Lexicon > National Commission for Information Technology and Civil Liberties (CNIL)

IT Glossary

National Commission for Information Technology and Civil Liberties (CNIL)

Created by the Data Protection Act, the CNIL is an independent administrative authority. It is the French supervisory authority under the GDPR.

The CNIL is responsible for ensuring the application of the GDPR and the Data Protection Act, as well as for informing data subjects and data controllers of their rights and obligations.

Its missions include :

  • To control the application of the rules and to ensure compliance with them;
  • Promote public awareness and understanding of the risks, rules, safeguards and rights related to the processing of personal data;
  • Encourage awareness among controllers and processors of their obligations under the Regulation;
  • Provide, upon request, information to any data subject on the exercise of his or her rights under the Regulation and, where necessary, cooperate with the supervisory authorities of other Member States to this end;
  • To process complaints submitted by a data subject or organization, to investigate the subject matter of the complaint to the extent necessary, and to inform the complainant of the status and outcome of the investigation within a reasonable time;
  • Conducting enforcement investigations;
  • Adopt standard contract clauses;
  • Establish and maintain a list in connection with the obligation to conduct a data protection impact assessment;
  • Provide guidance on treatment operations;
  • Encourage the development of codes of conduct;
  • Encourage the establishment of certification mechanisms.

In addition, the CNIL has many powers including:

  • The one to order the controller and the processor to communicate all the information it needs to carry out its missions;
  • To carry out investigations and controls;
  • To issue warnings and reminders;
  • To give notice ;
  • To impose financial penalties of up to 20 million euros or, in the case of a company, up to 4% of its annual worldwide turnover, as well as periodic penalty payments, temporary or definitive limitations on processing and suspension of data flows.

All members of the CNIL must carry out their missions in complete independence.


Each supervisory authority should be provided with the financial and human resources, as well as the premises and infrastructure, necessary for the proper performance of its tasks, including those related to mutual assistance and cooperation with other supervisory authorities throughout the Union. Each supervisory authority should have its own annual public budget, which may be part of the overall national budget or of a federated entity.

Recital 120 of the GDPR

Point of jurisprudence

The Court administrative of Mainz (Germany) recalled that a complaint addressed to a supervisory authority “must at least contain all the information necessary to enable the supervisory authority to establish the facts of the case and, if necessary, to clarify them further and investigate possible violations of the Data Protection Act. The complaint must therefore contain information about the data subject and the person responsible, and must at least give an indication of the data protection violation that is the subject of the complaint.

Verwaltungsgericht, 22 July 2020, No. 1 K 473/19.MZ

The Bouchara firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.