CNIL

The CNIL’s key priorities for upcoming dawn-raids in 2021

Every year, the French supervisory authority (the “CNIL”) publishes its key priorities for upcoming dawn-raids. In 2021, more than 50% of the CNIL’s dawn-raids will focus on: (i) websites cybersecurity, (ii) health data protection and (ii) cookies. 1. Websites cybersecurity Website security incidents are among the most common non-compliances identified by the CNIL during its …

The CNIL’s key priorities for upcoming dawn-raids in 2021 Read More »

France: New guidance for data retention

By Denise Lebeau-Marianna – Partner and  Yaël Hirsch – Senior Associate The French Supervisory Authority (the “CNIL”) has issued new updated guidelines on data retention during the month of July (the “CNIL’s Guidelines”)[1]. They provide more practical guidance and update the CNIL previous Recommendations dated 11 October 2005 on the conditions of archiving personal data[2]. …

France: New guidance for data retention Read More »

France: First sanction of an online shoes company by CNIL acting as a lead authority for several infringements to GDPR requirements

On 28 July 2020, the French Supervisory Authority (the “CNIL”) sanctioned the online shoes retail company, SPARTOO SAS, by a €250,000 fine and an injunction to comply with GDPR within 3 months under penalty for various non-compliances with the GDPR of the personal data processing related to clients, prospects and employees[1]. I. Factual background and …

France: First sanction of an online shoes company by CNIL acting as a lead authority for several infringements to GDPR requirements Read More »

Europe: ‘Right to be forgotten’, but only in Europe?

In its landmark decision of the 24th of September (C-507/17), the EU Court of Justice in Luxembourg has sided with Google over a claim by the French supervisory authority regarding the application of the so-called ‘right to be forgotten’. This right refers to the ability for individuals in Europe to demand that search engines, such …

Europe: ‘Right to be forgotten’, but only in Europe? Read More »

FRANCE: The CNIL publishes new standards on HR management and whistleblowing schemes

By Denise Lebeau-Marianna and Caroline Chancé   On 11 April 2019, the French Data Protection Supervisory Authority (CNIL) published two draft standards intending to provide practical guidance in relation to the processing of personal data for HR management and whistleblowing systems. The purposes of such standards is to: Assist businesses in their compliance process, and Help …

FRANCE: The CNIL publishes new standards on HR management and whistleblowing schemes Read More »

FRANCE: THE FIRST CNIL STANDARD REGULATION FOR BIOMETRIC SYSTEMS IN THE WORKPLACE

By Denise Lebeau-Marianna (Partner) & Alexandre Balducci (Associate) Why did the CNIL adopt a specific regulation for the use of biometric data processing in the workplace? In accordance with Article 9 (4) of the General Data Protection Regulation (GDPR) which provides that “Member States may maintain or introduce further conditions, including limitations, with regard to …

FRANCE: THE FIRST CNIL STANDARD REGULATION FOR BIOMETRIC SYSTEMS IN THE WORKPLACE Read More »

FRANCE: New cooperation agreement between the CNIL and DGCCRF

By Denise Lebeau-Marianna and Caroline Chancé   On 31 January 2019, the French Data Protection Supervisory Authority (CNIL) and the French General Directorate for Competition Policy, Consumer Affairs and Fraud Control (DGCCRF, authority in charge of consumer protection) signed a new protocol of cooperation to improve protection of personal data of consumers.   This new protocol replaces a …

FRANCE: New cooperation agreement between the CNIL and DGCCRF Read More »

FRANCE: A new phase in European privacy law enforcement – CNIL fined Google LLC 50 million euros!

By Denise Lebeau-Marianna, Caroline Chancé and Alexandre Balducci   On 21 January 2019, the restricted committee of the French Data Protection Supervisory Authority (CNIL) fined Google LLC 50 million euros for breaching GDPR for lack of transparency, inadequate information and lack of valid consent regarding personalized advertising.  This is the first decision rendered by the CNIL …

FRANCE: A new phase in European privacy law enforcement – CNIL fined Google LLC 50 million euros! Read More »

FRANCE: Marie-Laure Denis expected to become the new CNIL president

By Denise Lebeau-Marianna and Caroline Chancé   On 18 January 2019, French President Emmanuel Macron announced his intention to appoint Marie-Laure Denis as the next president of the French Data Protection Supervisory Authority (CNIL). If her nomination is confirmed by the Parliament, Marie-Laure Denis will take over the presidency of the CNIL on 1st February 2019, a position …

FRANCE: Marie-Laure Denis expected to become the new CNIL president Read More »

FRANCE: ONE MORE STEP TO ENSURE CONSISTENCY OF THE NEW FRENCH DATA PROTECTION LAW

By Denise Lebeau-Marianna and Yaël Hirsch On 12 December 2018, the French Government issued an ordinance[1] finalizing, at the legislative level[2], the alignment of the French Data Protection Law (“FDPL”) with the General Data Protection Regulation[3] (“GDPR”) and the Directive 2016/680[4]. Following-up the adoption of the GDPR, the French Law No. 2018-493 related to personal data protection[5] …

