Data protection in France: overview

A Q&A guide to data protection in France.

This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.

This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.

Regulation

Legislation

1. What national laws regulate the collection and use of personal data?

General laws

The Data Protection Act No. 78-17 dated 6 January 1978 (Loi informatique et libertés) (DPA) is the key legislation on the protection of personal data.

The DPA created the French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL). The DPA has been amended several times, in particular by Act No. 2004-801 of 7 August 2004.

Sectoral laws

The collection and use of personal data is also subject to special rules set out in the Postal and Electronic Communications Code (Articles L. 34-1 et seq. and Articles R. 10-12 et seq.) when such collection and use is carried out in the context of providing electronic communication services to the public.

In addition, special rules on privacy and professional secrecy apply to the collection and processing of personal medical data (Articles L. 1110-4, L. 1111-8, L. 1112-3, L. 1121-3, L. 1343-3 and L. 2132-1, Public Health Code).

Scope of legislation

2. To whom do the laws apply?

The Data Protection Act (DPA) applies to any person that is in charge of collecting, processing or storing personal data and is either a:

  • Data controller. A data controller is any person, public authority, department or any other organisation that determines the purposes and means of the data processing (Article 3, DPA). Whether a person is a data controller is determined on a case-by-case basis.

  • Data processor. A data processor is a person (often a subcontractor) that acts under the authority of the data controller and can only process personal data under the data controller's instructions (Article 35, DPA). A data processor is subject to reduced obligations as set out in Articles 34 and 35 of the DPA.

An entity can be considered as a data controller for some of its activities and a data processor for others. For example, an accountant may be considered as a data controller when acting for small and medium-sized enterprises (SMEs), since he receives very few instructions on how to collect or process their data and therefore enjoys strong autonomy. However, the same accountant may be considered as a data processor when he acts for large companies that provide him with very detailed instructions on how to process data. In addition, the French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL) is not bound by the qualification chosen by an entity.

 
3. What data is regulated?

The Data Protection Act (DPA) applies to the processing of personal data.

Personal data is defined as "any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to them" (Article 2, DPA). This notion is very broad and, therefore, the collection of any data that can identify a person, whether directly or indirectly (for example, name, date of birth, phone number, e-mail address, social security number), must comply with the DPA. Personal data include data that are not associated with the name of a person but can easily be used to identify that person and learn his habits and tastes.

To determine whether a person is identifiable, all the means that the data controller or any other person uses, or may have access to, should be taken into consideration (Article 2, DPA).

 
4. What acts are regulated?

The Data Protection Act (DPA) applies to any processing of personal data. Processing is defined as any operation or set of operations in relation to such data, regardless of the mechanism used, including in particular (Article 2, DPA):

  • Obtaining.

  • Recording.

  • Organisation.

  • Retention.

  • Adaptation or alteration.

  • Retrieval.

  • Consultation.

  • Use.

  • Disclosure by transmission.

  • Dissemination or otherwise making available.

  • Alignment or combination.

  • Blocking.

  • Deletion or destruction.

This definition is very broad and, therefore, a simple consultation or the mere archiving of data is considered as processing.

The DPA also distinguishes between:

  • Non-automatic processing (manual processing). Non-automatic processing must comply with the DPA. However, it is not subject to the prior notification obligation, provided that the processed data do not relate to sensitive information, offences or convictions (see Question 7).

  • Automatic processing. The definition of automatic system is broad and is not limited to databases: even processing through simple text editors falls within this definition.

 
5. What is the jurisdictional scope of the rules?

The Data Protection Act (DPA) applies to the processing of personal data by a data controller that either is established in France or carries out its activities in an establishment in France, regardless of its legal form. The notion of establishment is not defined in the DPA. However, the French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL) considers that there is an establishment where there is an effective and real exercise of an activity through stable facilities.

If the data controller is not established in France or in any other EU member state, but uses means of processing that are located on French territory (with the exception of processing used only for the purposes of transit through France or any other EU member state), the processing will also fall within the scope of the DPA. Means of processing are located in France if:

  • Data is collected in France.

