Get your processors in order – the CNIL's focus on controller audits

In two recent decisions, the French data protection authority, the CNIL, emphasised the importance of robust auditing processes for French data controllers.

In September 2022, the CNIL fined Infogreffe, the main French business registry providing information services on companies, €250,000 for password security failings and holding personal data of inactive users beyond an appropriate retention period. Despite providing specific binding contractual instructions to its data processor on anonymisation and security, Infogreffe failed to regularly audit its contractor to ensure that these instructions were being followed. Infogreffe pointed to its data processor's "contractual responsibility" in its defence, but the CNIL found this insufficient to absolve the company of its responsibilities under GDPR. This case highlights the importance of auditing processor implementation of security measures and data retention processes.

In November 2022, the CNIL fined EDF, the largest national electricity utility company in France, for failure to collect consent from data subjects to receive marketing email, breach of information requirements, and failure to set up appropriate practices to enable the exercise of data subject rights. EDF argued that data brokers were responsible for collecting the consent of data subjects and were contractually obliged to comply with the GDPR and ePrivacy rules applicable to consent collection for direct marketing. However, EDF also acknowledged that it had no control over the consent collection forms used and did not actually carry out audits on its contractors. The CNIL therefore considered that the measures implemented by EDF to ensure that valid consent was collected by its data brokers were insufficient and constituted a breach of its own obligations under both the GDPR and the ePrivacy applicable rules on consent collection for direct marketing activities by email.

Contracts insufficient without underlying auditing process

These two cases demonstrate that controllers using data processors or processing personal data from other controllers, such as data brokers, need to implement robust audit processes that go beyond simply making sure their contractors contractually commit to comply with the GDPR and the data controller's instructions.

Although the GDPR provides for enforcement against data processors, these cases also demonstrate that data controllers remain liable for the processing activities performed on their behalf by their processors.

Having robust data processing agreements in place may help controllers to establish contractual liability of their processors and other contractors in the event of a breach, but will not be enough to avoid enforcement and fines imposed by the CNIL if they do not check compliance on a regular basis. This highlights the need for companies to have a thorough understanding of their data processing activities entrusted to third parties and to regularly audit their data processors and data brokers to ensure that they are collecting data in compliance with the GDPR.

Data controllers are now used to implementing appropriate agreements with their processors which provide extensive auditing rights in accordance with Article 28 GDPR, but these decisions show that the audits need to be carried out in practice.

A need for further guidance

If the message from the CNIL is straightforward, it nonetheless presents challenges for businesses, which may not know where to start or what to look for in an audit.

Specific sectoral laws and binding internal regulations on what need to be accomplished when performing audits are available to regulated entities such as banks and insurance companies, but are clearly lacking for other businesses.  

A general guide for processors was published by the CNIL in 2017 but has not been updated. It lacks detail on how controllers, especial small and medium enterprises, should audit their processors to ensure that they comply with their instructions and the GDPR. In contrast, the Danish data protection authority published a guide on how to approach data processors audits in late 2021, and provides risk assessment tools. 

Some guidance on audit processes does exist in France. The ANSSI, the French National Agency for Security of Information Systems, has produced helpful publications, but is obviously focused on cybersecurity rather than GDPR compliance. The EDF case demonstrates, however, that audits by controllers should not only focus on security, but need to factor in wider GDPR requirements, such as adequately informing data subjects of the data processing activities and appropriately collecting their consent, when necessary.  Further guidance from the CNIL as to what it considers appropriate would be welcome.