Investigating and issuing sanctions
The CNIL conducts investigations following the lodging of a complaint, after allegations of infringements are brought to its knowledge, or because it decides to address a specific issue. If an infringement of the regulation is established, the Chair of the CNIL may render an order to comply, or the CNIL’s restricted committee can take different measures or sanctions.
The steps of the CNIL's law enforcement process
The CNIL has a complete law enforcement toolkit enabling it to collect reports of infringements through different channels in order to carry out investigations, which can lead to issuing sanctions or rendering orders to comply.
How does the CNIL conduct its investigations?
These investigations can be carried out on site, on the basis of documents, through a hearing or online. They are essential to monitor the enforcement of the French Data Protection Act as well as the General Data Protection Regulation (GDPR) by data…
The sanctions procedure
Following investigations or complaints, or in case of breaches of the GDPR or of the Data Protection Act, the CNIL's restricted committee may issue sanctions to controllers or processors.
The sanctions issued by the CNIL
The sanctions issued by the CNIL’s restricted committee since the entry into force of the GDPR.