How does the CNIL conduct its investigations?

22 December 2020

The CNIL has the possibility to investigate any processor of personal data, including private companies, non-profit organizations or public bodies.

These investigations can be carried out on site, document-based, through a hearing or online. They are essential to monitor the enforcement of the French Data Protection Act as well as the General Data Protection Regulation (GDPR) by data controllers and processors. They also allow the CNIL to concretely assess the emerging issues regarding personal data protection.

Who can be investigated by the CNIL?

The CNIL may investigate any body which is processing personal data and which has an establishment in France, or which is processing personal data concerning data subjects residing in France.

If this body is established in more than one Member State of the European Union and/or if their data processing affects data subjects in more than one Member State, these missions can be conducted in cooperation with other data protection authorities.

The GDPR also allows the CNIL to investigate data on a processor in charge of the implementation of a data processing on behalf of a data controller (e.g. hosting, maintenance).

How does the CNIL decide to investigate a specific organisation?

Investigations may originate, to an equivalent extent, from:

  • The annual workprogramme

Every year, the CNIL targets some topics because of their impact on individuals. Each year, a review of the practices observed and the themes for the following year are disclosed to the public.

  • Complaints and reports of infringements

Complaints and reports of infringements (which can be anonymous) related possible breaches of GDPR are addressed to the CNIL. Investigations are conducted to check these practices and ensure, if applicable, that the rights of the complainants have been complied with.

  • CNIL’s initiative

CNIL can conduct investigations on its own volition, in relation to issues of concern.

Videosurveillance systems (CCTV):

In accordance with the French security code, the CNIL is competent to inspect the compliance of videosurveillance systems that are filming spaces open to the public like malls or museums. Every year, the CNIL dedicates a part of its inspection activity to look into these devices.

Closed procedures, orders and sanctions

Even after an investigation procedure is closed, or after a fine has been issued, new investigations may be carried out to ensure that the concerned organization is now compliant.

What type of investigations does the CNIL carry out?

Upon decision of the Chair of the CNIL, the CNIL may carry out 4 different types of investigations:

  • On site investigation: a delegation of the CNIL goes directly to any controller’s or processor’s professional premises, in order to investigate personal data processing operations.
  • Hearing: the controller or processor receives a letter from the CNIL, asking them to present themselves, at a certain date, in the CNIL’s premises. The controller or processor’s representatives will have to answer questions in relation with the data processing that is being investigated, and, if needed, provide access to their organization’s information system.
  • Online investigations: the CNIL’s personnel conduct investigations, from the CNIL’s premises, by consulting in particular data freely accessible on the internet, or made accessible on line. These investigations are conducted on an online communication service with the public (i.e. a website, a mobile application or a connected object) and, where appropriate, can be carried out under an assumed identity.
  • Document-based investigations: the CNIL’s personnel send a letter with a questionnaire aiming at assessing the compliance of the data processing operations. The organization must answer the questionnaire and provide the CNIL with supporting evidence justifying its answers.

These investigation modalities can be combined. For example, the CNIL can initiate an online investigation and go on-site later. A document-based investigation can also be carried out prior to an on-site investigation.

Except for document-based investigation, every investigation requires a written report in which the CNIL’s personnel transcribe in an objective manner the information that was brought to their knowledge during their investigation, and what they observed.

Who is authorized to carry out the CNIL’s investigations?

The accreditation issued by the CNIL to its personnel

Article 19 of the amended French Data Protection Act states that the CNIL’s personnel who may participate in investigation procedures are accredited by the CNIL. The CNIL commissioners also can be appointed to carry out these investigations.

The accreditation is granted for a renewable period of five years provided that the concerned personnel has never been sentenced to a correctional or criminal sentence registered on the bulletin n° 2 of the criminal record and, they don’t or didn’t have any direct or indirect interest with the organization concerned by the investigation over the past 3 years.

The accreditation issued by the Prime Minister to the CNIL personnel

The CNIL’s commissioners that may carry out investigations on personal data processing involving national security issues, defense, public security or whose purpose is to prevent, to investigate, to detect or to prosecute criminal offences, to execute criminal convictions or security measures, have to be accredited by the Prime Minister.

Likewise, the CNIL’s commissioners who shall have access, during an investigation, to classified information, must receive a specific accreditation from the Prime Minister.

Prior to a CNIL investigation

  • The decision to carry out a control mission is taken by the Chair of the CNIL, on a proposal from the CNIL departments.
  • In case of an onsite checking, the decision of the Chair of the CNIL is notified at the beginning of the investigation to the person responsible of the premises where personal data processing are processed and that will be investigated.
  • In the case of a hearing, the decision of the Chair of the CNIL must be provided to the questioned person at least eight days before the audit. In particular, the invitation reminds the summoned person his or her right to be assisted by a counsel of his or her choice.
  • In the case of an onsite investigation, the geographically competent State prosecutor, shall be informed about the date, the hour and the purpose of the investigation 24 hours before it starts.
  • The investigated organization can be solicited beforehand to provide documents such as IT resources, flowcharts, …
  • The CNIL’s personnel who may investigate are accredited in the conditions provided for in article 19 of the Amended Act of 6. January 1978 and in articles 57 to 60 of the amended Decree of 20. October 2005. They can be assisted by experts, such as doctors.
  • Some investigations require a specific accreditation, in particular to investigate data processing related to “secret defense” matters.

