Preserving personal data is one of the major issues of our time. It is essential to know who to contact if your rights are violated. In France, several authorities are responsible for protecting personal data (surname, first name, postal address, Social Security number, etc.). Each has specific responsibilities and areas of intervention.
The French Data Protection Authority (CNIL)
What is the CNIL?
The CNIL was established by the French Data Protection Act of January 6, 1978. It ensures the protection of personal data contained in computer or paper files, whether public or private. It ensures that data processing does not harm :
- To human identity;
- To human rights ;
- Privacy ;
- Public freedoms, both individual and collective.
This independent administrative authority (AAI) is made up of 18 elected and appointed members.
What does the CNIL do to protect personal data?
CNIL has four main missions.
Informing, protecting rights
One of the CNIL's key missions is to respond to requests from individuals and companies. At the same time, it implements communication initiatives aimed at the general public: press, website, social networks. It receives complaints from citizens in connection with :
- Online reputation, with requests to remove content from the web;
- Commerce. For example, opposition to receiving commercial e-mails;
- Human resources (HR), on the subject of video surveillance and geolocation of employee vehicles;
- The bank and borrowing. The complaint may relate to an entry in one of the Banque de France files.
Support for compliance/advice
CNIL is helping both private and public players to comply with the General Data Protection Regulation (GDPR). It offers them a toolbox adapted to their size and needs. The independent authority also advises and regulates. For example, it gives its opinion on draft texts concerning the protection of personal data.
Anticipating, innovating
The Commission Nationale de l'Informatique et des Libertés (CNIL) is contributing to a debate on the ethical issues surrounding data with :
- Its digital innovation laboratory, known as LINC ;
- The Foresight Committee ;
- The CNIL-INRIA European Prize ;
- Privacy Research Day, a major academic conference on data protection.
Control, sanction
The CNIL has the right to monitor private and public organizations. If it finds any breaches, it can issue formal notices or even impose sanctions. In 2022, the authority carried out 345 inspections, 147 of which resulted in a formal notice. Sanction procedures include :
- The ordinary sanction procedure, with fines of up to 20 million euros;
- The simplified sanction procedure, reserved for less complex or less serious cases.
What is CNIL's role?
The CNIL regulates personal data in the digital world. It supports companies in their compliance efforts, while helping individuals to exercise their various rights. As a reminder, individuals whose data is collected have several rights:
- The right to access data, at any time, without limitation;
- The right to rectify stored data and to object to their use;
- The right to portability, consisting in recovering the data provided, then transferring them to a third party;
- The right to be forgotten, based on the deletion of one's data and its dereferencing;
- The right to notification if data security is breached;
- The right to compensation for damage, whether material or moral, caused by the violation of GDPR ;
- The right to make a claim or appeal through a group action.
Dataventure is GDPR compliant
Dataventure designs conquest operations in line with GDPR. It uses opt-in databases as part of its performance e-mailing and SMS marketing solutions. It offers to rent targeted files and enrich data by drawing on its network's 100 million qualified opt-in profiles.
Co-sponsoring, co-registration, clic-lead... Every month, more than 3 million addresses are collected for major advertisers. Dataventure is one of France's leaders in opt-in.
Good to know: All collection systems offered by Dataventure are billed net of deduplication. In other words, only opt-in profiles not yet present in your active database are delivered to you.
General Directorate for Competition, Consumer Affairs and Fraud Control (DGCCRF)
What is the DGCCRF?
The DGCCRF is one of the departments of the Ministry of the Economy. It participates in the design and implementation of economic policy. It ensures that markets operate smoothly, while serving consumers and businesses.
What are the DGCCRF's missions in relation to the protection of personal data?
The DGCCRF carries out investigations and checks to ensure that companies comply with the rules governing the protection of personal data. It sanctions companies that fail to comply with provisions concerning the processing of sensitive data. It informs consumers of their rights regarding the protection of personal data. The Ministry of the Economy's data protection department makes consumers aware of the dangers associated with the use of personal data.
In 2019, the CNIL and the DGCCRF signed a new cooperation protocol. The aim of the two authorities? To increase consumer protection and that of their personal data, while adapting it to new digital challenges. More specifically, their cooperation aims to :
- To draw people's attention to the risks involved in communicating their personal information;
- Disseminate the best cases deployed by professionals;
- Simplifying the communication of information relating to non-compliance with consumer law and the protection of personal data;
- Carry out joint controls ;
- Working together to put forward proposals for action at European level;
- Pooling expertise, particularly in terms of survey tools;
- Share their analyses of legislative and regulatory changes to protect consumers and their personal information.
