FRENCH SUPERVISORY AUTHORITY: exercise of rights by mandate: the CNIL publishes its recommendation


Each person can exercise their rights through a person or a body mandated for this purpose. To support them, the CNIL is publishing its recommendation, adopted after a public consultation.

What is the purpose of this recommendation?

The GDPR gives people a certain number of rights that allow them to keep control of their personal data.

Those rights can be exercised by the individuals themselves, directly with the bodies that hold their data (“data controllers”), but also by people or bodies mandated by them.

This refers to the right to portability, which facilitates the free movement of personal data in the European Union while stimulating competition and innovation, as well as the right of access, which provides a high level of transparency on the reality of processing for data subjects.

The mandate offers new perspectives for individuals, but also for a whole ecosystem of private and public actors who wish to create new solutions and new uses.

The CNIL has decided to draw up a recommendation in order to offer a new framework for those activities and to provide legal certainty both to actors who intend to take on the role of agent and to bodies that receive requests from those actors.

Without being prescriptive or exhaustive, this recommendation serves as a practical guide, clarifying for those actors the conditions under which individuals can mandate bodies to exercise their rights.

What is the content of the recommendation?

Steps of a request to exercise rights by mandate

The recommendation presents the different steps of a request to exercise rights through an agent and addresses in particular the following questions:

  • The form and the content of the mandate
  • Automated requests to exercise rights
  • Situations in which the data controller can consider a request to exercise rights made by an authorized representative to be complex, manifestly unfounded or excessive
  • Security legislation to apply and the format for sharing the data
  • Conditions under which a representative can reuse the data obtained through the exercise of the right, on its own account and under its own responsibility

A model mandate to accompany the recommendation

This recommendation is accompanied by a model mandate to which representatives and data controllers can refer.

Note that it covers only personal data protection: other commercial clauses can be added, provided that they do not conflict with the applicable data protection legislation.

Many contributions to the recommendation

After the public consultation launched on 25 November 2020, twenty contributors helped to enrich the published draft recommendation, in particular on four points:

  1. The final version of the recommendation clarifies the distribution of roles and responsibilities between processors and agents. The former must respond to requests, the latter are responsible for the processing they are likely to implement on the data, as soon as they are received.
  2. The recommendation clarifies its scope, in particular with regard to payment service providers whose activity is governed by the PSD2 (2nd Directive on payment services). Account information providers may exercise the rights provided for in the GDPR as agent if certain conditions are met, in particular outside the provision of an account information service or where the request does not relate to payment data.
  3. The recommendation also clarifies the hypotheses in which an authorized representative may be made a recipient of the data: the direct transmission of the data by the controller may be required only in the context of the right to portability, but the CNIL encourages data controllers to send the data to the authorized representative when the latter is designated as the addressee by the data subject in the mandate.
  4. The recommendation reinforces the conditions under which agents may exceptionally consider the use of content extraction (or scraping).
deliberation-2021-070-recommandation-exercice-droits-_mandataire mandat-type_-_exercice_des_droits