During a CNIL investigation

The purpose of an investigation is to be examine whether the data processing operations implemented by the organization comply with the provisions of the French Data Protection Act and the General Data Protection Regulation (GDPR) that came into effect on  25. May, 2018.

The investigation can also aim at examining the compliance of a videosurveillance system (CCTV), in accordance with the French Internal Security Code (ISC), and the compliance of the marketing implemented files, by means of an automated electronic communications system in accordance with the Post and Electronic Communications Code (Code des postes et des communications électroniques – CPCE).

During an investigation, the CNIL’s personnel will take copies of any technical or legal information in order to appreciate the conditions in which the processing of personal data is implemented.

The CNIL delegation can request any necessary document required for the investigation, in any format, and take copies of it.

The CNIL personnel can interview any employee who may have useful information in order to assess the compliance of the personal data processing (i.g. to discuss with a manager, with operational or IT staff).

The CNIL personnel can access to computer programs and personal data; and ask for their transcription for the purposes of the investigation.

The CNIL personnel ask for a copy of the concerned contracts (i.g. file leasing contracts, IT provider contracts), forms, paper documents, databases, etc.

A written transcript is drafted at the end of the investigation, summarizing all the information gathered by the CNIL personnel and observations that were made. It lists in an appendix all the documents copied during the mission.

When the CNIL is prevented from investigating

In the course of an onsite investigation, if the person in charge of the premises opposes the presence of the CNIL personnel, the Chair of the CNIL can request an authorization to pursue its mission from the liberty and custody judge (juge des libertés et de la détention – JLD) of the Regional Court geographically competent.

Furthermore, when the emergency, the seriousness of the facts which triggered the investigation, or the risk of destruction or concealment of documents justifies it, the Chair of the CNIL can request a preventive authorization to proceed to the investigation from the liberty and custody judge (juge des libertés et de la détention – JLD) of the Regional Court (tribunal judiciaire) geographically competent, without prior information of the person in charge of the premises and with no possibility for them to oppose the presence of the CNIL personnel.

Article 51 of the amended Act of 6. January 1978 prescribes a penalty of one year’s imprisonment and a fine up to 15 000 euros, for impeding the CNIL’s action.

Impediment of the CNIL’s action occur in case of:

  • opposition to an investigation mission that was authorized by liberty and detention judge (juge des libertés et de la détention).
  • refusal to communicate, concealment or destruction of information and documents useful for the investigation;
  • communication of information which is not matching with the records such as they were at the moment of the CNIL’s request, or presentation of content in a format that is not directly accessible.

Types of secrecy which may be invoked

During the course of their investigations, the organization cannot invoke professional secrecy to justify, in particular, a refusal to grant access to software or to communicate documents, unless the data are covered by attorney-client privilege or journalists secrecy. Moreover, the CNIL’s personnel can only access individual medical information covered by the medical confidentiality, in the presence and under the authority of a doctor.

The professional secrecy of the CNIL’s personnel

The CNIL’s personnel are subject to a duty of professional secrecy regarding any fact, act or information which has come to their knowledge in the course of the performance of their tasks, on pain of criminal proceedings (article 20 of the amended Act of 6 January 1978).

Personnel can only access documents gathered in the course of the investigation on a need to know basis.

What happens following a CNIL investigation?

Following the investigation, the CNIL studies the investigation written report and analyzes the collected in order to assess the modalities of implementation of the data processing in regards to compliance of the processing of personal data checked with the French Data Protection Act, the GDPR, the French Internal Security Code (Code de la sécurité intérieure – CSI) and the Post and Electronic Communications Code (Code des postes et des communications électroniques – CPCE).

Depending on the CNIL’s analysis, different actions may be taken:

  • If the gathered elements do not call for any specific observations, the procedure is terminated by a letter from the Chair of the CNIL.
  • If the investigation shows that non-significant breaches are established, the procedure is terminated by a letter from the Chair of the CNIL including some observations (for instance, modification of the storage period, security measures, information of the data subject, etc.).
  • If some more serious breaches have been observed, the Chair of the CNIL can render an order asking the organization to adopt corrective measures within a specified time to come into compliance and/or can to transfer the case to the CNIL’s sanctions committee who can impose a sanction in accordance with articles 45 and 46 of the French Data Protection Act and article 83 of the GDPR.
  • The order can be made public, depending on the circumstances (i.e high number of data subjects, high impact on the privacy of the data subjects, etc.).
  • In the absence of a response to the order or in case of non-compliance with its injunctions, the case may also be transferred to the CNIL’s sanctions committee, which may issue sanctions. The transfer to the sanctions committee does not exclude the submission of a report to the public prosecution authorities (article 40 of the Code of Criminal Procedure (Code de procédure pénale).