Data protection in France: overview
A Q&A guide to data protection in France.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
This article is part of the multi-jurisdictional guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-mjg.
The principal law regulating data protection in France is Law No. 78-17 of 6 January 1978 on data processing, data files and individual liberties, as amended (DP Law). Directive 95/46/EC on data protection (Data Protection Directive) was implemented through Law No. 2004-801 of 6 August 2004, which amended the DP Law. Decree No. 2005-1309 of 20 October 2005 implements certain sections of the DP Law.
Violations of the DP Law can be prosecuted under, among others, Articles 226-16 to 226-24 of the Criminal Code.
There are many specific confidentiality obligations that regulate personal data processing, including in the:
Public Health Code, for example, Articles L. 1110-4, L. 1111-8, L. 1112-3, L. 1121-3, L. 1142-24-4, L. 1343-3, and L. 2132-1.
Monetary and Financial Code, for example, Articles L. 440-4, L. 464-1, L. 464-2, and L. 612-17.
There are also:
Specific requirements for using personal data in the context of e-marketing (Article L. 34-5, Postal and Electronic Communications Code).
More general requirements for using and storing personal data by electronic communications operators (Article L. 34-1 et seq., Postal and Electronic Communications Code).
Laws that do not directly relate to data privacy but can affect personal data processing in some circumstances, such as Article 9 of the Civil Code, which is the basis for the right to privacy of all natural persons (including employees).
Scope of legislation
The DP Act applies to data controllers and data processors (Articles 3 and 35, DP Act).
A data controller is a person, public authority, department or any other organisation who determines the purposes and means of the data processing, unless expressly designated by legislative or regulatory provisions relating to the data processing in question (Article 3, DP Act). A data processor is any person who processes personal data on behalf of the data controller (Article 35, DP Act).
The DP Act regulates personal data. Personal data is any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to him (Article 2, DP Act).
To determine whether a person is identifiable, all means that the data controller, or any other person, uses or may have access to should be taken into consideration.
The processing of personal data, that is, any operation or set of operations in relation to personal data, is regulated whatever the mechanism used, in particular (Article 2, DP Act):
Adaptation or alteration.
Disclosure by transmission.
Dissemination or otherwise making available.
Alignment or combination.
The DP Law applies to both:
Automatic processing of personal data.
Non-automatic processing of personal data that is or may be contained in a personal data filing system, except for processing carried out to exercise exclusively private activities.
The DP Law applies to:
The processing of personal data by a data controller that is established in France or carries out its activity in France in an establishment, whatever its legal form.
A data controller that, although not established in France or in any other EU member state, uses means of processing located in France, except for processing only for the purposes of transit through France or any other EU member state.
Data processing requires one of the following, depending on the type of processing (Chapter IV, DP Law):
Prior authorisation from the regulator (Commission Nationale de l'Informatique et des Libertes) (CNIL). A common example of processing requiring authorisation is the transfer of data to a country that does not offer adequate protection to personal data.
A ministerial order or decree issued by the Supreme Administrative Court (Conseil d'Etat). This requirement generally applies to data processing conducted on behalf of the state.
Filing a simplified prior notification with the CNIL. Common examples of processing requiring a simplified prior notification include processing of HR data, processing of customer data and employee key card management systems, provided certain prerequisites set by the CNIL are met.
Filing a prior notification with the CNIL, when the processing requires neither authorisation, order, decree nor simplified prior notification.
Some types of data processing (for example, payroll processing) are exempt from all notification and authorisation requirements, provided certain prerequisites set by the CNIL are met.
Main data protection rules and principles
Main obligations and processing requirements
All personal data must be (Article 6, DP Act):
Processed fairly and lawfully.
Collected for specific, explicit and legitimate purposes, and subsequently processed in accordance with these purposes.
Collected in an adequate, relevant, and non-excessive way, in view of the purposes for which it is collected.
Accurate, comprehensive and, when necessary, kept up to date.
Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected, or for which it is further processed. Personal data can only be stored beyond this necessary period for processing for historical, statistical or scientific purposes.
In addition, data subjects must be given specific information about the processing of their personal data at the time such data is collected or, if data is disclosed to a third party, at the time the data is disclosed to that third party. As a general rule, all such information must be in French (Law No. 94-665 of 4 August 1994).
Consent may also be required (see Question 9).
The consent of data subjects is required before processing personal data, unless an exception applies (see Question 10) (DP Law). Online consent will suffice.
Implied consent of the data subject is sufficient for processing personal data, unless special rules apply (see Question 11). Under the DP Law, express consent of data subjects is required for:
Any processing of sensitive data, unless an exception applies (see Question 11).
