RGPD and sanctions: don't miss out on compliance!
RGPD and sanctions: two terms that have sent shivers down the spines of businesses since 25 May 2018, when the General Data Protection Regulation came into force. European in scope, it aims to provide a framework for the security, confidentiality and traceability of personal data in an increasingly digital environment. Businesses are seeing their obligations increase, set out in very concrete terms in a law, on pain of administrative and criminal penalties. But what exactly are these obligations? And above all, how can the penalties be avoided? Let's take a look at what's involved, and what you can do about it...
Definitions and context of the RGPD
From the Data Protection Act to the RGPD
You are already familiar with the French law on information technology, files and freedoms, known as the "Loi Informatique et Libertés" (law no. 78-17 of 6 January 1978), which regulates the freedom to collect, process and use personal data, and sets out obligations in terms of the right of access, the right to portability and the right to be forgotten.
The RGPD is a sort of extension of this law, brought to European level:
The General Data Protection Regulation (GDPR) is a European regulatory text that governs the processing of data equally throughout the European Union.
In fact, the Data Protection Act was updated on 1 June 2019 to transpose the new European regulations into French law. This new version has been in force since 16 July 2019.
The aims of the RGPD are to:
- strengthen the rights of consumers and users,
- make companies (data controllers) and subcontractors handling personal data (prospects, customers, employees, etc.) more accountable,
- harmonise national regulations within Europe,
- consolidate cooperation between the various data protection authorities.
GDPR and competent authorities
The European Data Protection Board
The mission of the European Data Protection Board (EDPB) is to ensure the consistent application of the RGPD for the purposes of:
- prevention and detection of criminal offences
- investigation, prosecution and enforcement of criminal penalties.
It is made up of the heads of the RGPD authorities of each Member State, representatives of the authorities of Norway, Iceland and Liechtenstein (without voting rights), and representatives of the European Commission. It is chaired for the first 5 years by Ms Andrea Jelinek, head of the Austrian authority.
Each Member State therefore has its own competent authority, with the same tasks and powers to ensure uniform application of the RGPD across Europe, particularly for cross-border disputes. In France, it is still the CNIL, an independent public administrative authority.
The European protection authorities are currently cooperating on 345 cross-border complaints. The CNIL is involved in 187 cases and is the lead authority for 15 cases. These complaints notably raise questions about consent.
CNIL's missions
Information and prevention
- Informing employees, individuals and companies about the protection of personal data,
- Provision of documentation,
- Raising awareness.
Support and advice
- Support for members of parliament,
- Issuing opinions and recommendations on draft legislation and decrees.
Control
- Carrying out on-site inspections, document inspections, hearings or online inspections,
- According to a pre-established programme, but also on the basis of reports or complaints,
- Particular attention is paid to establishments that have already been given formal notice and to video surveillance/video protection systems.
Penalties
In the event of non-compliance observed during the inspection of a company, the CNIL may, via its select committee dedicated to sanctions:
- report the infringement to the Public Prosecutor,
- impose an administrative financial penalty,
- decide to publish the penalties imposed.
Anticipation
The CNIL has set up a committee of experts from the public and private sectors to anticipate new technological trends and their potential impact on freedoms (emerging issues).
Obligations of companies
RGPD compliance: who is affected?
All companies:
- private or public,
- collecting or processing personal data,
- regardless of their sector of activity or size,
- located in the European Union or whose activity concerns European residents.
They must protect "individuals, regardless of their nationality or place of residence".
4 steps to compliance
As a data controller, the company must be able to provide all the evidence of compliance with data protection, such as the processing register, the impact analysis (in the case of management of highly sensitive data, sometimes at the request of the supervisory authorities) and proof of consent.
📑 The register of data processing activities
Provided for in Article 30 of the RGPD, this inventory and analysis document centralises your data processing in various departments: recruitment, payroll management, training, badge and access management, sales statistics, customer and prospect management, etc.
It lists:
- the parties involved in data processing (data controller, DPO where applicable, subcontractors, joint controllers),
- the IT tools and services that interact at each stage of data processing,
- the categories of data processed (ages, socio-professional categories, emails, etc.),
- the means of collection (GPS, cookies, forms, etc.),
- the purpose for which the data is collected (loyalty, canvassing, etc.),
- how the data is used (by whom), communicated (to whom), who else has access to the data (hosts, intermediary service providers, etc.),
- how long it is kept,
- the security measures put in place for data storage.
☞ Appointing a Data Protection Officer (DPO) is compulsory for public bodies and for those that process data, particularly sensitive data, requiring regular monitoring on a large scale. The DPO supports the organisation by steering the governance of personal data, which remains the responsibility of the company.
He or she may be external to the company (such as a lawyer) or internal (this task may be carried out by the Data Protection Correspondent already in place, for example).
☞ You must have the consent of the people whose data you are collecting. Ideally, you should also keep a register of consents documenting the conditions of collection and the evidence.
♻️ Data sorting
- Eliminate all unnecessary information from your collection forms and databases;
- Define automatic deletion or archiving rules after a certain period in your applications and software;
- Check that access rights to data are limited to certain people, listed in the register.
You can help yourself by answering these questions:
- Is the data necessary for your business?
- Is it sensitive (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic, biometric, health or sexual data)?
- Is the management of access rights compliant?
- Do you have old data that should no longer be in your possession?
→ Personal data of people who have been inactive for 3 years or more (former employees, former customers),
→ Consent from visitors to your website to process cookies that has not been renewed for 13 months or more, etc.
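As an added example (not code from the article or from any vendor named on this page), the following Python script applies the two retention thresholds above, 3 years of inactivity and 13 months since cookie consent, to a constructed sample of records and reports which ones should be deleted, archived or have consent renewed. The record fields, categories and review date are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds taken from the article's checklist.
INACTIVITY_LIMIT_MONTHS = 3 * 12      # inactive for 3 years or more
COOKIE_CONSENT_LIMIT_MONTHS = 13      # consent not renewed for 13 months or more


def months_between(earlier: date, later: date) -> int:
    """Whole calendar months elapsed from `earlier` to `later`.

    A month only counts once the same day-of-month has been reached, so
    a consent given on 15 August is not 13 months old on 1 September of
    the following year (only 12 full months have elapsed).
    """
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


@dataclass
class Record:
    subject_id: str               # hypothetical internal identifier
    category: str                 # e.g. customer, employee, visitor (assumed)
    last_activity: Optional[date] # None if the system does not track it
    cookie_consent: Optional[date]


def review_record(rec: Record, today: date) -> List[str]:
    """Return the retention findings for one record (empty list = keep as is)."""
    findings = []
    if rec.last_activity is not None and \
            months_between(rec.last_activity, today) >= INACTIVITY_LIMIT_MONTHS:
        findings.append("inactive for 3 years or more: delete or archive")
    if rec.cookie_consent is not None and \
            months_between(rec.cookie_consent, today) >= COOKIE_CONSENT_LIMIT_MONTHS:
        findings.append("cookie consent older than 13 months: renew or stop processing")
    return findings


def retention_review(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Map subject_id -> findings for every record that needs action."""
    report = {}
    for rec in records:
        findings = review_record(rec, today)
        if findings:
            report[rec.subject_id] = findings
    return report


# Constructed sample data; the review date is an assumption.
REVIEW_DATE = date(2019, 9, 1)
SAMPLE_RECORDS = [
    Record("cust-001", "customer", date(2016, 5, 10), None),           # 39 months inactive
    Record("cust-002", "customer", date(2017, 1, 15), date(2018, 7, 1)),  # consent 14 months old
    Record("emp-003", "former employee", date(2016, 9, 1), None),      # exactly 36 months: counts
    Record("vis-004", "visitor", None, date(2018, 8, 15)),             # 12 full months: still valid
]

if __name__ == "__main__":
    for subject, findings in retention_review(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(subject, "->", "; ".join(findings))
```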
💡 Respect for individuals' rights
Data subjects are:
- informed of who collects their data, who has access to it, to whom it is communicated, for what reasons and for how long it is kept,
- free to object, easily, thanks to clearly stated procedures (via a personal space, by email, etc.),
- entitled to have their requests for modification or deletion met within a maximum of one month.
66% of French people say they are "more sensitive than in recent years to the protection of their personal data". Their concerns: data theft, social network hacking, spam/prospecting.
🔒 Data security
The company is obliged to guarantee the integrity of its data assets by reducing the risks of loss and hacking. To do this, you must:
- ensure that access to your premises is secure,
- ensure that external and internal user accounts are protected by passwords of sufficient complexity,
- keep your software and antivirus up to date,
- change your passwords frequently,
- encrypt sensitive data,
- set up a data backup and recovery procedure.
The role of the CNIL
Depending on the outcome of the CNIL inspection, a number of actions may be taken.
If the inspection:
- is satisfactory, the Chairman of the CNIL will send a letter to the company to close the file;
- reveals minor breaches (e.g. data retention period slightly exceeded), the Chairman of the CNIL will send a letter to the company to close the file with recommendations;
- identifies more serious breaches, the CNIL Chairman may give formal notice to the organisation to comply within a specified period, and/or refer the case to the CNIL's Restricted Section, which will impose the penalties provided for in the articles of the RGPD;
- notes the absence of a response or corrective measures following a formal notice, the CNIL's select committee responsible for sanctions may take up the case, make its decisions public, and notify the Public Prosecutor's Office in the most serious cases.
Penalties applicable
Administrative sanctions
The CNIL's select committee may decide to impose administrative sanctions, in ascending order:
- a call to order,
- an injunction to comply within a set deadline, possibly accompanied by a periodic penalty payment for each day of delay,
- temporary or permanent restriction of data processing,
- suspension of data flows,
- an order to comply with requests from rights holders, with penalties for delay depending on the deadline,
- an administrative fine.
Depending on the duration, seriousness and nature of the infringement, the administrative fine may represent:
- up to 2% of the company's worldwide annual turnover in N-1 or €10 million* (for failure to keep a register of processing operations, for example),
- up to 4% of the company's worldwide annual turnover in N-1 or €20 million* (for failure to obtain the consent of data subjects, refusal to cooperate with the CNIL, etc.).
* Whichever of the percentage and the fixed sum is higher applies.
From the date of notification of the CNIL's decision, the company has two months in which to lodge an appeal with the Conseil d'État.
Criminal penalties
Member States may decide to apply a criminal penalty in addition to the administrative penalty, to punish breaches not covered by Article 83 of the GDPR.
Failure to process personal data correctly, even through negligence, is punishable by 5 years' imprisonment and a fine of €300,000 (Articles 226-16 to 226-24 of the Criminal Code).
Damages
People whose rights have been violated can also lodge a complaint and claim compensation in the form of damages. This sanction, in the event of legal action, is in addition to any administrative or criminal penalties.
Some key articles of the RGPD
As we mentioned above, here is a brief overview...
Articles 45 and 46 of the RGPD
These deal with transfers of personal data to third countries or international organisations.
A data controller does not need to request authorisation from the CNIL and cannot be penalised for transferring personal data to a third country or an international organisation, if the security conditions applied there are satisfactory in terms of the RGPD.
The CNIL publishes a list of validated or blacklisted third countries and international organisations in the Official Journal of the European Union and on its website.
If the recipient is not verified, the controller or processor may not transfer personal data to a third country or to an international organisation, unless it has provided contractual guarantees and the individuals concerned have "enforceable rights and effective legal remedies".
Excerpts from Article 83 of the GDPR
This article sets out the general conditions for imposing administrative fines.
Several criteria are taken into account when deciding whether to impose an administrative fine and how much it should be:
- the nature, seriousness and duration of the breach,
- whether it was deliberate or negligent,
- the corrective measures put in place,
- the degree of responsibility,
- previous breaches,
- the degree of cooperation with the supervisory authority,
- the type of data concerned,
- how the competent authority learned of the breach,
- aggravating circumstances (financial benefits obtained or losses avoided, directly or indirectly).
If the controller or processor breaches more than one rule of the RGPD, "the total amount of the administrative fine may not exceed the amount set for the most serious breach".
First RGPD sanctions and companies penalised
The most notable cases include:
- Bouygues Telecom: €250,000 for insufficient data protection for B&You customers, with customer contracts and invoices accessible by simply changing a URL on the website (more than 2 million customers impacted for 2 years);
- Facebook and its subsidiary WhatsApp are under threat of a complaint from the Internet Society (ISOC): despite being condemned by the CNIL in 2017 (€150,000), the company continues to collect sensitive information;
- Google: €50,000,000 for lack of transparency, unsatisfactory information and absence of valid consent for personalised advertising, following collective complaints from None Of Your Business and La Quadrature du Net.
RGPD and software: a few points to watch out for
Third-party applications not covered by the RGPD
In legal terms, a software publisher is a subcontractor for the purposes of the RGPD. It processes personal data on behalf of a customer, who is referred to as the data controller.
The software publisher sometimes offers additional functions, via third-party applications, for which compliance with the European regulation must be verified. For example, OCR (optical character recognition) technologies sometimes come from American or Russian solutions, which are not subject to the RGPD. French software publishers integrating them into their solutions must propose an RGPD compliance rider.
The RGPD allows the CNIL to carry out checks on subcontractors responsible for implementing processing on behalf of an organisation responsible for processing (e.g. hosting, maintenance).
⚠️ Publishers outside the GDPR zone, particularly in the US, sometimes offer "Data Processing Addendums" for GDPR compliance, which in the end do not guarantee compliance.
The principle of privacy by design
From the moment a website or CRM is designed, the principle of privacy by design must be applied, to meet the need to protect privacy from the moment the tool is created.
What solutions should you adopt to ensure RGPD compliance?
The benefits of compliance software
An irreproachable information systems department (ISD), a designated DPO, consulted lawyers - all these stakeholders can prove indispensable thanks to their legal and IT expertise.
But if you want to ensure that your compliance is complete, seamless and straightforward, the support of a software platform can really make all the difference, saving you time and grey hairs.
An RGPD solution can, for example, be used to:
- keep the compulsory register, a veritable map of the processing of users' personal data,
- manage the compliance audits carried out regularly by the DPO,
- store proof of user or customer consent,
- categorise data, such as sensitive data, and its purpose,
- implement risk management to prevent data leaks,
- verify encryption procedures and technologies to guarantee data security,
- provide information tools and templates for consumers,
- identify any data transfers to countries outside the European Union,
- check that contracts with subcontractors inside and outside the RGPD zone are compliant and up to date,
- keep abreast of the latest news on the European regulation,
- manage and display the results of Data Protection Impact Assessments (DPIAs).
The CNIL has developed open source software, PIA (for Privacy Impact Assessment), to guide companies through this particular task.
We have selected several solutions to help you with your data governance.
Captain DPO
Captain DPO is a collaborative solution for DPOs, enabling agile and fluid project management.
The Data Protection Officer, whether internal or external to a structure, oversees the compliance of his or her organisation or that of his or her customers, monitors data protection and documents the measures put in place in the event of an audit.
All stakeholders (data controller, information systems security officer, etc.) are called upon to ensure full and effective compliance. Subcontractors also have access to the platform to receive instructions from your company and submit their own processing reports.
Features include:
- interactive dashboard,
- multiple processing registers,
- application mapping,
- risk mapping,
- management of rectification requests,
- integration of CNIL software for impact analyses,
- RGPD self-diagnosis,
- document space and versioning,
- performance monitoring indicators,
- company directory, etc.
Data Legal Drive
Particularly suited to SMEs and SMIs, Data Legal Drive is designed to offer secure, intuitive and collaborative software, whether you have an internal or external DPO, or none at all.
The solution was developed thanks to the extensive legal expertise in information technology of our partner publishers and lawyers. It was named best Legal Tech at the Trophées du Droit and Victoires de l'innovation juridique awards in 2019.
It helps companies to accelerate their compliance from a legal, organisational and technical point of view. You can centralise your procedures while having access to cutting-edge documentation. To-do lists, alerts and progress reports give you a practical guideline for meeting all the legal criteria.
Features include:
- mapping of processing and risks,
- compilation of registers,
- compliance diagnostics using interactive questionnaires,
- management and monitoring of contracts, amendments and other RGPD compliance documents,
- management of requests from data subjects,
- management of personal data breaches, identified internally or reported by your subcontractors,
- monitoring training to raise awareness of RGPD issues,
- documentary database with model clauses and contracts, legal notices,
- legal watch,
- legal and technical support chat with a lawyer, etc.
Compliance Booster (formerly Smart GDPR)
Compliance Booster is a customisable and scalable solution that uses automation to make the tasks of DPOs and data controllers easier.
It enables the DPO to carry out RGPD audits and impact analyses, and to raise awareness among all employees and subcontractors via training courses, particularly on the prevention of internal and external risks.
Whatever your level of compliance, the tool will support you throughout the process and help you maintain good practice afterwards.
Designed by data protection officers, it is pre-configured for 55,000 businesses and 700 sectors, and can be extended to cover the world's 10 main data protection regulations.
Features include:
- import of existing compliance work,
- interoperability with your business software,
- maintenance of a register of processing and data,
- automation of recurring tasks,
- semi-automatic mapping of processing operations,
- intelligent audits and impact studies,
- compliance gap analysis with automatic, modifiable prioritisation,
- exportable specialised documentation,
- integrated legal department,
- coverage of financial risk in the event of errors attributable to the platform, etc.
In short: be fully compliant
Your company's RGPD compliance is not something to be taken lightly. Not only is it compulsory, but failure to comply can result in significant penalties, affecting not only your wallet but also your company's brand image.
The ADEF association, which manages accommodation for students, single-parent families and migrants, was fined €75,000 two months after the regulations were introduced.
Whatever the size of your organisation and its resources, enlist the help of experts in the field. An RGPD compliance solution will help you set up and monitor the regulations. Peace of mind is yours!