

What should I do if I receive a CNIL complaint?
The 5 key points to be aware of

You've received a formal notice from the data protection authority! What should you do?

Any individual or legal entity can file a GDPR complaint with the CNIL. Here are the essentials to remember when you receive one.

What is a CNIL complaint?

Any individual or legal entity can lodge a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL). The usual ground for a complaint is a breach relating to the processing of personal data. The CNIL is France’s regulator for personal data under the French Data Protection Act.

The French Data Protection Act (loi informatique et libertés) was passed in 1978 to protect individuals’ personal data from misuse. Its formal title is “loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés”.

The complaint must state the grounds (a non-compliant privacy policy, a mismatch between the cookie policy and the cookies actually set, etc.) and the organization (company, association, etc.) against which it is lodged. Anyone can lodge a complaint online, which makes the procedure very accessible to anyone who notices that personal data is not being protected as it should be.

What should I do if I receive a complaint?

The hours following receipt of a complaint are critical. Depending on your response, the CNIL will decide whether to close the file, issue recommendations, or open an investigation that can end in a fine of up to 4% of your annual worldwide turnover (or €20 million, whichever is higher).

Here are 5 key points to be aware of when receiving a CNIL complaint.

The deadline for replying is 30 days!

If you receive a formal notice from the CNIL setting out the grounds for the complaint and the explanations it expects from you, you must respond as soon as possible, and within one month at the latest.

This is an extremely short time in which to give the CNIL satisfactory answers, so start gathering facts and evidence on day one.

Where does the CNIL complaint come from?

The CNIL will not tell you who filed the complaint, even after the procedure is closed.

In most cases the complainant is an employee, a trade union or a customer. It can also be a competitor looking to weaken you. The complainant does not need to have suffered any damage: anyone can lodge a complaint with the CNIL as soon as they identify a breach.

That is why ongoing compliance with the General Data Protection Regulation (GDPR) matters: it secures and strengthens data processing across the organization before any complaint arrives.

Identifying the origin of the processing

The main difficulty is establishing the facts and locating the origin of the non-compliant processing described in the complaint.

The processing behind the complaint may not be a documented, company-wide practice at all, but the habit of an isolated department or individual (for example, RATP was fined €400,000 in 2021 because files used by HR for promotion decisions recorded employees’ strike days, i.e. trade-union-related information).

A technical audit is therefore sometimes needed, and interviewing the people involved is often necessary as well. All of this takes organization, a step-by-step approach and time.

It is important to appoint a Data Protection Officer (DPO) within the company to coordinate all personal data processing. An in-house DPO can be costly, so an external DPO, declared to the CNIL and handling the company’s data protection matters, is a practical alternative.

Raising your employees' awareness

It is essential to raise your employees’ awareness beforehand, and to keep evidence that you did. You cannot monitor every employee’s practices every day. The most common issue is the retention period of personal data. Employees need to know the basic rules (deleting an unsuccessful candidate’s CV within two years of the last contact, as the CNIL recommends; storing work documents in the company’s approved cloud rather than on personal devices, to limit data leaks; etc.).

Beyond that, regularly circulate best practices and a clear list of what is not allowed, and keep a record of each communication.

With that record you can show the CNIL that you did everything reasonably possible to prevent isolated non-compliant processing, which reduces or removes the risk of sanctions.

Evidence of GDPR compliance beyond the scope of the complaint

The CNIL is likely to ask for evidence of GDPR compliance beyond the scope of the complaint itself, across all of the company’s departments.

If you are not already compliant, you will have to become GDPR compliant within those 30 days, while handling the complaint itself in parallel. That is very hard to achieve, which is why it is fundamental to become compliant today rather than wait for a complaint that will arrive sooner or later.

Once complex and costly, particularly for SMEs, mid-sized companies (ETIs), startups and associations, compliance offers are evolving. Dipeeo, for instance, offers a comprehensive GDPR compliance service that is simple, accessible and validated by lawyers and DPOs.

How do I file a complaint with the CNIL?

The Commission Nationale de l’Informatique et des Libertés (CNIL) is France’s data protection authority. If you believe that a company or institution is not complying with data protection law, you can lodge a complaint with the CNIL, either online on its website or by post.

Before lodging a complaint, first exercise your data protection rights (access, rectification, erasure, objection, etc.) directly with the organization concerned. Identify its Data Protection Officer (DPO), whose contact details should appear in its privacy policy, and address your request to them.

If the organization does not comply with the data protection rules, does not respond within one month, or gives an incomplete or incorrect answer, challenge its response. That is often enough to resolve the problem. If it is not, lodge a complaint with the CNIL.

Keep every trace and piece of evidence (your requests, the organization’s replies, dates, screenshots) to attach to the complaint.