  • The hosting server is located in France.

  • The external service provider is located in France.

At the European level, the control of, and co-ordination between, the national data protection authorities are organised under Directive 95/46/EC on data protection (Data Protection Directive). Under Article 29 of the Directive, a working group called "G29", composed of representatives of the national data protection authorities, the European Data Protection Supervisor and the European Commission, was established to provide expert advice to the European Commission and to promote the uniform application of the Data Protection Directive in all member states. Based on this co-ordination, a data controller that processes personal data in several member states is supervised by the authority of the member state where it is established.

If the data controller is not established in France or the EU, it must designate a representative before the CNIL.

 
6. What are the main exemptions (if any)?

The Data Protection Act (DPA) does not apply to processing carried out for the exercise of exclusively private activities (Article 2, DPA). This applies to private phone books.

In addition, the DPA does not apply to temporary copies made in the context of technical operations of transmission and provision of access to a digital network for the purpose of automatic, intermediate and transitory retention of data, and with the sole aim of allowing other recipients of the service to benefit from the best access possible to the transmitted information (Article 4, DPA).

Notification

7. Is notification or registration required before processing data?

Before processing data, the data controller must either notify the French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL) or obtain authorisation from the CNIL.

Notification regime

The notification regime applies to automatic processing only (see Question 4). The notification can be normal or simplified.

Normal notification (déclaration ordinaire). This is the general regime that applies to any personal data processing. The notification form must include the following information:

  • Purpose(s) of the processing.

  • Identity and address of the data controller.

  • Possible interconnections between databases.

  • Personal data processed and categories of persons concerned by the processing.

  • Recipient(s) or categories of recipients of the processed data.

  • Time period for which the data will be kept.

  • Department or person(s) in charge of data processing.

  • Persons or departments before which the right of access is exercised.

  • Countries where the data will be sent, stored, used and/or processed (if outside the EU).

  • Measures taken to ensure the security of the processing.

The applicant can start the processing as soon as it receives the acknowledgement of notification (récépissé). Under the Data Protection Act (DPA), the CNIL must deliver the acknowledgement "without delay" after the notification. In practice, it is delivered within a few days or a few weeks. If the notification is submitted through the CNIL's website, the acknowledgement is normally received within a couple of days after the notification.

Simplified notification (déclaration simplifiée). This applies to the most common forms of processing. In such cases, the data controller only needs to confirm that the processing complies with certain standards set in advance by the CNIL (for example, standards of data processing by a company to geo-locate the vehicles used by its employees). Each set of standards describes the purpose of the processing, the type of personal data processed, the recipients of the data, the time period for which the data are kept and the compliance with the rights of the data subjects. If no such standards apply, the data controller must submit a normal notification (see above).

Authorisation regime

Article 25 of the DPA sets out a list of processing operations, whether automatic or not, that are subject to prior authorisation. This regime concerns processing and data that could be particularly harmful to privacy and civil liberties, including:

  • The processing of sensitive data.

  • The processing of genetic data.

  • The processing of data relating to offences and security measures.

  • Biometric identity checks.

  • The transfer of data outside the EU to a country without adequate protection (see Question 20).

The CNIL must make a decision within two months, renewable once. If the CNIL does not make a decision, the authorisation is deemed to be refused. A tacit or explicit refusal can be appealed before the French Supreme Administrative Court (Conseil d'Etat).

The CNIL has also developed a simplified system of "unique authorisation" along the same lines as the simplified notification regime (see above, Notification regime: simplified notification (déclaration simplifiée)). The unique authorisation regime applies to situations listed on the CNIL's website (for example, data processing relating to whistleblowing systems).

A specific authorisation regime applies to data processing in the medical sector.

 

Main data protection rules and principles

Main obligations and processing requirements

8. What are the main obligations imposed on data controllers to ensure data is processed properly?

Data controllers' main obligations are listed in Article 6 of the Data Protection Act (DPA). The data controller must ensure that:

  • Data are collected and processed fairly and lawfully.

