On 15 February 2022, the CNIL released its control programme for the year 2022. This year the priority themes are as follows:
- Direct marketing ;
- Employee’s monitoring in the context of remote working;
- Cloud computing.
However, the CNIL recalls that controls on the basis of priority themes accounts for one third of the total number of controls carried within the year. Other audits/investigations will also be carried out on the basis of complaints received by the CNIL and news/events occuring during the year.
The CNIL conducts hundreds of audit/controls per year (e.g. 384 in 2021).
These audits generally stems from complaints and reports of data breaches (one third of inspections) or are linked to the news.
In addition to these controls, the CNIL sets up, each year, a yearly control plan targeting high-stakes matters called the priority themes.
In 2022, three priority themes are direct marketing, monitoring of remote workers and the use of cloud computing.
Typically, audits relating to these three priority issues account for about one third of the audit carried out within the year.
The CNIL has recently published a new “marketing management” referential, in particular, direct marketing campaign, after lengthy consultation with the concerned stakeholders.
Direct marketing is a recurrent subject of complaints and calls to the CNIL hotline, which is why the Authority has decided to concentrate significant resources on it in order to ensure that the practices of the players concerned are GDPR compliant.
On the basis of its referential, the CNIL will check the compliance of organisation with the GDPR, in particular data reseller, including data brokers.
Employee monitoring in the context of remote working
The CNIL has widely communicated on the rules and good practices to apply in order to ensure a fair balance between privacy at work and legitimate monitoring of the remote employees’ activity during the pandemic.
It now considers necessary to check whether employers’ practices comply with its recommendations, especially as remote working is likely to continue.
The use of clouds is constantly developing in the private and public sectors.
According to the CNIL cloud computing entail risks for the protection of personal data, in particular massive transfers of data outside the European Union to countries that do not provide an adequate level of protection or data breaches in the event of incorrect configuration.
The CNIL indicates that it will examine in greater detail the issues relating to data transfers and the framework of contractual relations between data controllers and cloud solution providers.
It will therefore be necessary to ensure that transfers outside the EU are properly supervised and that an adequate level of security is provided.
As regards transfers to countries such as the United States, to avoid any risk, it will be necessary to ensure that no transfer takes place or that the data is encrypted (see here, for more information).
The CNIL also recalls that 22 supervisory authorities will, in the coming months, launch investigations into the use of cloud-based services by the public sector.
For any question, do not hesitate to contact Arnaud BLANC, French & UK qualified lawyer based in France.