The steps of the procedure of sanction

22 December 2020

When a sanction is likely to be imposed, the CNIL Chair may appoint a “rapporteur” and refer to the restricted committee.

The procedure of sanction


A procedure of sanction may be issued against an organization in case of infringement to the GDPR or French Data Protection Act:

  • following a complaint or a report of violation to the CNIL ;
  • following a investigation carried out by the CNIL.

In this case, the chair of the CNIL may appoint a rapporteur among the CNIL’s commissioners, except the members of the restricted committee, and refer to the restricted committee. The latter is composed of five CNIL’s commissioners and a chairperson elected among them.

  • The controller or the processor incriminated is informed;
  • the restricted committee receives all the documents exchanged during the written procedure between the rapporteur and the organization.

During the procedure, the incriminated organization may be heard if the rapporteur considers it is useful. In this case, a written report will confirm the hearing.

Before the session

During the session

At the end of the session