  • Data are collected for specified, explicit and legitimate purposes and are subsequently processed in a manner that is compatible with such purposes.

  • Personal data are adequate, relevant and not excessive in relation to the purposes for which they were collected.

  • Collected personal data are accurate, complete and kept up-to-date.

  • Collected personal data are retained in a form that allows the identification of the data subjects for a period that is no longer than necessary for the purposes for which they were collected.

In addition, data controllers must ensure that the individuals concerned are informed, have given their consent, and have the right to access the data and request amendments or deletions.

 
9. Is the consent of data subjects required before processing personal data?

Article 7 of the Data Protection Act (DPA) expressly provides that the consent of data subjects is required before collecting and processing personal data. The DPA does not contain any provision on the form and content of consent, and on evidence of such consent. As a basic principle, consent must be obtained in accordance with the loyalty principle. Therefore, pre-ticked boxes cannot constitute a valid consent.

Article 7 also lists exceptional circumstances in which consent of the data subject is not required (see Question 10).

Personal data processing regarding individuals under the age of 18 is subject to specific conditions. According to the French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL), the data controller must receive the consent of the parents and must provide clear information to the minor. Data controllers are not allowed to collect a minor's sensitive personal data. The CNIL also indicates that, to send a newsletter to a minor, data controllers can only collect his e-mail address and age. Any further information on the minor's family, consumer habits or parents' situation is considered disproportionate and unfair.

Under Article 226-18-1 of the French Criminal Code, processing data despite the objection of the data subject is a criminal offence punished by five years' imprisonment and/or a fine of EUR300,000.

 
10. If consent is not given, on what other grounds (if any) can processing be justified?

If the data controller has not received the consent of the data subject, processing can be justified on any of the following grounds:

  • Compliance with any legal obligation to which the data controller is subject.

  • Protection of the data subject's life.

  • Performance of a public service mission entrusted to the data controller or the data recipient.

  • The processing relates to the performance of a contract to which the concerned individual is a party or of pre-contractual measures requested by that individual.

  • Processing the data is in the legitimate interests of the data controller or data recipient, subject to the interests and fundamental rights and liberties of the concerned individual.

Special rules

11. Do special rules apply for certain types of personal data, such as sensitive data?

The Data Protection Act (DPA) contains special rules for certain types of personal data, namely:

  • Sensitive data.

  • Social security numbers.

  • Data relating to offences, convictions and security measures.

In principle, the collection and processing of sensitive data is prohibited. Sensitive data is data that reveal, directly or indirectly, a person's racial or ethnic origins, political, philosophical or religious beliefs or opinions, trade union affiliation, health or sexual life. This prohibition does not apply to the processing of sensitive data which is:

  • Based on the express consent of the data subject.

  • Necessary for the protection of human life when the data subject is unable to give his consent because of a legal incapacity or physical impossibility.

  • Carried out by an association or any other non-profit religious, philosophical, political or trade union body, provided that the processing relates to the object of the organisation, is limited to its members and the data collected are not transmitted to third parties, unless such transfer was expressly approved.

  • Based on data that have been made public by the data subject.

  • Necessary for the establishment, exercise or defence of a legal claim.

  • Necessary for healthcare.

  • Carried out for statistical purposes by the National Institute of Statistics and Economic Studies or one of the statistical services of the ministries.

  • Necessary for medical research.

The processing of data relating to offences, convictions and security measures is governed by Article 9 of the DPA.

Regarding the processing of social security numbers, the French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL) has established a strict control regime, since a social security number can give access to a large amount of personal data and can be used to link records across many databases.

 

Rights of individuals

12. What information should be provided to data subjects at the point of collection of the personal data?

At the point of collection of personal data, the data controller must inform data subjects of:

  • The identity of the data controller and its representative (if any).

  • The purpose of the processing.

  • Whether replies to questions are compulsory or optional.

  • The recipients or categories of recipients of the data.

  • The right to object, for a legitimate purpose, to the collection of such data.

  • The right to access the collected data.

  • The right to have the processed data rectified, completed, blocked or deleted.

