Admittedly, the 384 checks carried out by the CNIL last year stem for the most part from complaints received by the Commission, or from current events. But a third of these controls escape this logic. They are the fruit of the “strategic positioning” of the Commission.
And for 2022, the CNIL will particularly target in terms of strategic positioning commercial prospecting, monitoring tools in the context of teleworking and cloud services.
You have certainly already heard of it, or even been a victim of it, of unsolicited commercial prospecting. It recently exploded with incentives to use CPFs (personal training accounts).
The CNIL standard explodes
The CNIL specifies that its standard explodes on this question, drowned by calls from individuals exasperated by this untimely canvassing.
Before typing, the CNIL specifies for professionals that it has published a new “commercial management” reference this month. A text that provides a framework for carrying out commercial prospecting actions. “The CNIL will verify the compliance with the GDPR of professionals in the sector, in particular those who resell data, including the many intermediaries in this ecosystem (also called data brokers)”, specifies the Commission.
The CNIL will also look into the monitoring tools used by employers in the context of teleworking. Especially since even after the Coronavirus pandemic, “many employees, agents and employers believe that it will become widespread and will continue, both in companies and in administrations”, indicates the CNIL.
These monitoring tools are defined by the CNIL as “tools allowing employers to ensure closer monitoring of the daily tasks and activities of employees”. Here too, the CNIL specifies that it has communicated on the rules and best practices in this area. And will therefore in 2022 try to see more clearly on the ground.
Finally, the use of IT resources in cloud mode is also of interest to the Commission. “These new mechanisms are likely to entail risks for the protection of personal data, in particular massive transfers of data outside the European Union to countries that do not provide an adequate level of protection or data breach in the event of bad configuration”, indicates the CNIL, which thus understates the current quarrel between Europe and the United States about the Cloud Act and the end of the Privacy Shield.
The commission will therefore control “data transfers” and “the management of contractual relations between data controllers and subcontractors providing cloud solutions”. And it started. As of last week, the CNIL prohibited a website from using Google Analytics on these grounds.
This action will be extended to the whole EU, with checks carried out by the 22 European CNILs.