During the last CNIL inspection carried out on the 25th and 26th of June 2020 concerning the “StopCovid” application, the CNIL concluded that the application “essentially” complied with the GDPR and the French Data Protection Act (Loi Informatique et Libertés). Nevertheless, the Commission noted several irregularities :
- Information to data subjects: this must be completed with regard to the recipients of the data.
- The contract (between the Ministry and INRIA) must specify the subcontractor’s obligations;
- The Privacy Impact Assessment is incomplete and does not take into account all the personal data processing operations.
These checks thus highlight some key aspects of compliance with the GDPR :
- Information to persons
- Updating contracts
- PIAs
It is also the first control at the end of which the CNIL officially calls into question the quality of an PIA. The end of the CNIL’s leniency about PIAs clearly states that the time for adapting and carry out PIAs is over: now companies are deemed to be ready.
https://www.cnil.fr/fr/application-stopcovid-la-cnil-tire-les-consequences-de-ses-controles