  • Where data are to be transferred outside the EU, specific details on the intended transfer (that is, where, why, what data and under which level of protection).

The information obligation can be fulfilled orally or in writing. However, it is recommended to use a written document for evidentiary purposes.

Under Article 32 of the Data Protection Act (DPA), the information obligation can be reduced or set aside in specific circumstances.

 
13. What other specific rights are granted to data subjects?

Rights of individual data subjects are set out in Articles 38 to 43 of the Data Protection Act (DPA).

A natural person is entitled, on legitimate grounds, to object to the processing of his personal data, unless the processing satisfies a legal obligation (Article 38, DPA).

The data subject is entitled to obtain from the data controller (Article 39, DPA):

  • Confirmation as to whether its personal data are part of the processing.

  • Information relating to the purposes of the processing, the categories of processed data and the recipients or categories of recipients to whom the data are disclosed.

  • Information relating to the transfer of personal data outside the EU, if applicable.

  • A copy, in an accessible form, of its personal data, as well as any available information on the origin of the data.

  • Information allowing the data subject to know and object to the reasoning involved in the processing, where a decision based on automatic processing produces legal effects in relation to the data subject.

A data subject can request the data controller to rectify, complete, update, block or delete personal data (Article 40, DPA) (see Question 14).

However, the rights of access and rectification are limited when the processing involves state security, defence or public safety (Article 41, DPA).

 
14. Do data subjects have a right to request the deletion of their data?

Under Article 40 of the Data Protection Act (DPA), data subjects can request the data controller to rectify, complete, update, block or delete their personal data that are inaccurate, incomplete, equivocal, expired, or whose collection, usage, disclosure or retention is prohibited.

The right to be forgotten was recognised by the European Court of Justice (ECJ) in Google Spain SL, Google Inc v Agencia Espanola de Proteccion de Datos and Mario Costeja Gonzalez (case C-131/12). This right is expressly mentioned in the draft data protection regulation that is being discussed before the EU Council.

Under the right to be forgotten, people can request an internet search engine to remove the links to web pages that contain inaccurate and damaging information. However, this right is not absolute and will be assessed on a case-by-case basis in light of the right to freedom of expression and information, particularly in the case of public figures.

 

Security requirements

15. What security requirements are imposed in relation to personal data?

The data controller must take all useful precautions, with regard to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, to prevent the data from being altered or damaged, or accessed by unauthorised third parties (Article 34, Data Protection Act (DPA)).

The French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL) considers that the data controller must implement any security measure that is adapted to the nature of the processed data and the risks of the processing. In 2012, the CNIL published an advanced guide on identification of risks and best practices for security measures (www.cnil.fr/linstitution/actualite/article/article/deux-nouveaux-guides-securite-pour-gerer-les-risques-sur-la-vie-privee/). The CNIL recommended security measures and guarantees, such as:

  • Strong password management.

  • Secure workstations.

  • Identification tools.

  • Secure local network.

  • Secure physical access.

  • Training users on information technology risks.

The processing of personal data without implementing the required security measures can be subject to five years' imprisonment and/or a fine of EUR300,000 (Article 226-17, French Criminal Code).

 
16. Is there a requirement to notify personal data security breaches to data subjects or the national regulator?

There is no general obligation to notify personal data security breaches to data subjects or the French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL).

However, electronic communication service providers registered with the French Authority for the Regulation of Electronic Communications and Posts (Autorité de Régulation des Communications Electroniques et des Postes) (ARCEP) (that is, mobile phone operators and internet service providers) must notify all breaches to the CNIL, regardless of their seriousness (Article 34 bis, Data Protection Act (DPA) and decree 2012-436 dated 30 March 2012). Notification must be made within 24 hours of the breach, although the CNIL accepts a two-stage notification (that is, a preliminary notification within 24 hours and then within 72 hours if more time is needed for further investigations). Notification is made through a form that can be returned by post or filed online. Under this regime, the electronic communication service providers must also inform data subjects, unless the breach did not affect their privacy rights. In addition, the CNIL can require the data controller to notify data subjects.

