Analysis of the CNIL’s control areas for 2022

Publié le 14 March 2023
cct cnil

Following its 384 inspections in 2021 based on complaints, data breach reports and news, the CNIL published its strategic control lines for 2022 on February 15.

The control plan focuses on three main areas: commercial prospecting, surveillance tools in the context of remote working, and the use of the Cloud.

1. Commercial prospecting

Commercial prospecting allows companies to retain their customers or recruit new prospects in various forms. The abuse of these approaches is the source of many complaints.

Points of attention: to be compliant, commercial prospecting, based on the person’s consent, must respect a certain number of rules of validity:

  • Informing peopleabout the collection of data on their use for commercial communication purposes in a clear and readable manner;
  • Specific manifestation of a will that corresponds to an active and explicit step of the person:
    • In the case of postal and telephone prospecting: the person must be informed at the time of data collection of their use and must be able to refuse their use for commercial purposes (= OPT OUT),
    • In the case of email, SMS/MMS prospecting: the individual must be informed at the time of data collection of their use and must specifically give consent to their use for commercial purposes (= OPT IN);
  • Freedom to consent/refuse without the choice impacting the originally intended processing (e.g.: online shopping, insurance purchase etc.);
  • Consent must be provable by the data controller of the collection;
  • Opposition to commercial prospecting must be able to be carried out in a comprehensible, easy and effective way;
  • The deletion of data in the absence of prospect activity on the sending of prospecting for 3 years from the last action (ex: link opening).

Recommendations: control the appearance of information on each data collection form, be able to trace consent (date, time, place, form), set up an opt-out list or mechanisms to allow the withdrawal of consent to be automatically reflected in the database, respect the retention periods of consent.

For more information: Practical sheet on consent and disclosures.

Reminder of CNIL sanctions handed down for non-compliance with consent: Brico Privé(€500,000), Nestor(€20,000), Performclic(€7,300).

2. Tools for monitoring work activity

Context: the massive use of remote working and its generalization may lead to the development of specific tools for monitoring the professional activity of employees, or the use of tools for indirect surveillance purposes that may lead to a misuse of purpose.

These practices must remain legitimate and cannot infringe on the privacy of the employee.

Points of attention: the implementation of devices in the context of professional activities must be proportionate to the objective pursued without infringing on the privacy of the employee:

  • The obligation of loyalty requires the employer to inform employees of monitoring devices prior to their implementation, in particular by consulting staff representatives;
  • Respect for privacy by design requires the employer to inform employees of the monitoring devices prior to their implementation.
  • requires the registration of remote working surveillance processing in the processing register and the analysis of the risk for the rights and freedoms of individuals (PIA);
  • The surveillance cannot be permanent if the nature of the task does not justify it. Also, in the same way as video surveillance to monitor professional activity on the premises, the use of screen monitoring software and typing is disproportionate;
  • The triggering of the camera in video conference may be required if the employer has set up a blurring background device and/or in the particular case of an HR interview;
  • The supervision of remote working should be done in the employment contract and by the establishment of an internal security charter in the context of remote working.

Recommendations: it remains less intrusive and more linked to a professional trust relationship to set up a control by professional objectives over a given period and/or regular reporting by the employee of his activity.

For more information:telework and RGPD, the challenges for companies.

Reminder of CNIL sanctions related to the implementation of HR processing that infringes on employees’ rights and freedoms: RATP(€400,000).

Penalty appeal from theVersailles Correctional Court regarding spying on employees: IKEA(€1 million)

3. Use of the Cloud

Context: The Cloud is a set of IT services (server, storage, software) generally accessible from the Internet. This new technology is exposed to data transfers across borders.

Points of attention: all countries outside the European Economic Area do not offer adequate guarantees in terms of personal data protection. It is then a matter of ensuring the contractual framework as to:

  • The supervision of data transfers to countries recognized by the European Commission, with the implementation of standard contractual clauses in particular;
  • The contractual framing of the parties with the qualification of the roles of each actor (data controller, data processor, co-controller, separate manager) and the resulting obligations.

Recommendations: it is preferable to use a Cloud service provider hosted in one of the EEA member countries, to contractually and specifically frame the qualification and roles of the parties, to put in place CCTs in the event of a transfer.

For more information: international DPO support and possibilities for data transfers after the Privacy Shield is cancelled.

Reminder of CNIL sanctions noting the lack of a contractual framework and/or poor qualification of the parties: Monsanto(€400,000), Slimpay(€180,000), Credential Stuffing(€150,000 and €75,000 for the data controller and its data processor).

The areas of control identified by the CNIL do not exclude the control of other areas of compliance regularly brought up during inspections such as the failure to comply with the limitation of data retention, the use of cookies, the observance of the obligation to inform data subjects, the security of data in particular.

– Marie De Asis-Trem