
RGPD and sanctions: don't miss out on compliance!

By Nathalie Pouillard

Published: October 28, 2024

RGPD and sanctions: two terms that have sent shivers down companies' spines since May 25, 2018, when the General Data Protection Regulation came into force. European in scope, it aims to provide a framework for personal data security, confidentiality and traceability in an increasingly digital environment. Entrepreneurs are seeing their obligations increase, enshrined very concretely in law, on pain of administrative and criminal sanctions. But what exactly are these obligations? And above all, how can they be avoided? Here's how to decipher them, and what solutions to follow...

Definitions and context of the RGPD

From the French Data Protection Act to the RGPD

You were already familiar with the French law on information technology, files and freedoms, known as the "Loi Informatique et Libertés" (Law no. 78-17 of January 6, 1978), regulating the freedom to collect, process and use personal data, and defining obligations in terms of the right of access, the right to portability and the right to be forgotten.

The RGPD is a sort of extension of this law, put on a European scale:

The General Data Protection Regulation (GDPR) is a European regulatory text that frames data processing equally throughout the European Union.

Portal of the French Ministry of the Economy, Finance and Public Action and Accounts (economie.gouv.fr)

In fact, the French Data Protection Act was updated on June 1, 2019 to transpose the new European regulations into French law. This new version has been in force since July 16, 2019.

Objectives of the RGPD implementation

  • strengthen the rights of consumers and users,
  • make companies (data controllers) and subcontractors handling personal data (prospect files, customers, employees, etc.) more accountable,
  • harmonize national regulations within Europe,
  • consolidate cooperation between the various data protection authorities.

GDPR and competent authorities

The European Data Protection Board

The mission of the European Data Protection Board (EDPB) is to ensure the consistent application of the RGPD for the purposes of:

  • prevention and detection of criminal offences,
  • investigation, prosecution and enforcement of criminal sanctions.

It is made up of the heads of the RGPD authorities of each member state, representatives of the authorities of Norway, Iceland and Liechtenstein (without voting rights), as well as representatives of the European Commission. For its first 5 years it is chaired by Ms. Andrea Jelinek, head of the Austrian authority.

Each Member State therefore has its own competent authority, with the same missions and powers for a homogeneous application of the RGPD in Europe, particularly for cross-border disputes. In France, it's still the CNIL, an independent public administrative authority.

European protection authorities are currently cooperating on 345 cross-border complaints. The CNIL is involved in 187 cases, and is the lead authority for 15. These complaints notably raise questions about consent.

CNIL/Ifop barometer, 2018.

CNIL missions

Information and prevention

  • Inform employees, individuals and companies about the protection of personal data,
  • Provision of documentation,
  • Raising awareness.

Support and advice

  • Support for members of parliament,
  • Issuing opinions and recommendations on draft laws and decrees.

Control

  • On-site, documentary, hearing or online inspections,
  • According to a pre-established program, but also on the basis of reports or complaints,
  • Particular attention is paid to establishments that have already been placed under formal notice, and to video-surveillance/video-protection systems.

Sanctions

In the event of non-compliance observed during a company audit, the CNIL may, via its restricted sanctions panel:

  • report the infringement to the Public Prosecutor,
  • impose an administrative financial penalty,
  • decide to publish the sanctions imposed.

Anticipation

The CNIL has set up a committee of public and private sector experts to anticipate new technological trends and their potential impact on freedoms (emerging issues).

Company obligations

RGPD compliance: who does it concern?

All companies:

  • private or public,
  • collecting or processing personal data,
  • whatever their sector of activity or size,
  • located in the European Union or whose activity concerns European residents.

They must protect "individuals, regardless of their nationality or place of residence".

4 steps to compliance

The company, as data controller, must be able to provide all evidence of data protection compliance, such as the processing register, impact analysis (in the case of management of highly sensitive data, sometimes at the request of supervisory authorities) and proof of consent.

📑 The register of data processing activities

Provided for in Article 30 of the RGPD, this census and analysis document centralizes your data processing activities in various departments: recruitment, payroll management, training, badge and access management, sales statistics, customer and prospect management, etc.
It lists:

  • the parties involved in data processing (data controller, DPO if applicable, subcontractors, co-contractors),
  • the IT tools and departments involved in each stage of data processing,
  • categories of data processed (ages, socio-professional categories, emails, etc.),
  • the means of collection (GPS, cookies, forms, etc.),
  • the purpose of data collection (loyalty, prospecting, etc.),
  • how it is used (by whom), communicated (to whom), who else has access to the data (hosts, intermediary service providers, etc.),
  • how long the data is kept,
  • the security measures put in place for data storage.

☞ Appointing a Data Protection Officer (DPO) is mandatory for public bodies and for those who process data, particularly sensitive data, requiring regular monitoring on a large scale. The Data Protection Officer supports the organization by steering the governance of personal data, for which the company is responsible.
He or she can be external to the company (such as a lawyer) or internal (this mission can be fulfilled by the Correspondant Informatique et Libertés already in place, for example).

☞ You must have the consent of the people whose data you are collecting. Ideally, you should also keep a register of consents, documenting the conditions under which they were collected and the evidence provided.

♻️ Data sorting

  • Eliminate all unnecessary information from your collection forms and databases;
  • Define automatic deletion or archiving rules in your applications and software;
  • Check that access rights to data are limited to certain people, listed in the register.

You can help yourself by answering these questions:

  • Is the data necessary for your business?
  • Is it sensitive (racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic, biometric, health or sexual data)?
  • Is access rights management compliant?
  • Do you have old data that should no longer be in your possession?
    → Personal data of people who have been inactive for 3 years or more (former employees, former customers),
    → Consent from visitors to your website for cookie processing not renewed for 13 months or more, etc.
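The two retention thresholds above (3 years of inactivity, 13 months without renewed cookie consent) can be turned into an automated review of a customer or visitor file. The following is an added example, not code from the article or from the CNIL; the record layout, the pseudonymous identifiers and the dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds stated in the article, expressed in whole calendar months.
INACTIVITY_LIMIT_MONTHS = 36   # 3 years or more of inactivity -> delete
CONSENT_LIMIT_MONTHS = 13      # cookie consent not renewed for 13 months -> renew


@dataclass
class Record:
    """One row of a constructed customer/visitor file (hypothetical layout)."""
    subject_id: str                 # pseudonymous key, never the person's name
    last_activity: date             # last login, purchase, ticket, etc.
    cookie_consent: Optional[date]  # date consent was (re)collected, None if absent


def months_between(start: date, end: date) -> int:
    """Whole calendar months elapsed from start to end (partial months not counted)."""
    months = (end.year - start.year) * 12 + (end.month - start.month)
    if end.day < start.day:   # the current month is not yet complete
        months -= 1
    return months


def review_record(rec: Record, today: date) -> list[str]:
    """Return the retention findings for one record; an empty list means nothing to do."""
    findings = []
    if months_between(rec.last_activity, today) >= INACTIVITY_LIMIT_MONTHS:
        findings.append("delete: inactive for 3 years or more")
    if rec.cookie_consent is None:
        findings.append("no cookie consent recorded")
    elif months_between(rec.cookie_consent, today) >= CONSENT_LIMIT_MONTHS:
        findings.append("renew: cookie consent not renewed for 13 months or more")
    return findings


def review_all(records: list[Record], today: date) -> dict[str, list[str]]:
    """Map each subject_id that needs action to its findings."""
    return {r.subject_id: f for r in records if (f := review_record(r, today))}


# Constructed sample file, reviewed as of the article's publication date.
REVIEW_DATE = date(2024, 10, 28)
SAMPLE = [
    Record("user-001", date(2024, 6, 1), date(2024, 1, 15)),    # active, fresh consent
    Record("user-002", date(2021, 5, 10), date(2021, 5, 10)),   # former customer
    Record("user-003", date(2024, 9, 30), date(2023, 8, 15)),   # active, stale consent
    Record("user-004", date(2024, 10, 1), None),                # no consent on file
    Record("user-005", date(2024, 10, 20), date(2023, 9, 30)),  # 12 full months: still valid
]

if __name__ == "__main__":
    for subject_id, issues in review_all(SAMPLE, REVIEW_DATE).items():
        print(subject_id, "->", "; ".join(issues))
```

The month arithmetic deliberately counts only completed months, so a consent given on the 30th is not flagged on the 28th of the 13th month later (user-005).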

💡 Respect for the rights of individuals

Data subjects must be:

  • informed of who collects their data, who has access to it, to whom it is communicated, for what reasons and for how long it is kept,
  • free to object, easily, thanks to clearly stated procedures (via a personal space, by e-mail, etc.),
  • entitled to have their requests for modification or deletion met within a maximum of one month.

66% of French people say they are "more sensitive than in recent years to the protection of their personal data". Their concerns: data theft, social network hacking, spam/prospecting.

CNIL/Ifop barometer, 2018.

🔒 Data security

The company is obliged to guarantee the integrity of your data assets by reducing the risk of loss and hacking. To do this, you must:

  • ensure that access to your premises is secure,
  • ensure that external and internal user accounts are protected with sufficient complexity,
  • keep your software and antivirus software up to date,
  • change passwords frequently,
  • encrypt sensitive data,
  • set up a data backup and recovery procedure.

CNIL's supervisory role

Depending on the outcome of the CNIL inspection, a number of different courses of action may be taken.
If the inspection:

  • is satisfactory, the president of the CNIL sends a letter to the company to close the file;
  • reveals minor breaches (e.g. a data retention period slightly exceeded), the president of the CNIL sends a letter to the company to close the file, with recommendations;
  • identifies more significant breaches, the president of the CNIL may give formal notice to the organization to comply within a given timeframe, and/or forward the file to the CNIL's restricted formation, which will impose the sanctions provided for in the articles of the RGPD;
  • notes the absence of a response or corrective measures following a formal notice, the CNIL's restricted panel responsible for sanctions may take up the case, make its decisions public, and notify the Public Prosecutor's Office in the most serious cases.

Applicable penalties

Administrative sanctions

The CNIL's restricted committee may impose administrative sanctions, in ascending order:

  • call to order,
  • injunction to comply, possibly with penalties for late compliance (subject to a fine),
  • temporary or definitive limitation of data processing,
  • suspension of data flows,
  • an order to comply with requests from rightful claimants, with late penalties depending on the deadline,
  • an administrative fine.

Depending on the duration, seriousness and nature of the infringement, the administrative fine may represent:

  • up to 2% of the company's worldwide annual sales in N-1, or 10 million euros* (for failure to keep a data processing register, for example),
  • up to 4% of the company's worldwide annual sales in N-1, or 20 million euros* (for failure to obtain consent from data subjects, refusal to cooperate with the CNIL, etc.).

* Between the percentage-based amount and the fixed sum, the higher amount is used.

From the date of notification of the CNIL's decision, the company has two months in which to lodge an appeal with the Conseil d'État.

Penal sanctions

Member States may decide to apply a criminal penalty in addition to the administrative penalty, to punish violations not covered by Article 83 of the RGPD.

Failure to properly process personal data, even through negligence, is punishable by criminal penalties of 5 years' imprisonment and a €300,000 fine (Articles 226-16 to 226-24 of the Penal Code).

Damages and interest

People whose rights have been violated can also lodge a complaint and claim damages. This sanction, in the event of legal action, is in addition to administrative and criminal sanctions, where applicable.

Some key articles of the RGPD

We mentioned them above, so here's a little insight...

Articles 45 and 46 of the RGPD

These deal with transfers of personal data to third countries or international organizations.

A data controller does not need to request authorization from the CNIL, and cannot be penalized, for transferring personal data to a third country or an international organization if the security conditions applied there are satisfactory with regard to the RGPD.
In fact, the CNIL publishes a list of these validated or blacklisted third countries and international organizations in the Official Journal of the European Union and on its website.

If the recipient is not verified, the controller or processor may not transfer personal data to a third country or to an international organization, unless contractual guarantees have been provided and the individuals concerned have "enforceable rights and effective legal remedies".

Excerpts from Article 83 RGPD

This article sets out the general conditions for imposing administrative fines.

To decide whether to apply an administrative fine and to determine its amount, several criteria come into play:

  • the nature, seriousness and duration of the violation,
  • whether the violation was deliberate or negligent,
  • corrective measures taken,
  • degree of responsibility,
  • previous violations,
  • degree of cooperation with the supervisory authority,
  • the type of data concerned,
  • how the competent authority learned of the breach,
  • aggravating circumstances (financial benefits obtained or losses avoided, directly or indirectly).

If the controller or processor violates several RGPD rules, "the total amount of the administrative fine may not exceed the amount set for the most serious violation".

First RGPD sanctions and companies sanctioned

Among the most notable cases are:

  • Bouygues Telecom: 250,000 euros for insufficient protection of B&You customer data, with customer contracts and invoices accessible by simply changing a URL address on the website (more than 2 million customers impacted for 2 years);
  • Facebook and its subsidiary WhatsApp are under threat of a complaint from the Internet Society (ISOC): despite a conviction by the CNIL in 2017 (150,000 euros), the company continues to collect sensitive information;
  • Google: 50,000,000 euros for lack of transparency, unsatisfactory information and absence of valid consent for advertising personalization, following collective complaints from the None Of Your Business and La Quadrature du Net associations.

RGPD and software: a few points to watch out for

Third-party applications not covered by the RGPD

In legal terms, a software publisher is a subcontractor for the RGPD. It processes personal data on behalf of a customer, who is referred to as the data controller.

The software publisher sometimes offers additional functionalities, via third-party applications, for which compliance with the European regulation must be verified. For example, OCR (optical character recognition) technologies sometimes come from American or Russian solutions, which are not subject to the RGPD. French publishers integrating them into their solutions must propose an RGPD compliance rider.

The RGPD allows the CNIL to carry out checks on subcontracting service providers in charge of implementing processing (e.g. hosting, maintenance) on behalf of an organization responsible for processing.

CNIL

⚠️ Publishers outside the GDPR zone, particularly in the US, sometimes offer a "Data Processing Addendum", a GDPR compliance rider, which in the end guarantees no compliance at all.

The principle of privacy by design

Right from the design stage of a website or CRM, the principle of privacy by design must now be applied, so that privacy protection is built in from the creation of the tool.

Which solutions to adopt for RGPD compliance?

The benefits of compliance software

An irreproachable information systems department (ISD), a designated DPO, consulted lawyers: all these stakeholders can prove indispensable thanks to their legal and IT expertise.
But to ensure complete compliance, without oversights and with complete simplicity, the support of a software platform can really make the difference, and save you time and grey hairs.

An RGPD solution can, for example:

  • maintain the mandatory register, a veritable map of the processing of users' personal data,
  • manage the compliance audits carried out regularly by the DPO,
  • store proof of user or customer consent,
  • categorize data, such as sensitive data and its purpose,
  • implement risk management to prevent data leakage,
  • verify encryption procedures and technologies to guarantee data security,
  • provide tools and information models for consumers,
  • identify any data transfers to countries outside the European Union,
  • check compliance and update contracts with subcontractors in and outside the RGPD zone,
  • monitor news on the European regulation,
  • manage and visualize the results of Data Protection Impact Assessments (DPIAs).

The CNIL has developed an open source software package, PIA (for Privacy Impact Assessment), to guide companies through this particular task.

We have selected several solutions to help you with your data governance.

Captain DPO

Captain DPO is a collaborative solution for DPOs, enabling smooth, agile project management.

The Data Protection Officer, whether internal or external to a structure, oversees the compliance of his or her organization or that of his or her clients, monitors data protection and documents the measures put in place in the event of an audit.
All stakeholders (data controller, information systems security officer, etc.) are called upon to ensure full and effective compliance. Subcontractors also have access to the platform to gather instructions from your company and transmit their own processing reports.

Features include:

  • interactive dashboard,
  • multiple processing registers,
  • application mapping,
  • risk mapping,
  • management of rectification requests,
  • integration of CNIL software for impact analyses,
  • RGPD self-diagnosis,
  • document space and versioning,
  • performance monitoring indicators,
  • company directory, etc.

Data Legal Drive

Particularly suited to SMEs and ETIs, Data Legal Drive aims to offer secure, intuitive and collaborative software, whether you have an internal or external DPO, or none at all.

The solution was developed thanks to the extensive legal IT expertise of partner publishers and lawyers. It was named best Legal Tech at the Trophées du Droit as well as the Victoires de l'innovation juridique in 2019.

It helps companies accelerate their compliance from a legal, organizational and technical point of view. You can centralize your procedures while gaining access to state-of-the-art documentation. To-do lists, alerts and progress reports provide you with a concrete course of action to meet all legal criteria.

Features include:

  • mapping of processes and risks,
  • register creation,
  • compliance diagnosis using interactive questionnaires,
  • management and monitoring of contracts, amendments and other RGPD compliance documents,
  • management of requests from data subjects,
  • management of personal data breaches, identified internally or reported by your subcontractors,
  • follow-up of RGPD awareness training sessions,
  • documentary database with model clauses and contracts, legal notices,
  • legal watch,
  • legal and technical support chat with a legal expert, etc.

Compliance Booster (ex Smart GDPR)

Compliance Booster is a configurable, scalable solution that favors automation to facilitate the tasks of DPOs and data controllers.

It enables the DPO to conduct RGPD audits such as impact analyses, and to raise awareness among all employees and subcontractors via training courses, particularly on internal and external risk prevention.

Whatever your level of compliance progress, the tool supports you during the process and in maintaining good practices afterwards.
Designed by data protection officers, it is pre-configured for 55,000 businesses and 700 sectors, and can be extended to cover the world's top 10 data protection regulations.

Features include:

  • import of existing compliance work,
  • interoperability with your business software,
  • data and processing register,
  • automation of recurring tasks,
  • semi-automatic data processing mapping,
  • intelligent audits and impact studies,
  • compliance gap analysis with automatic, modifiable prioritization,
  • exportable specialized documentation,
  • integrated legal department,
  • financial risk coverage in the event of errors attributable to the platform, etc.

Present a true copy

Making your company RGPD compliant is not something to be taken lightly. Not only is it mandatory, but any negligence can result in significant penalties, affecting not only your wallet but also your company's brand image.

The ADEF association, which provides accommodation for students, single-parent families and migrants, was fined 75,000 euros two months after the regulations were introduced.

Regardless of the size of your organization and its resources, surround yourself with experts in the field. An RGPD compliance solution will guide you through the installation and monitoring of the regulations. Peace of mind is yours!

Article translated from French