Electronic communication service providers must also keep an updated record of all breaches (Article 34 bis, DPA).

An electronic communication service provider that does not notify a security breach to the CNIL or data subjects faces five years' imprisonment and/or a fine of EUR300,000 (Article 226-17-1, French Criminal Code).

 

Processing by third parties

17. What additional requirements (if any) apply where a third party processes the data on behalf of the data controller?

A data processor must offer adequate guarantees to ensure the implementation of the security and confidentiality measures (Article 35, Data Protection Act (DPA)). The data processor must act on the basis of a contractual agreement concluded with the data controller, which must both:

  • Specify the processor's obligation regarding the protection of security and confidentiality.

  • Provide that the data processor can only act on the controller's instructions.

The French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL) has published several standard contractual clauses regarding the implementation of confidentiality measures by the data processor in the area of health (www.cnil.fr/les-themes/sante/fiche-pratique/accessible/non/article/sous-traitance-modeles-de-clauses-de-confidentialite/) and regarding data transfer (www.cnil.fr/vos-obligations/transfert-de-donnees-hors-ue/contrats-types-de-la-commission-europeenne/).

 

Electronic communications

18. Under what conditions can data controllers store cookies or equivalent devices on the data subject's terminal equipment?

A data controller can store cookies or equivalent devices if the following three conditions are satisfied:

  • The data subject must be informed of the purposes of any cookies.

  • The data subject must be informed of the means available to object to such storing.

  • The data subject must give his consent.

The information provided to the data subject must be clear and comprehensive. In addition, the French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL) has set very detailed guidelines regarding the data subject's consent (www.cnil.fr/vos-obligations/sites-web-cookies-et-autres-traceurs/que-dit-la-loi/). The consent must be:

  • Given before using the cookies.

  • Based on comprehensive information to ensure that consent is specific and given freely.

  • The result of a real choice.

The CNIL considers that the consent must be given through a positive action and suggests the following consent mechanisms:

  • A banner on the first web page visited informing the data subject that continuing to visit the website constitutes consent.

  • Boxes to tick when registering for online services.

In addition, the CNIL recommends inserting a "for more information" page where the data subject can refuse the use of cookies.

The consent is valid for 13 months.

The use of cookies is exempted from the requirements above where the cookies are either:

  • Exclusively intended to enable or facilitate communications.

  • Strictly necessary for the provision of an online communication service at the user's express request.

For example, the CNIL considers that "shopping bag" cookies or authentication cookies are exempted.

 
19. What requirements are imposed on the sending of unsolicited electronic commercial communications (spam)?

Unsolicited electronic commercial communication must comply with the requirements set out in Article L. 34-5 of the French Postal and Electronic Communications Code.

Based on this Article, the French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL) has issued recommendations (www.cnil.fr/les-themes/conso-pub-spam/fiche-pratique/article/la-prospection-commerciale-par-courrier-electronique/) that distinguish between business-to-consumer (B2C) and business-to-business (B2B) relationships.

B2C relationships

The recipient must have explicitly agreed to receive unsolicited commercial communications when he provided his e-mail address. However, there are two exceptions where prior approval is not required:

  • The recipient is already a customer of the company and the marketing messages relate to products or services that are similar to those previously provided.

  • The marketing messages are not commercial in nature.

In any case, the recipient must be informed of the commercial use of his e-mail address and must be able to object to such use.

B2B relationships

Unsolicited electronic commercial communications are authorised provided that:

  • The recipient has been informed at the time his e-mail address is collected that it will be used for the purpose of electronic commercial communications.

  • The recipient is able to object to such use.

Generic e-mail addresses (for example, info@company.com or contact@company.com) are considered as a company's contact details and are therefore not subject to the principle of consent and the right to object.

To fall within the category of B2B relationships, the unsolicited electronic communication must relate to the professional activities of the recipient.

In both B2B and B2C relationships, the sender must always provide its identity and set a simple tool to object to the spam.

If the requirements above are not complied with, the sender can be subject to any or all of the following:

  • An administrative fine (Article 47, Data Protection Act (DPA)).

