Fraudsters are impersonating the CNIL, making professionals and individuals believe that they are not complying with the rules of the GDPR. An original way to scare them into taking out their wallets…
Apple sanctioned for advertising tracking without consent, TikTok because of its cookies and, recently, Doctissimo for various breaches… The National Commission for Computing and Freedoms (CNIL) is not idle in 2023! It must be said that it does not take non-compliance with the European General Data Protection Regulation (GDPR) lightly, imposing fines of up to tens of millions of euros. But some take advantage of this threat to develop their scams, even if it means usurping the identity of the digital policeman.
Indeed, the CNIL warns of a new wave of fraudulent calls and messages targeting professionals (hoteliers and tobacconists are massively affected), as well as individuals. To do this, the scammers simply pretend to be CNIL agents or representatives on the phone, a technique called vishing. Some even display the real number of the administrative authority, namely 01 53 73 22 22: telephone spoofing, which is actually not very complicated, makes it possible to falsify a caller's number in order to usurp the identity of a member of a public authority or institution. They can also send false letters, faxes or e-mails bearing the official logos of the organization.
GDPR scam: the law as a means of pressure
Fraudsters canvass professionals by telephone, pretending to be representatives or agents of the CNIL, in order to sell them fake GDPR compliance services (paid services, obviously), threatening them with heavy financial penalties if they do not accept. The aim is to create a climate of anxiety and urgency that prevents the victim from thinking and making a level-headed decision. They also contact individuals who have already been the target of a first scam, promising them a refund of the sums they previously paid.
In any case, never pay money under the threat of a financial penalty. Do not be fooled by the climate of urgency; on the contrary, take the time to verify the identity of the person you are speaking to. Be aware that the CNIL never commissions companies to intervene in an enforcement procedure and that it never charges for GDPR compliance services. Similarly, it never asks for the immediate payment of a sum of money, nor will it require you to communicate your bank details. If, unfortunately, you are the victim of a scam of this type, contact your bank immediately to block the transfer or request the return of the funds paid. Cease all contact with the impersonators and immediately file a complaint with the competent authorities.