Any natural or legal person can file a GDPR complaint with the CNIL (National Commission for Information Technology and Civil Liberties). Here are all the essential points to remember when you receive a complaint.
Any individual or legal entity can lodge a complaint with the CNIL (National Commission for Information Technology and Civil Liberties). The main reason for lodging a complaint is a breach relating to the processing of personal data.
In the digital world, the CNIL (National Commission for Information Technology and Civil Liberties) regulates personal data under France's Data Protection Act.
The French Data Protection Act (loi informatique et libertés) was passed in 1978 to protect individuals' personal data from misuse. It is also known as "law no. 78-17 of January 6, 1978 on data processing, data files and individual liberties".
The complaint must specify the grounds (non-compliant privacy policy, inconsistency between the cookie policy and the actual cookies used, etc.) and the organization (company, association, etc.) against which it is lodged. Anyone can lodge a complaint online! This makes it very accessible when someone finds that personal data protection is not being respected.
What should I do if I receive a complaint?
🕐 The hours following receipt of a complaint are critical. Depending on the response, the CNIL (National Commission for Information Technology and Civil Liberties) will decide whether to follow up, issue recommendations or launch an investigation that could lead to a fine of up to 4% of your turnover.
If you receive a formal notice from the CNIL (National Commission for Information Technology and Civil Liberties) indicating the reason for the complaint and all the explanations to be provided, you must respond as soon as possible, and within one month at most.
The deadline for replying is 30 days!
This is an extremely tight deadline in which to provide the CNIL (National Commission for Information Technology and Civil Liberties) with satisfactory answers.
You will not be informed who lodged the complaint, even after the procedure has been completed.
In most cases, it's an employee, a union or a client. But it can also be a competitor who wants to weaken you! You don't need to have suffered a loss to lodge a complaint. Anyone can file a complaint with the CNIL (National Commission for Information Technology and Civil Liberties) as soon as they identify a breach.
That's why it's important to comply with the General Data Protection Regulation (GDPR). This compliance allows you to secure and strengthen data processing within the organization.
The main complexity is to identify, in a short space of time, the reality of the facts and the origin of the non-compliant data processing highlighted in the complaint.
In fact, the processing at the origin of the complaint may not be a documented, company-wide practice, but rather the practice of an isolated department or individual (e.g., RATP was fined €400,000 in 2021 because HR department employees had integrated political elements into career-related files).
As a result, a technical audit is sometimes necessary. It is also often necessary to interview people. All these points require organization, step-by-step progress and the necessary time.
It is important to appoint a Data Protection Officer (DPO) within the company.
He or she will be the orchestra conductor for the processing of personal data. A DPO can be costly, which is why it's a good idea to use an external DPO who will register with the CNIL (National Commission for Information Technology and Civil Liberties) and deal with the company's issues.
It's key to make your employees aware of the subject beforehand, and to keep evidence of it. You can't monitor the practices of all your employees, every day. In fact, there are a number of rules to respect: the most common is the duration of data retention.
It's important that your employees are aware of certain rules (deleting a candidate's CV after 3 years, saving professional documents in a cloud to prevent data leaks, etc.).
In addition, you can regularly disseminate best practices and reminders of what is not allowed.
In this case, you'll be able to prove to the CNIL (National Commission for Information Technology and Civil Liberties) that you've done everything possible to avoid isolated non-compliant processing operations, which will reduce or eliminate the risk of sanctions.
The CNIL (National Commission for Information Technology and Civil Liberties) is likely to ask for evidence of GDPR compliance beyond the scope of the complaint, across all company departments.
If you haven't already, you must become GDPR compliant within these 30 days!
This deadline will be very difficult to meet, particularly in parallel with the processing of the complaint. It is therefore fundamental to become GDPR compliant today in order to prevent this risk, which will necessarily arrive one day.
Compliance was previously complex and costly, particularly for SMEs, start-ups and associations, but compliance offers are evolving. In particular, Dipeeo offers a comprehensive GDPR compliance service that is simple, accessible and validated by lawyers and DPOs.
The Commission Nationale de l'Informatique et des Libertés (CNIL, National Commission for Information Technology and Civil Liberties) is the body responsible for protecting personal data in France. If you feel that a company or institution is not complying with data protection laws, you can lodge a complaint. You can file a complaint online on the CNIL website, or by sending a letter to the organization's head office.
Before filing your request with the CNIL (National Commission for Information Technology and Civil Liberties), make sure you have exercised your rights to Information Technology and Civil Liberties. You can consult your rights in this article, which explains privacy policy. Once you have consulted these rights, identify the organization's Data Protection Officer (DPO) in order to exercise your rights.
If the organization doesn't respect data protection rules, doesn't respond within a month, or the response is incomplete or erroneous, challenge the response! This may be enough to solve the problem. If that's not enough, you can lodge a complaint by clicking here.
It is important to keep all traces and evidence when filing a complaint.