  • A sanction equivalent to a fourth-class offence fine, which applies per e-mail sent (Article R. 10-1, French Postal and Electronic Communications Code).

  • A criminal sanction (Articles L. 226-18 and L. 226-18-1, French Criminal Code).

 

International transfer of data

Transfer of data outside the jurisdiction

20. What rules regulate the transfer of data outside your jurisdiction?

Under Article 68 of the Data Protection Act (DPA), a data controller cannot transfer personal data to a state that is not an EU member if this state does not provide a sufficient level of protection of individuals' privacy, liberties and fundamental rights.

This principle applies to all transfers, including intra-company or intra-group transfers.

The European Commission recognises that the following states provide a sufficient level of protection:

  • Andorra.

  • Faroe Islands.

  • Jersey.

  • Canada.

  • Isle of Man.

  • Guernsey.

  • Argentina.

  • Uruguay.

  • New Zealand.

  • Switzerland.

  • Israel.

  • Member states of the European Free Trade Association (EFTA).

Transfers to the US can be done in accordance with the US/EU Safe Harbor.

For transfers to other states, personal data transfers are allowed provided that either (Article 69, DPA):

  • The data subject has expressly consented to the transfer.

  • The transfer is necessary for:

    • protection of the individual's life;

    • protection of the public interest;

    • compliance with obligations allowing the acknowledgement, the exercise or the defence of a legal right;

    • consultation of a public register intended for the public's information;

    • performance of a contract between the data controller and the individual, or the pre-contractual measures undertaken at the individual's request; or

    • the conclusion or performance of a contract in the individual's interests, between the data controller and a third party.

If the conditions above are not fulfilled, a personal data transfer is possible if it is authorised by the French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL). The CNIL will assess whether there is an adequate level of protection, which can be reached through the following mechanisms:

  • The data controller uses contractual clauses to set a sufficient level of protection. In this respect, the European Commission has established model clauses that, if adopted, facilitate a CNIL authorisation (see Question 22).

  • Company internal rules that ensure sufficient protection for data transfers within the company.

 
21. Is there a requirement to store (certain types of) personal data inside the jurisdiction?

Under Article 6 of the Data Protection Act (DPA), personal data can be stored if the following conditions are satisfied:

  • Data are obtained and processed fairly and lawfully.

  • Data are obtained for specified, explicit and legitimate purposes, and are not subsequently processed in a manner that is incompatible with such purposes. However, further data processing for statistical, scientific and historical purposes is considered compatible with the initial purposes of data collection, if the data are not used to take decisions relating to the data subjects and the processing is carried out in accordance with the principles and procedures provided for in:

    • Chapter II of the DPA;

    • Chapter IV of the DPA (formalities prior to commencing data processing);

    • section 1 of Chapter V of the DPA (obligations of the data controllers and rights of individuals);

    • Chapter IX of the DPA (processing of personal data for the purpose of medical research); and

    • Chapter X of the DPA (processing of personal medical data for the purposes of evaluation or analysis of care and prevention practices or activities).

  • Data are adequate, relevant and not excessive in relation to the purposes for which they are obtained and their further processing.

  • Data are accurate, complete and, where necessary, kept up-to-date. Appropriate steps must be taken to delete and rectify data that are inaccurate and incomplete with regard to the purposes for which they are obtained and processed.

  • Data must be retained in a form that allows the identification of the data subjects for a period no longer than is necessary for the purposes for which they are obtained and processed.

Data transfer agreements

22. Are data transfer agreements contemplated or in use? Have any standard forms or precedents been approved by national authorities?

Although the use of model clauses approved by the European Commission is not mandatory, the French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL) recognises that the adoption of such model clauses will facilitate the authorisation process and increase legal certainty.

The European Commission has adopted three sets of model clauses:

  • Two sets apply to data transfers outside the European Economic Area (EEA) from one data controller to another, and were adopted in 2001 and 2004.

  • One set applies to data transfers outside the EEA from a data controller to its sub-processor, and was revised in 2010.

