Authors: Denise Lebeau-Marianna & Divya Shanmugathas

The French Supervisory Authority (the “CNIL”) regularly conducts investigations based on various triggering events such as a complaint, an article or its annual program that the CNIL regularly publishes on its website.

On 15 February 2022, published a post regarding its upcoming dawn raids for 2022.

As a reminder, in 2021, the CNIL’s priority topics were (i) the cybersecurity of the French websites, (ii) the security of the health data and (iii) compliance with the rules applicable to cookies and other trackers further to its recommendations and guidelines released in March 2021.

For 2022, the CNIL has decided to focus its attention on three topics which should represent one third of the dawn raids to be carried out. One of the topics relates to marketing rules, which are regularly monitored by the CNIL due to the number of claims received. Another key topic is teleworking which developed with the pandemic. The third topic is the use of the cloud services, which is becoming an increasingly sensitive issue within the EU in particular in relation to transfers to the US.

  • Direct marketing

Further to a public consultation, the CNIL has published the final version of its reference framework for the processing of personal data in the context of “Commercial Management”. This reference framework includes the applicable legal basis for each type of processing activity, the relevant data retention terms and the technical and organizational measures to ensure the security of the personal data. The CNIL refers to the several guidelines it has published to help the various stakeholders, notably in relation to direct marketing (email, SMS, phone, post), commercial management, cookies and others trackers, attendance measurement systems, behavioral targeting, online payments, and templates of information notices.

The CNIL also provides further guidance regarding the transmission of personal data, with or without remuneration, to business partners (e.g., data brokers, data resellers) and will particularly check the “compliance of these professionals and intermediaries” with the CNIL’s guidance in this reference framework.

  • Monitoring telework

With the COVID-19 pandemic, and the return to normal life, the use of telework has developed with specific tools, including those enabling employers to monitor the teleworking of employees.

Since 2020, the CNIL provided several rules and good practices notably through a Q&A regarding the teleworking, advising employers on the implementation of reinforced security measures to ensure the security of the personal data processed by  employees who telework and precautions to take  when using visio conference tools, to ensure the right balance between privacy at work and employer’s legitimate interest to monitor its employees work.

As a result, employers allowing teleworking have to ensure that such practice does not infringe the GDPR and the CNIL’s guidance.

  • Use of cloud computing

Given the use of cloud computing technologies in all sectors, the CNIL is particularly concerned by the massive  international data transfers to third countries that cloud computing technologies entail, as well as the risk of data breaches.

Regarding, the international data transfers, the CNIL has announced that it “will be looking in greater detail the conditions of  data transfers and the contractual framework implemented between companies (acting as data controllers) and cloud solution providers (acting as processor)”.

At the same time, the EDPB released a press release informing the launch of coordinated enforcement on the use of cloud technologies in the public sector. In France, the CNIL has already announced its  investigations into five ministries. Therefore, the public sector stakeholders appears to be the priority for the CNIL, notably on the following subjects: process and safeguards implemented when acquiring cloud services, challenges related to international transfers, and provisions governing the controller-processor relationship.

However, private sector stakeholders should not become complacent, as investigations could potentially shift to the private sector. It is therefore important to get prepared and start the compliance review and risk assessment process in relation to any international data transfers that may occur in the context of processing activities using cloud computing.

Regarding possible data breaches that may occur in the context of cloud computing technologies, the CNIL confirmed that this is an issue which is under scrutiny, but did not detail the points of control. We can anticipate that the CNIL’s agents will check the record of breaches, and the decisions to whether or not to notify a breach, and will review the related documentation, including the existence of an internal data breach procedure in compliance with the French Data Protection Law.

Controllers and processors should therefore get prepared and document their various compliance efforts for 2022!

For more information, please contact, Partner.