On March 19, 2013, the French Data Protection Authority (“CNIL”) announced (in French) its annual inspection program, providing an overview of its inspections of data controllers in 2012 and a list of inspections that it plans to conduct in 2013. Under French data protection law, the CNIL is authorized to collect any useful information in connection with its investigations and has access to data controllers’ electronic data and data processing programs.

The CNIL reportedly conducted 458 “on-the-spot” investigations in 2012 (which is 19% more than in 2011). Of those, 173 inspections related to data controllers’ CCTV monitoring, some of which resulted in formal notices and administrative sanctions imposed by the CNIL.

The CNIL also announced that a target of 400 “on-the-spot” inspections was set for 2013 and that a quarter of these inspections will focus on CCTV. Other inspections are likely to be triggered by:

  • The processing of personal data by market research institutes;
  • The processing of personal data in the context of free access Internet services;
  • The processing by French local authorities of personal data relating to individuals’ social difficulties;
  • The processing of personal data related to incarcerated individuals; and
  • The data processing activities of the French police services.