The steps of the procedure of sanction

The sanction’s report

The report proposing to issue one of the measures provided for in the article 20 of the French Data Protection Act against the organization, is notified to the organization. In case of a financial penalty, the report indicates the amount of the sanction proposed by the rapporteur.

The organization may consult and ask for a copy of the case file to the CNIL sanctions’ department, if he so requests.

The organization may be assisted or represented by a counsel of his or her choice at each step of the procedure.

Remarks of the organization

The organization has, from the receipt of the report, one month to make written remarks.

The rapporteur may respond to the organization within a 15-day delay from the receipt of the written comments.

The organization may then submit new written comments within a 15-day delay from the rapporteur response’s notification.

When the complexity of a case justifies it and if the rapporteur or the incriminated controller so requests, the chair of the restricted committee can accept to extend the delay until one month, pursuant to article 40 of the decree implementing the Act of 6. January 1978 updated on 20. June 2018.

In case where this extension is granted to the rapporteur, it will be automatically granted to the organization, which is informed.

The organization will be informed of the date of the restricted committee’s session at least one month before it will be held.

Public nature of the session

The restricted committee’s session is hold publicly.

The organization may ask the chair of the restricted committee for a restriction of the session’s publicity if he considers that it is in the interest of public order or when the protection of secrets covered by the law imposes it pursuant to article 65 of the CNIL’s rules of procedure. In this case, the session is closed to the public.

The rapporteur, followed by the organization and/or its legal advisor, may submit oral comments, in support of their written comments, and answer to questions from the restricted committee’s members.

The State commissionner may give its position on the affair.

The organization and/or its counsel speak(s) last.

The members of the restricted committee deliberate in camera and can decide of the sanction’s publicity. The deliberation is notified, several weeks later, to the incriminated organization. This one can appeal the decision before the Council of State (Conseil d’État) within a delay of 2 months.

The CNIL’s fines are recovered by the French treasury (Trésor Public)