Since the GDPR took effect on 25 May 2018, the penalties imposed by the CNIL (the French supervisory authority) for non-compliance have been accumulating one after the other, whether for insufficient security, lack of transparency, unsatisfactory information or even lack of valid consent. UBER, BOUYGUES TELECOM and GOOGLE LLC are but a few examples of recently sanctioned companies.
In practice, formal notices or sanctions issued by the CNIL for non-compliance only concern the legal entity, the only “person” affected by administrative sanctions. In most cases, the CEO (chief executive officer), in his/her capacity as representative, is only notified of the CNIL’s decision. However, s/he will be responsible for remedying the deficiencies identified by the supervisory authority.
CEOs often tend to neglect their personal responsibility. However, Article 24 of the GDPR provides for the possibility of engaging the controller’s liability.
Thus, in terms of sanctions, the CEO of the organization is not always spared from risk. Indeed, in the event of his/her company's non-compliance with the GDPR, s/he is personally exposed to the risk of personal liability.
The criminal liability of the CEO
As the representative of the data controller, the CEO is responsible for ensuring that his/her company complies with the requirements of the GDPR (compliance with the principles of lawfulness of processing, guaranteeing data security and integrity, ensuring the rights of the data subjects, etc.).
As such, s/he ensures that appropriate technical and organisational measures are put in place within the organisation to minimise the risk of sanctions for the company. There is no need to recall the risk of administrative fines of up to 4% of worldwide annual turnover or €20 million.
However, in addition to the sanctions for the legal entity, the CEO may be held personally liable. Indeed, if s/he fails to exercise due diligence in monitoring the implementation of these measures by employees, s/he may be held accountable.
The interplay between the GDPR and French legislation
It goes without saying that the liability of a legal entity does not necessarily shield the CEO in the event of a conviction. If the CNIL finds breaches during an inspection, it has the right to refer the matter to the Public Prosecutor for criminal proceedings against the CEO.
Thus, as soon as the CEO has had personal knowledge of the breaches reported by the supervisory authority, s/he is required to do everything possible to comply with the requirements of the GDPR. In the case of negligence in compliance, s/he can be accused of the following facts:
Articles 226-16 et seq. of the French Penal Code provide for a penalty of 5 years' imprisonment and a fine of €300,000 for a CEO who fails to comply with his/her compliance obligations (collecting data by fraudulent or unlawful means, processing data despite the objection of the person concerned, retaining data beyond the legal period provided for, etc.).
More frequently, alternative sanctions provided for in Article 131-6 of the Penal Code, which remain equally binding, may be imposed, namely:
Case study
In 2013, the IKEA brand was prosecuted during an investigation concerning the “habitual concealment” of offences. Among these offences, IKEA is accused of “unlawful espionage of its employees”, in particular by unofficially checking their criminal records. At the heart of this offence is the protection of personal data, although the CNIL did not initiate this procedure.
IKEA’s CEOs were placed under judicial supervision as representatives for “complicity in the collection of personal data contained in a file by fraudulent, unfair or unlawful means” and “complicity in the violation of professional secrecy”.
To date, the case is still not closed. In 2018, the public prosecutor's office of the Tribunal de Grande Instance de Versailles (regional court) requested that the case be referred to the criminal court.
Possible exemptions
The CEO could possibly be exempted if s/he has delegated his/her powers to another employee, for example to the HR director with regard to processing operations relating to employees. In that case, the burden of proving the existence of this delegation of power lies with the CEO and may be discharged by any means.
As a result, the delegatee may be held liable for breaches of the law, provided that the delegation meets certain conditions:
A delegation of authority to the DPO is inadvisable.
However, the CEO cannot entirely release himself/herself from his/her responsibilities, and delegations must be limited both in their purpose and in their scope.
To conclude: it is essential for the company's CEO to be aware of the risks s/he faces in the event of negligence in bringing data processing operations into compliance with the GDPR. In addition to heavy administrative and criminal sanctions, the company's reputation will likely be damaged, which can lead to a certain mistrust on the part of customers, partners and investors.
In order to reduce the risk of personal criminal proceedings, the CEO must therefore exercise due diligence in supervising the "GDPR" compliance scheme. This is done through:
Marie de Asis-Trem