2019 was the first full year that the CNPD worked under the General Data Protection Regulation[1] (GDPR) and the new national data protection laws of 2018[2].
An increase in activity
The new rules and the growing interest of individuals and professionals in data protection issues have led to an increase in inquiries received by the CNPD.
While remaining below the peak in 2018, the number of requests remained high, with 708 written requests for information in 2019. While in 2018, with the entry into force of the GDPR, a large number of questions were related to more general issues concerning the compliance with the new legislation, the requests became more specific, demonstrating greater awareness among the public in 2019.
With 16 opinions on draft laws or regulations related to data protection, the CNPD actively participated in the legislative process. One of the most notable opinions of the year was on the central register of the Police. Other opinions were on video surveillance of public spaces for public safety purposes (VISUPOL), the use of video surveillance by communes, the register of beneficial owners, non-profit associations and foundations, reference directories for the identification of patients and providers, and the terms and conditions for setting up the shared medical file (“dossier de soins partagé” in French).
The 2019 annual report also includes a special part on the processing of personal data in criminal matters and on national security covering the period from 20 August 2018 to 31 December 2019.
Guidance, awareness and monitoring on various topics
The CNPD continued its guidance and awareness-raising efforts in 2019 with the development of guidelines on various topics such as the consequences of the Brexit on international data transfers, electoral campaigns in compliance with data protection and the compliance with the GDPR of mobile video surveillance cameras (of the “dashcams” type).
The supervisory authority continued to organise its “DaProLab”[3] workshops on data protection in the areas of health, scientific/historical research and finance/insurance. In addition to the events it has organised, the National Commission has also participated in some thirty training courses, conferences and seminars to raise awareness of data protection issues among more specialised audiences.
The CNPD has also begun to set up a technology and legal monitoring activity to follow innovation topics such as new technologies in the financial sector (Fintech), blockchain technology and artificial intelligence.
An increasing number of complaints and a new investigation procedure
The number of complaints increased significantly from 450 in 2018 to 625 in 2019. These complaints were made by individuals who contacted the CNPD when they considered that the law had not been respected or that their rights had been violated.
In 2019, the CNPD developed a new regulation on the investigation procedure, which was adopted in early 2020. On the one hand, there are unannounced on-site visits, largely led by the complaints, and on the other hand, there are investigations in the form of an audit.
The number of on-site investigations increased from 12 in 2018 to 33 in 2019. These investigations were carried out in the field of video surveillance and geolocation.
Other investigations have been carried out in the form of data protection audits. In 2019, the CNPD continued the work begun in 2018 on the thematic audit campaign on the role of Data Protection Officer (DPO) in 25 organisations.
526 data breaches since the entry into force of the GDPR
The data controllers shall notify the CNPD of violations of personal data within 72 hours after they become aware of them if the violation in question is likely to cause a risk to the rights and freedoms of the data subjects.
In 2019, 354 data breaches were reported to the CNPD. In total, the CNPD has received 526 data breach notifications since 25 May 2018, an average of 28 notifications per month. As for 2018, the main cause remains human error.
Reorganisation of the services and adaptation of the organisational chart of the CNPD
During 2019, the CNPD reorganised its services and adapted its organisational chart in order to better carry out its missions.
The year 2019 was also impacted by the preparations for a relocation of the CNPD to new headquarters. Planning work began in the summer of 2018 to allow the CNPD to move to the new NAOS building on the Belval site in the commune of Sanem in the summer of 2020.
-------------------------------------------------------------------------
[1] Règlement (UE) 2016/679 du Parlement européen et du Conseil du 27 avril 2016 relatif à la protection des personnes physiques à l'égard du traitement des données à caractère personnel et à la libre circulation de ces données, et abrogeant la directive 95/46/CE
[2] Loi du 1er août 2018 portant organisation de la CNPD et du régime général sur la protection des données et loi du 1er août 2018 relative à la protection des données en matière pénale ainsi qu’en matière de sécurité nationale
[3]CNPD’s Open Data Protection Laboratory