While remaining below the peak of 2018, the number of requests received has remained high, with 708 written information requests received in 2019.
When GDPR came into force in 2018, a large number of inquiries were more general questions about compliance with the new legislation. These have now become more specific, showing an increased awareness of the new rules.
The CNPD has continued its guidance and awareness efforts last year by offering guidelines on a variety of subjects such as the consequences of Brexit on international data transfer, the importance of data protection in election campaigns, or the GDPR compliance of dashcams.
The number of complaints has considerably increased from the previous year, from 450 in 2018 to 625 in 2019, with people soliciting the CNPD if they thought there was a breach of the law or a threat to the exercise of their rights.
In 2019, the CNPD developed a new rule around the investigation procedure, which was adopted in early 20202. There are two types of investigations: either unannounced site visits, largely triggered by complaints, or audits. The number of field investigations increased from 12 in 2018 to 33 in 2019. These were most often in relation to video surveillance and geolocalisation.
The remaining investigations consisted of audits on data protection. The CNPD continued the work it had begun in 2018 around audit campaigns on the function of a data protection delegate (DPD) in 25 organisations.
Data controllers must notify the CNPD of personal data breaches within 72 hours of finding out, if the breach in question is likely to pose a risk to the rights and liberties of those affected.
In 2019, 354 data breaches were reported to the CNPD. In total, the CNPD has been notified of 526 data breaches since 25 May 2018, which comes to an average of 28 a month. The main cause of these remains human error.
