The cooperation with the other European supervisory authorities
In certain cases, it is necessary to cooperate with the other European authorities, within a procedure of sanction or an order to comply.
How to identify the lead authorities for cross-border’s cases?
If during an investigation or the examination of a complaint, the personal data processing is a cross-border one, a European cooperation is initiated.
A processing is considered as cross-border in one of the following situations:
- data processings that are carried out by a company with several undertakings in several European States (i.e. European Union, Liechtenstein, Iceland or Norway); or
- data processing is carried out by a company established in a single State, but substantially affects individuals in more than one Member State.
The CNIL has to identify who is the lead supervisory authority: itself or another European authority.
If the main establishment or the single establishment of the controller or the processor is established in France, the CNIL is the lead authority. In this case, it informs the other European authorities concerned by the cross-border processing of its competence, proposes the follow-up to be given and coordinates the decision-making in consultation with the different countries concerned.
If not, the CNIL can declare itself as a “concerned supervisory authority”.
What is the European cooperation?
As part of the procedure of cooperation, the concerned supervisory authorities receive all the relevant documents communicated within the procedure of sanction initiated before the CNIL’s restricted committee. Therefore the CNIL communicates them:
- the report proposing to adopt corrective measures (which can be a monetary penalty or an order) against the organization;
- any relevant information, such as reports or investigation reports and observations from the incriminated organization.
The concerned supervisory authorities may attend the restricted committee’s session. If not, a report shall be prepared for them.
The draft decision of the restricted committee is then sent to the supervisory authorities concerned that may raise objections. Then, the CNIL’s restricted committee may rectify its draft decision in order to take these objections into account.
If the CNIL decides not to take the objections into account, it has to refer to the European Data Protection Board (EDPB) in order that it gives an opinion on the draft decision and the objections formulated.