THE CNIL IN A NUTSHELL (2017). Protect personal data. Accompany innovations. Preserve civil liberties. www.cnil.fr


THE CNIL IN 2016

ADVISING AND REGULATING
- 3 078 adopted decisions and deliberations, of which 190 authorisations and 145 requests for an opinion
- 1 976 transfer authorisations
- 54 000 simplified formalities
The CNIL supports the development of new technologies on a daily basis and takes part in the construction of a digital ethic.

ACCOMPANYING COMPLIANCE
- 102 629 formality files
- 14 734 declarations processed regarding video surveillance systems
- 7 370 declarations processed regarding geolocation devices
- 97 privacy seals delivered
- 316 biometric system authorisations
- 17 725 organisations have appointed a data protection officer

PROTECTING CITIZENS
- 7 703 complaints, of which 33 % relate to prospecting
- 410 complaints following the refusal of a request to be de-listed by search engines
- 4 379 requests for access to police files, surveillance files, FICOBA, etc.

INVESTIGATING
- 430 investigations, including 100 online investigations
- 7 909 inspections carried out
- 94 investigations regarding video surveillance

RENDERING ORDERS AND ISSUING SANCTIONS
- 82 orders rendered
- 13 sanctions issued: 9 warnings and 4 financial sanctions

THE CNIL WORKFORCE
- 195 jobs
- 63 % female, 37 % male

WHAT IS PERSONAL DATA?
Personal data is any information relating to a natural person who may, directly or indirectly, be identified by an identification number (e.g. a social security number) or by one or more elements unique to that individual (e.g. first name and surname, date of birth, biometric elements, fingerprints, DNA, etc.).

STATUS & COMPOSITION

AN INDEPENDENT ADMINISTRATIVE AUTHORITY
Created in 1978, the CNIL is an independent administrative authority that exercises its functions in accordance with the French Data Protection Act of 6 January 1978, amended on 6 August 2004. The CNIL's independence is guaranteed by its composition and its organisation. The eighteen members that form the commission are for the most part elected by the assemblies or jurisdictions to which they belong. The CNIL elects a Chair among its members and does not receive instructions from any other authority. Isabelle Falque-Pierrotin, State council member, has been Chair of the CNIL since 2011. The CNIL's services are made up of 195 contract agents.

The 18 commissioners:
- 4 parliamentarians (2 assembly members, 2 senators)
- 2 members of the French Economic, Social and Environmental Council
- 6 representatives of high jurisdictions (2 State council members, 2 members of the Court of cassation, 2 members of the Court of Audits)
- 5 qualified experts appointed by the President of the National Assembly (1 expert), the President of the Senate (1 expert) and the French Cabinet (3 experts)
- the Chairman of the Freedom of Information Commission (CADA, Commission d'accès aux documents administratifs)
The mandate of the commissioners is 5 years or, for parliamentarians, a term identical to that of their parliamentary mandate.

FUNCTIONING

PLENARY SESSIONS
The members of the CNIL hold a plenary session once a week, according to an agenda set by the Chair. A substantial part of these sessions is dedicated to the review of draft legislation and decrees submitted by the government for an official CNIL opinion. In addition, the CNIL authorises highly sensitive processing operations, including those requiring the use of biometrics. It also analyses the consequences of new technologies on citizens' private lives.

RESTRICTED COMMITTEE
The CNIL's restricted committee includes 5 members and a Chairman separate from the Chair of the CNIL. This committee can impose various sanctions on data controllers who do not respect the law. Financial sanctions can reach up to 3 million euros and can be made public.

INFORMING, EDUCATING
The CNIL has the general mission of informing individuals of the rights afforded to them by the French Data Protection Act. It responds to requests from individuals and companies alike; in 2016, it received more than 166,500 phone calls. The CNIL leads communication campaigns targeting the general public through the press, its website, its presence on social networks and learning resources. As well as being directly consulted by many organisations, companies and institutions to conduct awareness campaigns and training programmes on the Data Protection Act, the CNIL takes part in conferences, trade shows and workshops in order to inform and be informed. It brings together a collective of over 60 organisations which run campaigns in favour of educating the public about digital technologies.

PROTECTING CITIZENS' RIGHTS
Any individual can contact the CNIL upon experiencing difficulties in exercising their data protection rights. The CNIL ensures that citizens can effectively access their data contained in any processing operation. In 2016, the CNIL received 7,703 complaints, regarding:
- e-reputation (requests for the removal of internet content);
- commerce (objections to receiving email marketing);
- human resources (supervision mechanisms: video surveillance, geolocation of vehicles);
- banks and loans (contesting registration within the files of the Banque de France).
A "Need help?" service is available on cnil.fr. It offers 500 useful questions and answers as well as the opportunity to submit a request (over 12,000 requests received in 2016).

