? Please specify individuals, email addresses, URLs for online forms, etc.
Companies must notify a data breach using the online form at https://notifications.cnil.fr/notifications/index.
How and where should companies or their advisers contact the authority to start the binding corporate rules approval process? Please specify individuals, email addresses, URLs for online forms.
Companies should contact the CNIL at [email protected].
What other contact information should companies and their advisers be aware of?
- Press office telephone number: +33 1 53 73 22 13.
- Legal information helpline number: +33 1 53 73 22 22.
- Address: Commission Nationale de l'Informatique et des Libertés, 3 Place de Fontenoy, TSA 80715, 75334 Paris CEDEX 07, France.
Legal and enforcement framework
What are your investigative powers?
The CNIL can monitor all data controllers. Ex post inspections are considered to be the favoured method of intervention by the CNIL to verify compliance with the law. These can be carried out online, in situ or in a hearing.
Can you search premises or force the disclosure of information without having to approach the courts?
Yes. The CNIL may require the data controller to provide all the documents (legal and technical) necessary for its investigation.
What fines can you impose on companies that breach data protection rules?
€20 million or 4% of a company’s annual worldwide sales.
What other measures can you take against companies that breach data protection rules?
Regarding inspections or complaints, the CNIL’s special committee (composed of five members and headed by someone other than the CNIL’s chair) can render various types of sanctions, including a warning, which can be made public.
If the CNIL’s chair has already officially rendered an order, and the data controller has not changed its practices to conform to the order, the special committee can render more coercive sanctions after respecting the adversarial principle that applies in administrative procedures. These are as follows:
- monetary sanctions (except for government data processing), which can be made public; moreover, the special committee can demand the sanction be published in the press at the expense of the sanctioned organisation;
- a cease-and-desist injunction on the data processing; or
- a withdrawal of the prior authorisation given by the CNIL.
What emergency or interim measures can you take pending the full conclusion of your investigations?
In cases of immediate and grave violations of fundamental rights and freedoms, the CNIL chair can refer a request to the competent jurisdiction to order any necessary security measure. The chair can also report any violations of the French Data Protection Act to the state prosecutor.
Are you working on any further data protection/privacy guidelines or guidance, or on amending any of your current guidance? If so, what?
The CNIL is working on many areas including compulsory data protection impact assessment lists, standard regulation, certification procedure, codes of good practice, etc.