Its operation

CNIL commissioners hold plenary and sanction committee sessions once a week, on an agenda prepared by its Chairman.

A large number of meetings is dedicated to reviewing bills and decrees submitted to the CNIL by the Government.

The CNIL also authorizes the implementation of sensitive records, such as those containing biometric data.

Since the adoption of the August 6, 2004 Act, the commission’s Sanction Select Committee, comprising six members, may issue sanctions ranging from warnings to maximum fines of €300,000 against data controllers failing to comply with the law.

To carry out their tasks and missions, CNIL commissioners are assisted by a staff of 148 budgeted FTEs, split into four major Divisions, each comprising several departments:

• Legal & International Affairs and Expert Appraisals;
• Users Relations and Inspections;
• Design, Innovation & Expertise;
• Human Resources, Finance, IT & Logistics.

Beyond its activities of file inventory, inspection of records, replies to consulting requests and complaint investigation, the CNIL also devotes its efforts to delivering information to citizens regarding their rights and obligations.

In response to direct requests from numerous organizations or institutions to conduct training and awareness initiatives on the topic of the French data privacy act (“Loi Informatique et Libertés”), the CNIL participates in symposia, conferences and fairs to inform and keep informed. The Commission also gives talks in schools and educational establishments.

As part of its assignments, the CNIL replies to requests for advice addressed by data controllers, investigates complaints received from citizens, and performs in situ inspections. It also carries out the verifications required under the right of indirect access to records linked to public safety and State security, and delivers extracts from the list of file processing notifications (“Registry of Notifications”) to anyone requesting it.

To date, the CNIL has organized 21 regional fora. Their purpose is to reach out at regular intervals to all public and/or private stakeholders impacted by data protection issues in a given French region, in particular corporate entities or decentralized State administrations. In order to publicize its decisions or actions more widely, the CNIL leverages various communication tools: web site, monthly e-newsletter addressed to more than 30000 subscribers, annual reports, press releases, along with a collection of practical guides.