WHAT ARE YOUR RIGHTS?
The right of access: you may ask the data controller directly whether they hold information on you, and request that they disclose all of this data to you.
The right to request rectification: you may request the rectification of incorrect details about yourself. This right complements the right of access.
The right to object: you may object, on legitimate grounds, to the filing of your data. You may also object to the distribution, transmission or storage of your data.
The right to be de-listed: you may request that a search engine de-list a website associated with your first name and surname.
The right of access to police files, surveillance files, FICOBA, etc.: when it is not possible for you to request access to your data directly from the police, the surveillance services or the tax authorities, the right of access is exercised indirectly through the CNIL.

Correspondant Informatique et Libertés

ADVISING AND REGULATING
Various tools are used to regulate personal data:
- authorisations for the implementation of sensitive data processing;
- official opinions on the government's draft legislation involving data protection or the creation of new files;
- legal frameworks setting out good practices in certain domains;
- recommendations allowing the CNIL to set out its doctrine in different domains;
- requests for advice from data controllers, in increasing numbers, notably through data protection officers.
The activity report for 2016 shows a sharp increase in activity compared with the previous year, with 3 078 adopted decisions and deliberations.

ACCOMPANYING COMPLIANCE
The objective is to propose a compliance toolbox using the different means of action at the CNIL's disposal:
- data protection officers (Correspondants Informatique et Libertés), who form the authoritative network of experts;
- the development of privacy seals and BCR (Binding Corporate Rules), which govern the transfer of personal data within multinational companies outside the European Union;
- the creation of compliance packages, sector-based reference models covering an entire sector or professional branch.

PRIVACY SEALS
The CNIL is able to deliver privacy seals for products or procedures which deal with the protection of personal data. The CNIL privacy seal allows a company to set itself apart from others by the quality of its services. For users, it is a confidence indicator for certified products, procedures and organisations, which allows them to identify and favour organisations that guarantee a high level of protection for their personal data.

REGISTERED DATA PROTECTION OFFICERS
18,000 organisations have already appointed officers, of whom there are 5,000. Their role as compliance managers is established by the European regulation. The appointment of a data protection officer (DPO) will be mandatory for numerous organisations, particularly public bodies, in May 2018. The WP29 guidelines (from the group of European data protection authorities) specify the criteria set out by the regulation for this new officer function. The CNIL helps DPOs prepare for changes in their roles through dedicated tools: a "become an officer" section on cnil.fr and new information workshops.

ANTICIPATING
Within the framework of its innovation and foresight activities, the CNIL strives to combine two objectives: taking new subjects (trends, technologies, upcoming uses of data) into consideration at a very early stage; and assessing case studies and analyses through innovative projects and tools.

LINC, A NEW MEDIUM DEDICATED TO DIGITAL INNOVATION
In order to contribute to discussions on digital technologies, the CNIL launched LINC, the Laboratoire d'Innovation Numérique de la CNIL (CNIL Laboratory for Digital Innovation). Insights and forward thinking, sharing and experimenting are at the heart of this editorial space.

THE LABORATORY
The CNIL created, within its walls, a laboratory with dedicated IT resources for testing and experimenting with innovative products and applications. Through this laboratory, it can obtain products as far ahead of their commercialisation as possible, in order to test their functions and evaluate their potential impact on the protection of privacy. In keeping with privacy by design, the CNIL intends to reinforce its consulting role for companies regarding the integration of personal data protection requirements into their technological development processes. Finally, the CNIL aims to contribute to the development of technological solutions that protect citizens' private lives.

INSPECTING AND SANCTIONING
Ex-post investigations are considered a favoured method of intervention towards personal data controllers. They allow the CNIL to ensure concrete implementation of the law. The investigations programme is established according to current events and core issues (current events, new technologies) which are brought before the CNIL. Following investigations or complaints, the CNIL's restricted committee (composed of 5 members and a Chairman separate from the CNIL's Chair) can issue various sanctions, which include:
- a warning, which can be made public.
If the Chair of the CNIL has already rendered an order, and the data protection officer did not conform to said order, the restricted committee, through adversarial proceedings, may issue:
- a financial sanction (except for Government data processing) up to a maximum of 3 million euros. This sanction can be made public; moreover, the restricted committee can also demand that the sanction be published in the press at the cost of the sanctioned organisation. The total amount paid under such sanctions is collected by the Public Treasury, not by the CNIL;
- a cease-and-desist injunction on data processing;
- a withdrawal of the prior authorisation given by the CNIL.