Medical research requiring the collection of biological sample identifiers.
Express consent may be required under other legislation (for example, for other types of medical research under the Public Health Code).
Data processing relating to minors (that is, persons under 18 years old) is subject to the consent of parents or guardians. However, there may be exceptions, for example, collecting the e-mail addresses and ages of minors in order to send them an online newsletter. Generally, the CNIL considers that any processing of sensitive data (see Question 11) relating to minors is strictly prohibited.
In most cases, the CNIL does not consider that employees can freely consent to the processing of their personal data.
If consent is not given, personal data can only be processed if processing is necessary to do any of the following:
Comply with a legal obligation to which the controller is subject.
Perform a contract to which the data subject is a party, or to take steps at the data subject's request before entering into a contract.
Protect the data subject's life.
Perform a public service duty entrusted to the data controller or the data recipient.
Pursue the data controller's or the data recipient's legitimate interests, provided this is compatible with the interests or the fundamental rights and liberties of the data subject.
Certain processing can only be carried out after prior authorisation has been granted by the CNIL (see Question 7). This includes:
Processing genetic data.
Processing, whether automatic or not, data relating to offences, convictions or measures restricting personal liberty.
Processing that may, due to its nature, importance or purposes, exclude persons from the benefit of a right, service or contract, in the absence of any legislative or regulatory provision.
Sensitive data is defined as data that reveals, directly or indirectly, the data subject's (Article 8, DP Act):
Racial or ethnic origins.
Political, philosophical or religious opinions.
Trade union affiliation.
Health or sex life.
The collection and processing of sensitive data are prohibited unless one of the following applies (Article 8, DP Act):
The data subject has given express consent.
The processing is necessary to protect human life and the data subject is unable to give his consent.
The processing relates to personal data made public by the data subject.
The processing is necessary to establish, exercise or defend a legal claim.
In addition, if sensitive data is, within a short period of time, to be made anonymous using a procedure approved in advance by the CNIL, the CNIL can authorise certain categories of processing, by taking into account its purpose.
Further, sensitive data processing is not prohibited if it is both:
Justified by the public interest.
Authorised by the CNIL or by a decree of the Supreme Administrative Court after a published opinion of the CNIL.
Rights of individuals
The data controller must provide, at the time data is collected, information regarding (Article 32, DP Act):
The identity of the data controller and its representative, if any.
The purposes of the data processing.
Whether providing each type of data is compulsory or optional.
The possible consequences of failing to provide data.
The recipients or categories of recipients of the data.
The rights of individuals to access, correct or delete data and to oppose data processing.
Whether data is to be transferred outside the EU, and in that case, specific details regarding the conditions of transfer.
Data subjects are entitled to obtain from the data controller (Article 39, DP Act):
Confirmation as to whether their data is being processed.
Information relating to the purposes of the processing, the categories of processed personal data and the recipients or categories of recipients to whom the data are disclosed.
If applicable, information relating to transfer of the personal data outside the EU.
A copy, in an accessible form, of their personal data, as well as any available information on the origin of the data.
Information allowing data subjects to know and object to the reasoning involved in the processing, where a decision taken based on automatic processing produces legal effects in relation to the data subject.
Data controllers can object to requests that are obviously excessive, particularly due to the number of requests, or if they are repetitive and systematic. The burden of proving the excessive nature of requests is on the data controller.
If a data subject requests access relating to processing involving state security, defence or public safety, the CNIL receives the request and appoints one of its members, who is or was a member of a French Supreme Court or central government audit body (Cour des Comptes), to carry out the necessary investigations. If the CNIL finds, with the agreement of the data controller, that disclosure of the data does not undermine the purpose of processing, state security, defence or public safety, the data can be disclosed to the data subject.
Responses to data subject access requests must be given within two months (Article 94, Decree No. 2005-1309 of 20 October 2005), although the CNIL recommends that responses be given within 30 days.
Data subjects are entitled, on legitimate grounds, to object to the processing of their data (Article 38, DP Act), except if the processing is required by law or if the law or regulation authorising the processing expressly excludes the application of Article 38 of the DP Act to such processing. Data subjects are also entitled to object to the use of their data for marketing purposes.
The data controller must take all useful precautions, in relation to the nature of the data and the risks of the processing, to preserve the security of the data and, in particular, prevent its alteration or damage, or access by unauthorised third parties (Article 34, DP Act).
The CNIL has issued recommendations on how to maintain a proper level of security, in particular:
Adopt a strong password management policy.
