The sanctions provided for by the GDPR (General Data Protection Regulation) are imposed following inspections or complaints, particularly when data controllers or processors do not comply with the provisions of the GDPR or the law.
The restricted committee of the CNIL may take various measures in the event of non-compliance. These sanctions include:
Formal notice
Order to bring processing into compliance
Temporary or permanent restriction of processing
Suspension of data flows
Order to comply with data subjects’ rights requests
Administrative fine: In the event of serious infringements, financial penalties may be imposed. Under the GDPR, these fines can reach up to 20 million euros or 4% of the company’s total worldwide annual turnover, whichever is higher.
It is important to note that these sanctions may be made public, thereby enhancing transparency regarding GDPR compliance and enforcement actions. The CNIL plays a central role in the application of these sanctions to ensure respect for individuals’ rights and privacy.