ETHICS AND DIGITAL TECHNOLOGY, A NEW MISSION FOR THE CNIL
Since 2016, legislation has entrusted the CNIL with the mission of giving further thought to ethical issues arising from the evolution of digital technologies. In 2017, the CNIL decided to concentrate on algorithms and artificial intelligence, calling on concerned parties to organise public debates, workshops or meetings. 30 partners participate in this CNIL initiative.

THE FORESIGHT COMMITTEE
Comprised of 15 members from outside the CNIL, this committee strives to stimulate the CNIL's discussions on societal and ethical issues regarding digital technologies, in order to better grasp their impact on the rights and freedoms of citizens. It is a constructive space for exchanges. In 2017, it will notably study the place of citizens in a Smart City.

THE EUROPEAN REGULATION
The European general data protection regulation was published on 4 May 2016. It provides for Europe's adaptation to the new realities of digital technology and will be applicable from 25 May 2018 in all European Union countries. It reinforces European citizens' rights and gives them more control over their personal data. It also simplifies formalities for companies and provides them with a unified framework. The reform of data protection rules has three objectives:
- reinforce citizens' rights, particularly by creating a right to data portability and provisions specific to minors;
- hold data protection officers accountable (data controllers and data processors);
- lend credibility to regulation through reinforced cooperation between data protection authorities, who will notably be able to make joint decisions regarding transnational data processing and issue reinforced sanctions.

WHAT WILL CHANGE FOR PROFESSIONALS
While organisations' requirements under the French Data Protection Act rest primarily on prior formalities (declaration, authorisation), the European regulation is based on accountability and transparency. This concept of accountability translates into:
- taking data protection into account by default, right from the design of a service or a product;
- implementing in-house an organisation, measures and tools which guarantee optimal protection of the individuals whose data is being processed.
In practice, organisations will need to:
- conduct an inventory of all data processing carried out;
- assess practices and implement procedures (notification of data protection breaches, management of claims and complaints, etc.);
- identify the risks associated with data processing operations and take the necessary measures to prevent their occurrence;
- maintain documentation ensuring the traceability of the measures taken.

NEW TOOLS FOR COMPLIANCE
From an operational viewpoint, compliance with the European regulation rests on various tools:
- processing records and internal documentation;
- Privacy Impact Assessments (PIA) for processing presenting a risk;
- the notification of data protection breaches.
Implementing these tools first requires the appointment of an internal manager: the data protection officer, the true conductor of data protection within the organisation. Beyond this, the principle of accountability must translate into a change in internal culture and mobilise internal or external skills (CIOs, providers, legal services, trade services). To help organisations coordinate, the CNIL offers a dedicated section, a method and tools to prepare for the regulation in 6 steps. This allows organisations to ensure they have anticipated and implemented the essential measures necessary in order to be ready in 2018.

WHAT WILL CHANGE FOR PRIVATE INDIVIDUALS
The European regulation consolidates the central role of the individual and reinforces the individual's control over his or her data. It applies as soon as a European resident is substantially affected by data processing. Global players will therefore be subject to European law if they offer a product or service to a European citizen, even remotely. This criterion, called targeting, represents a significant evolution: henceforth, the territoriality of European data protection law is built around the individual, and no longer solely around a company's place of establishment. The regulation recognises the right of individuals to:
- clearer and more accessible information;
- reinforced protection of children, by obtaining parents' consent;
- a new right to data portability, which allows individuals to retrieve their data in an easily reusable form and transfer it to a third party;
- compensation for material or moral damage, particularly as part of group actions.
FRANCOPHONE COUNTRIES
For about ten years, the CNIL has been engaged in promoting data protection within francophone countries. These actions led to the creation of the Association Francophone des Autorités de Protection des Données Personnelles (Association of Francophone Data Protection Authorities) in 2007, in partnership with the International Organisation of La Francophonie (OIF), and have brought about the adoption of legislation on the right to privacy in francophone countries such as Burkina Faso, Tunisia, Morocco, Madagascar and Mali. In 2016, 59 francophone countries out of 84 had legislation on data protection and 51 had appointed a data protection authority.

WP29
Since February 2014, the CNIL's Chair has presided over WP29, the working party which brings together the 28 European data protection authorities. In particular, the working party develops the guidelines which unify and clarify the interpretation of the regulation's essential provisions.

CONTACT THE CNIL
Commission Nationale de l'Informatique et des Libertés
3 place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, FRANCE
Tel. +33 (0)1 53 73 22 22
Fax +33 (0)1 53 73 22 00
www.cnil.fr
www.educnum.fr
http://linc.cnil.fr
https://twitter.com/cnil
https://fr-fr.facebook.com/cnil/
https://fr.linkedin.com/
AGENCE LINÉAL - 03 20 41 40 76