French Data Protection Authority (CNIL)

Mission

Regulation

Type of actor

Institutional player

Fields of intervention

Health / Social care / Social / Medical Device

Intervention zone

National

What is the CNIL?

In the digital world, the Commission nationale de l'informatique et des libertés (CNIL) is France's personal data regulator. It supports private and public players in implementing their personal data protection compliance.

Go to the CNIL website

Missions

Inform, educate: the CNIL responds to requests from individuals and professionals. It carries out communication actions with the general public and professionals whether through its networks, the press, its website, its presence on social networks or by providing educational tools;
Protect citizens' rights: anyone can contact the CNIL in the event of difficulty in exercising their rights;
Advise and regulate: the CNIL oversees the search for solutions enabling public and private organizations to pursue their legitimate objectives in strict compliance with citizens' rights and freedoms;
Accompanying compliance: to help private and public organizations comply with the RGPD, the CNIL offers a comprehensive toolbox tailored to their size and needs;
Anticipate: as part of its innovation and foresight activity, CNIL, through its LINC laboratory, sets up a watch to detect and analyze technologies or new uses that could have significant impacts on privacy. It contributes to the development of privacy-protecting technological solutions by advising companies as far upstream as possible, with a view to privacy by design;
Control and sanction : control enables the CNIL to verify the concrete implementation of the law. It can require a player to regularize its processing (formal notice) or impose sanctions (fines, etc.).

I have a project. How can I contact the CNIL?

To integrate RGPD obligations into your project and manage your data;
To be in compliance with the specific regulations to which health data are subject;
To design your user pathsof digital service or product and thus enable people to control their personal data and know their rights;
To prevent risks and organize the security of your data;
To make your RGPD compliance a competitive advantage ;
To benefit from practical tools (see accessible resources) developer guide, repositories, registry templates etc.
To benefit from a network: regular animation of workshops for startups working in the healthcare field, some of which are available online, presence in innovation venues such as Station F, online posting of web pages dedicated to startups on the cnil website.

At what stage of my project should I contact you?

Prior to implementing data processing, once the scope of my project is well defined (what data do I want to collect and use? to do what with it? how will I inform people? what security measures are envisaged?) ;
Ideally, on the basis of d'une analyse d'impact relative à la protection des données.

Consult our dedicated pages to identify the main actions you need to take to begin your compliance with protection des données personnelles.

Does it finance projects?

Accessible resources

Information on the Healthcare sector Practical RGPD awareness guide for VSEs and SMEs (in partnership with bpifrance) Hub Startup: how to turn your RGPD compliance into a competitive advantage? Access the software for conducting a Data Protection Impact Assessment (DPIA) Discover CNIL's digital innovation laboratory Co-constructing user paths that respect RGPD and privacy

Practical guide

All the questions you need to ask about CNIL.

In some cases, you may be required to appoint a data protection officer. This appointment is mandatory for certain companies operating large-scale processing operations presenting particular risks

In other cases, the appointment of a delegate is recommended, particularly if your business requires you to conduct an in-depth analysis of the RGPD. The delegate can be appointed internally from among your staff or externally. He or she can also be shared between several organizations or within professional associations or federations.

FOR MORE INFORMATION:

About the compulsory designation cases and competencies of the data protection delegate:

Dossier the data protection delegate on the CNIL website

If your data processing operations are likely to give rise to specific risks or new data protection issues, don't hesitate to contact the CNIL (contact details on the "CONTACT" page of the CNIL website). In addition, your subcontractors have a duty to advise you on data protection issues. Don't hesitate to contact them!

The CNIL regularly organizes workshops for startups with FrenchTech Central (find the program here)

Yes, depending on demand. In particular, the CNIL offers individual support as part of its call for projects "Personal data sandbox" and its Enhanced support.

3 Place de Fontenoy - Unesco 75007 Paris

Our podcasts on the subject :

Discover our podcasts on the subject

See all Podcasts

Regulations