
Tag Archives for "CNIL"

CNIL Fines French Real Estate Service Provider for Data Security and Retention Failures

On June 6, 2019, the French Data Protection Authority (the “CNIL”) announced that it levied a fine of €400,000 on SERGIC, a French real estate service provider, for failure to (1) implement appropriate security measures and (2) define data retention periods for the personal data of unsuccessful rental candidates.

Source: CNIL Fines French Real Estate Service Provider for Data Security and Retention Failures

CNIL releases its 2018 annual report and announces its next challenges for 2019

On April 15, 2019, the French Data Protection Authority (the “CNIL”) released its 2018 Annual Report.

In 2018 the CNIL:

  • received more than 11,000 data subjects’ complaints, which represents an increase of 32% as compared to 2017.
  • sought to provide professionals with guidelines and documentation and took into account the need for legal certainty in a context of increased sanctions and the demand for greater simplification for smaller businesses.
  • conducted 204 on-site inspections (including 20 on-site inspections of CCTV devices); 51 online inspections; 51 controls on a document production basis, and 4 hearings.
  • saw only 11 sanctions adopted by the Restricted Committee out of the 310 controls carried out.

Source: CNIL releases its 2018 annual report and announces its next challenges for 2019 – Privacy, Security and Information Law Fieldfisher

CNIL Publishes Binding Rules on Processing Biometric Data as Workplace Access Control

On March 28, 2019, the French data protection authority (“CNIL”) published a “Model Regulation” addressing the use of biometric systems to control access to premises, devices and apps at work.

The Model Regulation lays down binding rules for data controllers who are subject to French data protection law and process employee biometric data for such purposes.

Source: CNIL Publishes Binding Rules on Processing Biometric Data as Workplace Access Control

Year 1 of GDPR: Over 200,000 cases reported, firms fined €56 meeelli… Oh, that’s mostly Google

European data protection agencies have issued fines totalling €56m for GDPR breaches since it was enforced last May, from more than 200,000 reported cases – but watchdogs have said they’re just warming up. However, almost all of it comes from French data watchdog CNIL’s €50m fine for Google.

One thing that did change immediately under GDPR, if not the fines, was the number of incident reports. This was particularly so for companies turning themselves in over data breaches. In the first nine months, there were 206,326 cases reported under the new law from the supervisory authorities in the 31 countries in the European Economic Area.

Source: Year 1 of GDPR: Over 200,000 cases reported, firms fined €56 meeelli… Oh, that’s mostly Google • The Register

CNIL Publishes FAQs to Prepare for a No-Deal Brexit

On February 20, 2019, the French data protection authority published a set of questions and answers to specify the CNIL’s recommendations and steps that organizations should take to prepare for a no-deal Brexit.

Source: CNIL Publishes FAQs to Prepare for a No-Deal Brexit | Privacy & Information Security Law Blog

What happened to the one-stop shop?

At the time of the adoption of the EU General Data Protection Regulation, the European Commission touted a one-stop-shop enforcement mechanism as the GDPR's benefit for companies: for controllers or processors with more than one establishment in the EU, the supervisory authority of the “main establishment” of that controller or processor in the EU would serve as the “lead SA” for its “cross-border processing” activities.

In the first landmark enforcement decision under the GDPR, the CNIL fined Google 50 million euros, despite the fact that the complaints concerned cross-border processing in the EU, which calls for one-stop shop enforcement.

Full article: What happened to the one-stop shop?

Data location vendor worked with GDPR regulator on data consent model, yielding 70% opt-in rates

Last August French privacy regulator CNIL cited two French location-intelligence companies (Fidzup and Teemo) as non-compliant with GDPR consent rules (as well as French privacy law).

Teemo then worked cooperatively with CNIL to develop specific consent language around third-party use of location data. Surprisingly, the opt-in rates were 70%. Teemo says that transparency gives consumers a sense of control and they respond positively as a result.

Source: Data location vendor worked with GDPR regulator on data consent model, yielding 70% opt-in rates – MarTech Today

Learning from Google’s record-setting GDPR fine

With the French Data Protection Authority (CNIL) disclosing on January 21st a 50 million euro fine against Google LLC, we now have a precedent against which to evaluate the impact and reach of GDPR enforcement.

This is significant as, with this precedent, we can determine some of the factors a Data Protection Authority (DPA) will use in assessing the extent of a given violation.

Full article: Learning from Google’s record-setting GDPR fine

Google fined €50 million in France for GDPR breach about consent

France’s Data Protection Authority, the CNIL, has today announced a 50 million euro fine on Google LLC for lack of transparency, inadequate information and lack of valid consent regarding the personalisation of advertisements.

The case was initiated by two associations, None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”). LQDN had the support of 10,000 people in referring the matter to the CNIL. The CNIL says that the GDPR “one-stop-shop mechanism” was not applicable as the DPAs consider that Google did not have one main establishment in the European Union.

Source: Google fined €50 million in France for GDPR breach about consent – Privacy Laws & Business

CNIL Fines French Telecom Operator for Data Security Failure

On December 27, 2018, the French Data Protection Authority (the “CNIL”) announced that it imposed a fine of €250,000 on French telecom operator Bouygues Telecom for failing to protect the personal data of the customers of its mobile package B&YOU.

Full article: CNIL Fines French Telecom Operator for Data Security Failure
