Commission nationale de l'informatique et des libertés (CNIL)
Mission
Regulation
Type of actor
Institutional player
Fields of intervention
Health / Social care / Social / Medical Device
Intervention zone
National
What is CNIL?
In the digital world, the National Commission for Information Technology and Civil Liberties (CNIL) is the French regulator of personal data. It assists private and public actors in achieving personal data protection compliance. It receives and processes complaints from individuals and has the power to carry out on-site or online inspections. It can compel a data processor to address violations (formal notice) or impose sanctions (fines, etc.).
Missions
- Inform and educate: The CNIL responds to requests from individuals and professionals. It carries out communication actions with the general public and professionals through its networks, the press, its website, its presence on social media, and by providing educational tools.
- Protect citizens' rights: Any person may contact the CNIL in the event of difficulty in exercising their rights.
- Advise and regulate: The CNIL ensures that solutions are found to enable public and private bodies to pursue their legitimate objectives in strict compliance with citizens' rights and freedoms.
- Support compliance: In order to help private and public organisations comply with the GDPR, the CNIL offers a complete toolkit tailored to their size and needs.
- Anticipate: As part of its innovation and forecasting activities, the CNIL, through its LINC laboratory, conducts monitoring to detect and analyse technologies or new uses that could have a significant impact on privacy. It contributes to the development of privacy-protective technological solutions by advising companies as early as possible, following the principle of privacy by design.
- Control and sanction: Control allows the CNIL to verify that the law is being adhered to. It can compel a data processor to address violations (formal notice) or impose sanctions (fines, etc.).
I have a project, how can contacting the CNIL be of use to me?
- To integrate GDPR obligations into your project and manage your data
- To comply with the specific regulations governing health data
- To design your user path for a digital product or service and allow people to control their personal data and know their rights
- To prevent risks and arrange for the security of your data
- To make your GDPR compliance a competitive advantage
To do this, the CNIL offers various tools, available on its website cnil.fr.
At what stage of my project should I contact them?
- Before implementing a data processing operation, once the scope of your project has been clearly defined (What data do you want to collect and use? For what purpose? How will you inform people? What security measures are planned?)
- Ideally, on the basis of a Data Protection Impact Assessment.
See our dedicated pages to identify the main actions you need to take to begin ensuring your compliance with personal data protection rules.
I have a project, how can contacting the CNIL be of use to me?
- To integrate GDPR obligations into your project and manage your data;
- To comply with the specific regulations that apply to health data;
- To design the user journeys of your digital service or product, so that people can control their personal data and know their rights;
- To prevent risks and organise the security of your data;
- To make your GDPR compliance a competitive advantage;
- To benefit from practical tools (see accessible resources): developer guide, reference frameworks, record templates, etc.
- To benefit from a network: regular workshops for startups working in the health sector, some of which are available online, a presence in innovation venues such as Station F, and web pages dedicated to startups on the CNIL website.
At what stage of my project should I make contact?
- Before implementing a data processing operation, once the scope of my project is clearly defined (what data do I want to collect and use? For what purpose? How will I inform people? What security measures are planned?);
- Ideally, on the basis of a data protection impact assessment.
See our dedicated pages to identify the main actions to take to begin your compliance with personal data protection rules.
Does it fund projects?
No
Find out more
Practical guide
Frequently asked questions about the CNIL.
Who should I contact for help?
In some cases, you may need to appoint a Data Protection Officer. This appointment is mandatory for certain companies operating large-scale processing operations presenting particular risks.
In other cases, the appointment of a Data Protection Officer is recommended, particularly if your activity requires you to conduct an in-depth analysis of the GDPR. The Data Protection Officer can be appointed internally from among your employees or externally. The role can also be shared between multiple organisations or within professional associations or federations.
TO FIND OUT MORE:
On the compulsory designation and competences of a Data Protection Officer:
Information about Data Protection Officers on the CNIL website
If your data processing is likely to give rise to specific risks or new problems with regard to data protection, feel free to contact the CNIL (contact details on the "CONTACT" page of the CNIL website). Furthermore, your processors have an obligation to alert and advise you on data protection. Don't hesitate to ask them!
The CNIL regularly organises workshops for startups with FrenchTech Central (find the program here)
Does the CNIL charge for its services?
No
Can your organisation assist my project individually?
Yes, depending on the demand
3 Place de Fontenoy - Unesco 75007 Paris