The steps of the sanction procedure
When a sanction is likely to be imposed, the CNIL Chair may appoint a “rapporteur” and refer the matter to the restricted committee.
A sanction procedure may be brought against an organization in the event of an infringement of the GDPR or the French Data Protection Act:
- following a complaint or a report of violation to the CNIL;
- following an investigation carried out by the CNIL.
In this case, the chair of the CNIL may appoint a rapporteur from among the CNIL’s commissioners, excluding the members of the restricted committee, and refer the matter to the restricted committee. The latter is composed of five CNIL commissioners and a chairperson elected among them.
- the incriminated controller or processor is informed;
- the restricted committee receives all the documents exchanged during the written procedure between the rapporteur and the organization.
During the procedure, the incriminated organization may be heard if the rapporteur considers it useful. In this case, a written report will confirm the hearing.
Before the session
The sanction report
The report proposing to issue one of the measures provided for in article 20 of the French Data Protection Act against the organization is notified to the organization. In case of a financial penalty, the report indicates the amount of the sanction proposed by the rapporteur.
The organization may, on request, consult the case file and obtain a copy of it from the CNIL sanctions department.
The organization may be assisted or represented by a counsel of its choice at each step of the procedure.
Remarks of the organization
The organization has one month from receipt of the report to make written remarks.
The rapporteur may respond to the organization within 15 days of receipt of the written comments.
The organization may then submit new written comments within 15 days of notification of the rapporteur’s response.
When the complexity of a case justifies it and if the rapporteur or the incriminated controller so requests, the chair of the restricted committee may agree to extend the time limit up to one month, pursuant to article 40 of the decree implementing the Act of 6 January 1978 updated on 20 June 2018.
Where this extension is granted to the rapporteur, it is automatically granted to the organization, which is informed.
The organization will be informed of the date of the restricted committee’s session at least one month before it is held.
Public nature of the session
The restricted committee’s session is held in public.
The organization may ask the chair of the restricted committee to restrict the publicity of the session where this is considered to be in the interest of public order or where the protection of secrets covered by the law requires it, pursuant to article 65 of the CNIL’s rules of procedure. In this case, the session is closed to the public.
During the session
The rapporteur, followed by the organization and/or its legal advisor, may submit oral comments in support of their written comments and answer questions from the restricted committee’s members.
The State commissioner may give its position on the case.
The organization and/or its counsel speak(s) last.
At the end of the session
The members of the restricted committee deliberate in camera and can decide on the publicity of the sanction. The deliberation is notified, several weeks later, to the incriminated organization. The organization can appeal the decision before the Council of State (Conseil d’État) within 2 months.
The CNIL’s fines are recovered by the French treasury (Trésor Public).