FRANCE: ONE MORE STEP TO ENSURE CONSISTENCY OF THE NEW FRENCH DATA PROTECTION LAW Read More »

FRANCE: CNIL PUBLISHES GUIDANCE ON DATA SHARING FOR MARKETING PURPOSES

By Denise Lebeau-Marianna and Tiphaine Caulier The French Data Supervisory Authority (the CNIL) released guidance on December 28th 2018 on the principles to be followed when an organization that collects personal data through online or hard copy forms, shares it with business partners or data brokers to send SMS or emails for marketing purposes. To comply …

FRANCE: CNIL PUBLISHES GUIDANCE ON DATA SHARING FOR MARKETING PURPOSES Read More »

FRANCE: Website publisher fined for violation of the cookie requirements

The French Council of State affirmed the EUR 25,000 fine imposed by the CNIL on Editions Croque Futur (challenges.fr) for non-compliance with French data protection law, and in particular cookie requirements. The facts go back to 2014-2015 when the French data protection authority (the CNIL) found out that French company Editions, Croque Futur, publisher of …

FRANCE: Website publisher fined for violation of the cookie requirements Read More »

FRANCE: First GDPR complaints lodged with the CNIL

Immediately after the entry into application of the GDPR, the CNIL received several complaints over “forced consent” and unlawful processing. On May 25, the non-profit European Center for Digital Rights (known as nyob for “none or your business”), founded by Max Schrems, filed four, very similar, complaints over “forced consent” against Google (Android), Instagram, WhatsApp …

FRANCE: First GDPR complaints lodged with the CNIL Read More »

FRANCE: The new data protection law under Constitutional review

The newly adopted French data protection law is already challenged by Senators who requested a constitutional review the day after the new law’s adoption. This had been announced: at least 60 Senators have referred the new French data protection law to the French Constitutional Council. Despite the accelerated procedure initiated by the Government in December …

FRANCE: The new data protection law under Constitutional review Read More »

FRANCE: Draft data protection law – one step closer to a final version

On 9 February 2018, the French National Assembly adopted at first reading the new draft data protection law implementing the EU General Data Protection Regulation (“GDPR”) and EU Data Protection Directive on Police and Criminal Justice Cooperation into French law. After two days of discussion and 180 amendments reviewed, the French National Assembly has adopted …

FRANCE: Draft data protection law – one step closer to a final version Read More »

FRANCE: CNIL GDPR guidance for data processors

By Denise Lebeau-Marianna and Caroline Chancé   On September 29, 2017, the French data protection authority (the CNIL) published practical guidance on General Data Protection Regulation (“GDPR”) requirements intended for data processors. The objective is to guide them on how to comply with their new obligations. Under the GDPR, data processors have new responsibilities and liabilities in …

FRANCE: CNIL GDPR guidance for data processors Read More »

FRANCE: CNIL adopts new single authorization on fraud prevention systems

By Florence Guthfreund-Roland and Mathilde Hallé Pursuant to several provisions of the French Code Monétaire et Financier, entities from the banking and financial sector are required to implement processes and strategies to detect, measure and manage operational risks within their group (on a consolidated basis). Fraud prevention/detection systems must be adapted to the entities’ activities and …

FRANCE: CNIL adopts new single authorization on fraud prevention systems Read More »

FRANCE: Single Authorization for the processing of personal data resulting from Sapin II Law finally applicable

By Denise Lebeau-Marianna & Mathilde Hallé The French Data Protection Authority (“CNIL”) has amended the Single Authorization No. AU-004 on whistleblowing systems.[1] These modifications largely aim to simplify the formalities applicable to the processing of personal data resulting from the implementation of the compliance procedures required by French Law (dated December 9, 2016) regarding transparency, …

FRANCE: Single Authorization for the processing of personal data resulting from Sapin II Law finally applicable Read More »

FRANCE: The French Data Protection Authority (CNIL) Publishes 6-Step Methodology For Compliance With GDPR

By Carol A.F. Umhoefer (carol.umhoefer@dlapiper.com) and Caroline Chancé (caroline.chance@dlapiper.com)   On March 15, 2017, the CNIL published a 6-step methodology for companies that want to prepare for the changes that will apply as from May 25, 2018 under the EU the General Data Protection Regulation (“GDPR”). The abolishment under GDPR of registrations and filings with …

FRANCE: The French Data Protection Authority (CNIL) Publishes 6-Step Methodology For Compliance With GDPR Read More »

FRANCE: New rules for processing patient health data

France’s Law for the Modernization of the Health System, adopted earlier this year, applies to all processing of health data for the purpose of evaluating or analyzing medical treatments and preventive actions. The Law amends the Data Protection Law of 1978, creating a new framework for obtaining authorization to process health data, as well as …

FRANCE: New rules for processing patient health data Read More »