CNIL Published Guidance on GDPR Responsibilities: Data Privacy Trends

It’s data privacy day! Last week, France’s data protection authority, the Commission nationale de l’informatique et des libertés (CNIL), published guidance on GDPR responsibilities.

In their guidance release (Public order: which actor is responsible under the GDPR?), CNIL published guidance on the identification of a “controller,” “subcontractor,” and “joint principal” under the EU General Data Protection Regulation. As stated in the English translation of the release:

To carry out these public contracts or concession contracts, economic operators are required to collect and use personal data which may concern staff or users of the public service: this data processing must comply with the general data protection regulations (GDPR).


The role played by each actor has an influence on the nature and extent of their responsibilities vis-à-vis the data. In this respect, the qualification of actors as “controller”, “subcontractor” or “joint controller” must occur as soon as possible and be carried out with regard to factual elements and taking into account each contractual context. In particular, it will make it possible to identify each person’s level of responsibility and consequently define the clauses relating to data protection which must be inserted in the contract (e.g.: taking into account all the mandatory clauses provided for in Article 28 of the GDPR in the case where the administration must be qualified as “controller” and the economic operator as “processor”).

CNIL published guidance regarding considerations for responsibilities to guarantee compliance, as follows:

A key step for the effective application of all the obligations provided for by the GDPR

The qualification of the actors when drafting the contract is an essential first step: it makes it possible to determine who will have to guarantee compliance with the main principles of the GDPR, in particular:

  • the existence of an explicit and legitimate objective (purpose) for each use of data;
  • collection of relevant and non-excessive data;
  • data security;
  • a limited data retention period;
  • proper consideration of people’s rights.

To support professionals in identifying their responsibilities, CNIL also provided a link to a 13-page guide containing details of the legal criteria to be taken into account, the different qualifications that may be used depending on the subject of the contracts and the nature of the processing that they imply, as well as the consequences to be drawn from them when drafting the contractual documents. Alas, it’s in French – no English version of it that I see. C’est la vie!

So, what do you think? Do you think the CNIL published guidance will help organizations better define the responsibilities under GDPR? Please share any comments you might have or if you’d like to know more about a particular topic.

Hat tip to IAPP for original coverage of the story here.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
