The powers of the restricted committee
In case of a non-compliance with the GDPR and the French Data Protection Act, the chair of the CNIL may refer to the restricted committee in order to make one or several measures pronounced at the end of a procedure during which the incriminated organization is heard.
The different measures set out
The following corrective powers may be imposed by the restricted committee, if breaches of the GDPR or the French Data Protection Act.
- a reprimand;
- an order to bring the processing into compliance with the obligations provided by the texts or an order to satisfy the requests of individuals to exercise their rights. This order may be accompanied by a periodic penalty payment of up to 100 000€ per day of delay;
- a temporary or definitive limitation to the processing, its prohibition or the withdrawal of an authorisation;
- the withdrawal of a certification;
- the suspension of data flows addressed to a recipient located in a third country or an international organization;
- a partial or total suspension of the decision approving the binding corporate rules;
- an administrative fine whose amount is determined on elements mentioned in the article 83 (5) and (6) of the GDPR.
The fine may be up to 20.000.000 euros or up to 4% of the worldwide annual turnover applicable for non-compliance with the fundamental principles of the GDPR, rights of individuals, provisions on transfers or failure to comply with an authority’s order.
This fine may amount up to 10.000.000 euros or up to 2% of the worldwide annual turnover applicable for non-compliance with the controller’s or processor’s obligations (concerning security, impact assessment, maintain of a record of processing activities, DPO’s designations, ...) or non-compliance with the obligations to be respected by a certification body or in charge of the codes of conduct.
The restricted committee may decide to make its decision public. The publicity may be made as soon as the decision has been notified to the concerned organization.
The incriminated organization may appeal the decision before the State Council within a two-month delay.
The restricted committee can also order the decision to be inserted in publications, newspapers and supports of its choice, at the expenses of the sanctioned organizations.