On 21 March 2014, the G29 working group (see Question 5) issued a working document on draft ad hoc contractual clauses applying to EU data processors and non-EU sub-processors. This working document provides a new set of clauses to ensure adequate safeguards for the protection of privacy and fundamental rights and freedoms of individuals for transfers of personal data to a sub-processor. This document is currently under the review of the European Commission, which is expected to decide whether the 2010 set of clauses should be amended or supplemented.

 
23. Is a data transfer agreement sufficient to legitimise transfer, or must additional requirements (such as the need to obtain consent) be satisfied?

A data transfer agreement is sufficient to legitimise transfer.

 
24. Does the relevant national regulator need to approve the data transfer agreement?

The French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL) does not need to approve the data transfer agreement. However, the CNIL must assess whether the contractual clauses of the data transfer agreement can ensure an adequate level of protection. Therefore, the CNIL can request to see the data transfer agreement during the authorisation process (if prior authorisation is required).

 

Enforcement and sanctions

25. What are the enforcement powers of the national regulator?

The enforcement powers of the French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL) are set out in Article 44 of the Data Protection Act (DPA).

To date, the CNIL is entitled to:

  • Conduct on-site inspections, on justification and prior authorisation of a judge (Juge des Libertés et de la Détention). The inspection can take place without notice and the person in charge of the premises cannot object to the inspection (although it can appeal against the authorisation after the inspection). During these on-site inspections, the CNIL has access to any storage devices.

  • Request in writing the communication of documents (document review).

  • Conduct hearings.

The Hamon Act No. 2014-344 on consumer protection dated 17 March 2014 has increased the CNIL's investigation powers, enabling the authority to conduct remote online controls. Such controls are conducted within the CNIL's premises. The CNIL then reports any breach to the person controlled. Remote controls are limited to data that are public and accessible. The first online control was conducted in October 2014 and, since then, the CNIL has conducted 58 online controls.

Under the Hamon Act, which is now codified in Article L. 141-1 of the French Consumer Code, the authorities that are in charge of commercial and competition matters can now access relevant information and control compliance with personal data regulations while they investigate a company on any (other) matter. They can then report any infringement to the CNIL. These authorities include the:

  • General Directorate for Competition, Consumers and the Prevention of Fraud (Direction Générale de la Concurrence, de la Consommation et de la Répression des Fraudes) (DGCCRF).

  • Competition investigation inter-regional authorities (Brigades Interrégionales d'Enquêtes de Concurrence) (BIEC).

  • Fraud investigation inter-regional authorities (Brigades Interrégionales d'Enquêtes de Répression des Fraudes) (BIERF).

  • Companies, competition, consumption, labour and employment regional authorities (Directions régionales des entreprises, de la concurrence, de la consommation, du travail et de l'emploi) (DIRECCTE).

  • Local authorities for the protection of population (directions départementales de la protection des populations) (DDPP).

  • Competition Authority.

The CNIL can impose injunctions and fines for non-compliance with data protection laws (see Question 26).

Impeding the action of the CNIL may result in imprisonment for a term of one year and a EUR15,000 fine (Article 51, DPA). In addition, where the CNIL considers that a criminal offence has been committed, it can notify the Public Prosecutor.

 
26. What are the sanctions and remedies for non-compliance with data protection laws?

The French Data Protection Authority (Commission Nationale Informatique et Libertés) (CNIL) can impose various sanctions and remedies. These decisions are taken by a restricted committee.

The CNIL can issue a warning to a data controller that fails to comply with its obligations, and can decide to make the warning public. The CNIL can also impose financial sanctions and injunctions to cease the processing.

If the processing leads to a violation of individuals' rights and liberties (that is, human rights and privacy rights), the CNIL can initiate an emergency procedure to do one or more of the following:

  • Order the interruption of the processing for a maximum period of three months.

  • Issue a warning.

  • Order the lock-up of the processed personal data for a maximum period of three months.

  • Notify the Prime Minister so that the necessary measures are taken to stop the violation.

  • Request the competent court to order in summary proceedings any security measure necessary to protect the rights and liberties at stake.

