Following the 384 inspections it carried out in 2021, triggered by complaints, data breach notifications and press reports, the CNIL published its strategic inspection priorities for 2022 on February 15.
The inspection plan focuses on three main areas: commercial prospecting, surveillance tools in the context of remote working, and the use of the Cloud.
Commercial prospecting, in its various forms, allows companies to retain existing customers or recruit new prospects. Abuse of these practices is the source of many complaints.
Points of attention: to be compliant, commercial prospecting based on the person's consent must respect a number of validity rules:
Recommendations: check that the required information appears on each data collection form, be able to trace each consent (date, time, place, form used), set up an opt-out list or a mechanism so that a withdrawal of consent is automatically reflected in the database, and respect the retention periods that apply to consent.
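One way to put these recommendations into practice, as an added example that is not part of the CNIL's publication or of this article: a small append-only consent ledger in Python. The recipient list is derived from the ledger at send time rather than kept as a separate opt-in table, so a withdrawal takes effect automatically; each consent carries the date, time, source and form identifier that an inspector may ask for; and consents older than a configurable retention period are no longer usable. The class and function names, the scenario data and the three-year retention value are assumptions for illustration, not figures taken from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ConsentEvent:
    """One opt-in or withdrawal, stored exactly as collected (never edited)."""
    subject_id: str
    purpose: str       # e.g. "email_prospecting"
    granted: bool      # True = consent given, False = consent withdrawn
    at: datetime       # collection time, timezone-aware (UTC)
    form_id: str       # identifier/version of the form the person saw
    source: str        # channel or place: "web:signup", "paper:store-12", ...


class ConsentLedger:
    """Append-only log of consent events (hypothetical design, not a CNIL
    artefact). Recipient lists are computed from the log at send time instead
    of being kept in a separate opt-in table, so a withdrawal is reflected
    automatically and there is no second copy that can fall out of sync."""

    def __init__(self, retention: timedelta) -> None:
        self.retention = retention  # how long a consent remains usable
        self._events: List[ConsentEvent] = []

    def grant(self, subject_id: str, purpose: str, form_id: str,
              source: str, at: datetime) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, True, at, form_id, source)
        self._events.append(ev)
        return ev

    def withdraw(self, subject_id: str, purpose: str, source: str,
                 at: datetime) -> ConsentEvent:
        ev = ConsentEvent(subject_id, purpose, False, at, "withdrawal", source)
        self._events.append(ev)
        return ev

    def history(self, subject_id: str, purpose: str) -> List[ConsentEvent]:
        """Full trace for one person and purpose, oldest first: this is what
        is produced on inspection (date, time, place, form)."""
        events = [e for e in self._events
                  if e.subject_id == subject_id and e.purpose == purpose]
        return sorted(events, key=lambda e: e.at)  # stable sort: ties keep insertion order

    def may_contact(self, subject_id: str, purpose: str, now: datetime) -> bool:
        """True only if the most recent event is a grant that has not expired."""
        events = self.history(subject_id, purpose)
        if not events or not events[-1].granted:
            return False                                # never consented, or withdrew
        return now - events[-1].at <= self.retention    # an expired consent is unusable

    def recipients(self, candidates: Iterable[str], purpose: str,
                   now: datetime) -> List[str]:
        """The only way a send job should obtain its recipient list."""
        return [s for s in candidates if self.may_contact(s, purpose, now)]


def demo() -> Dict[str, object]:
    """Constructed scenario (not real data); returns the decisions taken."""
    t0 = datetime(2022, 3, 1, 10, 0, tzinfo=timezone.utc)
    # Three-year retention is a placeholder for whatever period applies,
    # not a figure taken from the CNIL text.
    ledger = ConsentLedger(retention=timedelta(days=3 * 365))
    purpose = "email_prospecting"
    ledger.grant("alice", purpose, "signup-v3", "web:signup", t0)
    ledger.grant("bob", purpose, "signup-v3", "web:signup", t0)
    ledger.withdraw("bob", purpose, "email:unsubscribe-link", t0 + timedelta(days=2))
    ledger.grant("carol", purpose, "loyalty-v1", "paper:store-12",
                 t0 - timedelta(days=4 * 365))           # older than the retention period
    ledger.grant("erin", purpose, "signup-v2", "web:signup", t0)
    ledger.withdraw("erin", purpose, "email:unsubscribe-link", t0 + timedelta(days=1))
    ledger.grant("erin", purpose, "checkout-v1", "web:checkout", t0 + timedelta(days=2))
    now = t0 + timedelta(days=3)
    return {
        "alice": ledger.may_contact("alice", purpose, now),   # True
        "bob": ledger.may_contact("bob", purpose, now),       # False: withdrew
        "carol": ledger.may_contact("carol", purpose, now),   # False: expired
        "dave": ledger.may_contact("dave", purpose, now),     # False: never consented
        "erin": ledger.may_contact("erin", purpose, now),     # True: consented again
        "recipients": ledger.recipients(["alice", "bob", "carol", "dave", "erin"], purpose, now),
        "alice_form": ledger.history("alice", purpose)[-1].form_id,
        "erin_trace": [e.granted for e in ledger.history("erin", purpose)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that there is no separately maintained opt-out list to keep in sync: the ledger is the single source of truth, a withdrawal is just another appended event, and the send job asks the ledger who may be contacted at the moment of sending. The retention check is applied at the same point, so a consent that has aged out is treated exactly like a withdrawal.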
For more information: Practical sheet on consent and disclosures.
Reminder of CNIL sanctions handed down for non-compliance with consent rules: Brico Privé (€500,000), Nestor (€20,000), Performclic (€7,300).
Context: the massive and now widespread use of remote working may lead to the deployment of tools specifically designed to monitor employees' professional activity, or to existing tools being used for indirect surveillance, which amounts to a misuse of purpose (a breach of the purpose limitation principle).
These practices must remain legitimate and cannot infringe on employees' privacy.
Points of attention: devices deployed in the context of professional activity must be proportionate to the objective pursued and must not infringe on employees' privacy:
Recommendations: it is less intrusive, and more consistent with a relationship of professional trust, to monitor work by setting professional objectives over a given period and/or by having employees report regularly on their activity.
For more information: telework and the GDPR, the challenges for companies.
Reminder of CNIL sanctions for HR processing that infringed on employees' rights and freedoms: RATP (€400,000).
Reminder of the penalty handed down by the Versailles Correctional Court for spying on employees: IKEA (€1 million).
Context: the Cloud is a set of IT services (servers, storage, software) generally accessible over the Internet. By its nature it involves transfers of data across borders.
Points of attention: not all countries outside the European Economic Area offer adequate guarantees for the protection of personal data. The contractual framework must therefore be secured with regard to:
Recommendations: it is preferable to use a Cloud service provider hosted in one of the EEA member countries, to define contractually and explicitly the qualification (controller or processor) and the roles of the parties, and to put in place Standard Contractual Clauses (SCCs) where a transfer takes place.
For more information: international DPO support, and the options for data transfers after the invalidation of the Privacy Shield.
Reminder of CNIL sanctions finding a lack of contractual framework and/or incorrect qualification of the parties: Monsanto (€400,000), Slimpay (€180,000), the "Credential Stuffing" decision (€150,000 for the data controller and €75,000 for its data processor).
The priority areas identified by the CNIL do not exclude inspections of other compliance topics regularly raised during checks, in particular non-compliance with data retention limits, the use of cookies, the obligation to inform data subjects, and data security.
– Marie De Asis-Trem