Council of State
What is the Conseil d'État?
The Conseil d'État, established by Napoleon Bonaparte in 1799, is the highest administrative court in France. Its role is to advise the government. It has 300 members. They include conseillers d'État, maîtres des requêtes and auditeurs.
What does the Conseil d'État do to protect personal data?
The Conseil d'État rules on administrative disputes concerning the protection of personal data. It may be consulted by the government to give its opinion on questions concerning the protection of personal data. It issues recommendations concerning the collection and processing of sensitive data. The Conseil d'État verifies the legality of CNIL decisions. Finally, it rules on conflicts of jurisdiction.
For example, in June 2020, the Conseil d'État rejected Google 's appeal against the financial penalty administered by the CNIL. According to the Conseil, the American company had failed to meet its information and transparency obligations. Moreover, it ruled that the financial penalty of 50 million euros was not disproportionate.
In June 2020, the Conseil d'Etat approved the majority of the CNIL's guidelines on cookies and tracers. It did, however, overturn the provision imposing a general and absolute ban on the practice of "cookie walls". The latter consists in blocking access to a website if cookies are refused.
The judicial courts
What are courts of law?
The Judicial Court was born of the merger of two jurisdictions:
- Tribunal d'instance (TI);
- The district court (TGI).
It has jurisdiction over all disputes not assigned to another specialized court.
How do I go to court?
The court can be seized through :
- A writ of summons. This takes the form of a document issued by a commissioner of justice (formerly a bailiff's document) informing an adversary that a lawsuit has been filed against him/her. He summons him to appear before a court. The deed must include compulsory details such as the place, day and time of the hearing, the grounds for the dispute and the way in which the adversary is to appear before the court;
- A petition. This is a formal document used to bring a case before a court of law. You can draft it yourself, if you don't need to be represented by a lawyer, or you can call on the services of a lawyer;
- A joint petition, if both parties agree that the dispute should be settled by the court.
The judge may order the parties to have recourse to mediation beforehand.
What do the courts do to protect personal data?
The Judicial Court judges infringements of sensitive data protection. It awards compensation to victims of personal data protection violations. It issues injunctions to put an end to such violations. Finally, it has the power to impose sanctions.
As an illustration, in March 2021, following a data leak discovered by the CNIL, the Paris judicial court ordered internet service providers (ISPs) to suspend access to a website. The site contained the health data of 500,000 individuals.
The Collective for Digital Marketing Actors (CPA)
It's a professional organization with 88 members, all specialists in digital marketing. They work in a wide range of fields: affiliation, acquisition e-mailing, couponing, qualified lead generation, display, legal, etc.
140 companies have signed the CPA e-mail charter. They commit to :
- Implement address collection and monetization practices that comply with GDPR ;
- Use a third-party tool to encapsulate collection forms.
How does the CPA contribute to the protection of personal data?
The Collectif pour les acteurs du marketing digital works to regulate market practices. It promotes their development in a way that respects consumers, by publishing quality charters. The syndicate maintains a legal watch to inform and train its members on current and substantive issues.
The CPA is made up of several colleges:
- Retail;
- Email ;
- Lead;
- Search;
- Legal ;
- E-Marketing technologies ;
- Professions & Skills.
Among them, the Collège Juridique, created in 2017, positions itself on various legal subjects. It is made up of lawyers, legal experts and performance marketing experts. Fabrice Perbost, its president, is a lawyer at the Paris bar. He teaches e-commerce and data law at the Université Paris-Panthéon-Assas.
In April 2021, the Collège Juridique published a practical guide to the CNIL recommendation: cookies and other tracers. It supports CPA members in bringing their consent systems into compliance. It comprises 14 practical sheets, addressing the points raised by the CNIL, notably informed consent, the clear positive act and proof of consent.
In January 2021, the Collège Technologies E-Marketing published cookieless data sheets. Their aim? To inform advertisers about the implications of the end of third-party cookies. They present alternative solutions for continuing to track Internet users.
In France, numerous authorities monitor compliance with directives governing the processing of personal data. Collection, recording, storage, modification, consultation, dissemination, deletion... Companies do not have all the rights. They must comply with current legislation. To set up GDPR friendly campaigns, contact our experts.