Regarding financial penalties, the amount of the fine must be proportional to the severity of the breach, as follows (Article 47, Data Protection Act (DPA)):

  • Up to EUR150,000 for a first violation.

  • Up to EUR300,000 for a second violation within five years, for natural persons.

  • For legal entities, up to 5% of the entity's gross revenue up to a maximum of EUR300,000 for a second violation within five years.

The French Criminal Code contains a full set of sanctions for breaches of data protection legislation (Articles 226-16 to 226-24). A criminal fine of up to EUR300,000 and/or five years' imprisonment can be imposed.

 

Regulator details

French Data Protection Authority (Commission Nationale de l'Informatique et des Libertés) (CNIL)

W www.cnil.fr/english/

Main areas of responsibility. The CNIL is responsible for ensuring that information technology remains at the service of citizens, and does not jeopardise human identity or breach human rights, privacy, or individual or public liberties.



Online resources

Legifrance

W www.legifrance.gouv.fr/

Description. Legifrance is the French Government entity responsible for publishing legal texts online. This website provides access to an English translation of the Data Protection Act (www.cnil.fr/fileadmin/documents/en/Act78-17VA.pdf).



Contributor profiles

Jérôme Philippe, Partner

Freshfields Bruckhaus Deringer LLP

T +33 1 44 56 44 56
F +33 1 44 56 44 00
E jerome.philippe@freshfields.com
W www.freshfields.com

Professional qualifications. France, Avocat à la Cour

Areas of practice. Anti-trust, competition law and merger control; state aid; data regulation and privacy; regulatory issues; distribution law; consumer law.

Non-professional qualifications. PhD in economics, Toulouse School of Economics; engineer, Ecole Polytechnique, France

Recent transactions

  • Advising LVMH in the acquisition of Bulgari.

  • Advising General Mills in the acquisition of Yoplait.

  • Advising Yoplait in the French "yoghurt cartel".

  • Advising Etisalat in the acquisition of Maroc Telecom.

  • Advising Pierre Fabre Dermo-Cosmétique in litigation related to the right to impose a ban on Internet sales by retailers.

  • Advising Laboratoires Boiron in a landmark state aid case against ACOSS/URSSAF.

  • Advising Engie in a state aid case in Hungary.

  • Advising Hewlett Packard in litigation related to alleged tying between computers and operating system/software.

Languages.

French, English, Spanish

Publications.

  • Getting the deal through, Merger Control, 2015.

  • Getting the deal through, Telecoms and Media, 2015.

  • Global Antitrust Compliance Handbook, Oxford University Press, 2014.

  • Regulation of international activities (Contrat et Regulation, Revue de jurisprudence commerciale), 2015.

  • Advances and coming challenges of the leniency programmes in the European competition network (ECN), Revue Lamy de la concurrence, April/June 2013.

Aude-Charlotte Guyon, Senior Associate

Freshfields Bruckhaus Deringer LLP

T +33 1 44 56 44 56
F +33 1 44 56 44 00
E aude.guyon@freshfields.com
W www.freshfields.com

Professional qualifications. France, Avocat à la Cour

Areas of practice. Anti-trust, competition law and merger control; state aid; data regulation and privacy; regulatory issues; distribution law; consumer law.

Non-professional qualifications. LLM, University of Northumbria; Master (DEA) in economic law, University of Orléans

Recent transactions

  • Advising Mr. Bricolage in the acquisition of Les Briconautes.

  • Advising Etisalat in the acquisition of Maroc Telecom.

  • Advising Laboratoires Boiron in a landmark state aid case against ACOSS/URSSAF.

  • Advising Engie in a state aid case related to Hungary.

  • Advising Hewlett Packard in litigation related to alleged tying between computers and operating system/software.

Languages.

French, English

Publications.

  • Getting the deal through, Telecoms and Medias, 2015.

  • Global Antitrust Compliance Handbook, 2014, Oxford University Press.

  • Chapter on international cartels in: The Modernisation of Competition Law, edited by Yves Canivet (then President of the French Cour de Cassation).