Set up a process for the creation and deletion of user accounts.
Identify exhaustively who may have access to the data.
Ensure confidentiality of data in relation to suppliers.
Secure the local network.
Secure the physical access to the premises.
Anticipate the risks of loss or disclosure of data.
Adopt an information systems (IS) security policy.
Train users on information technology (IT) risks.
A data security breach must be reported if it occurs in relation to providing to the public electronic communication services on electronic communication networks with open public access, including those involving data collection and identification systems.
If personal data security has been breached:
The provider of the public electronic communication services must promptly notify the CNIL.
If the violation is likely to breach the personal data security or privacy of a subscriber or any other individual, the provider must promptly notify the party affected.
However, notification of a breach of personal data to the affected party is not required if the CNIL finds that appropriate protection measures have been both:
Implemented by the service provider to ensure that the personal data is made undecipherable to any unauthorised individuals.
Applied to the data affected by the breach.
Alternatively, the CNIL can serve a formal notice on the service provider to inform the affected parties, after the CNIL has investigated the severity of the breach.
Each provider of electronic communication services must:
Keep an up-to-date record of all breaches of personal data, listing in particular the:
measures taken as remedies.
Make the record available to the CNIL on request.
Processing by third parties
Any person who processes personal data on behalf of the data controller is called a data processor or processor (sous-traitant).
The contract between the processor and the data controller must:
Specify the processor's obligations for protecting the security and confidentiality of the data.
Require that the processor can only act on the data controller's instructions.
Any subscriber or user of an electronic communication service (for example, a website) must be informed in a clear and comprehensive manner by the data controller of both the:
Purpose of any cookie.
Means available to object to implementation of the cookie.
Data controllers include, for example, the website operator, but can also include the advertising network or other entity responsible for placing cookies on users' equipment.
The subscriber or user must give his express consent to implementation of a cookie after having received relevant information.
These provisions do not apply if the cookie is either:
Exclusively intended to enable or facilitate communication by electronic means.
Strictly necessary to provide an online communication service at the user's express request (for example, a session ID and a cookie saving user language).
The CNIL has issued guidelines on how to obtain users' consent for placing or accessing cookies (the guidelines are available in French at www.cnil.fr/en-savoir-plus/fiches-pratiques/fiche/article/ce-que-le-paquet-telecom-change-pour-les-cookies).
It is prohibited to send e-mails for marketing purposes to any individual who has not expressly consented to receiving them (Article L. 34-5, Postal and Electronic Communications Code). An exception is where it is authorised by the prior sale exemption (see below).
For data subjects to opt in, no particular wording is required, and there is no specific guidance on acceptable means of demonstrating opt-in consent. However, consent must be clearly shown. Consent should be both:
Obtained by some active mechanism, such as ticking a box.
Accompanied by a clear statement, by which the data subject acknowledges consent to receive solicitations from data controllers, or from data controllers and affiliated entities.
If individuals have consented to receiving e-mails (through opt-in), they must be informed:
With each e-mail, that they are entitled to opt out at any time, free of charge. It is suggested to include an e-mail address or a postal address by which the recipient can opt out.
Of the identity of the entity on behalf of which the e-mails are sent.
Prior consent is not required if the prior sale exemption applies, specifically where:
The e-mail address was collected with the data subject's consent.
The marketing messages relate to products or services similar to those provided to the data subject in the past, by the entity on behalf of which the marketing messages are sent, in the context of a sale or provision of services.
Data subjects can opt out with each e-mail.
There is no specific form of opt-out required. However, the e-mail must include an e-mail address or a postal mail address that data subjects can contact to opt out. In addition, data subjects must be informed of the identity of the entity on behalf of which the e-mails are sent.
For e-mails sent to a professional e-mail address that directly or indirectly identifies an individual (for example, email@example.com), no opt-in is required, provided that all the following apply:
The individual receives information about the fact that their e-mail address will be used for marketing purposes.
The individual has the ability to opt out at any time.
The soliciting e-mail is related to the person's profession.
In all cases, the data controller must offer data subjects the right to:
Object to the use of their personal data (for example, by sending an e-mail for that purpose to a given e-mail address).
Access, rectify, amend or erase their personal information at any time, free of charge.
It is advisable to include an e-mail address that data subjects can contact for the purpose of accessing, rectifying, amending or erasing personal data. Data must be modified or deleted free of charge to data subjects if data subjects so request. The data controller must ensure that someone at this address can process and answer requests in French.
If e-mails are sent to a general business e-mail address such as firstname.lastname@example.org or email@example.com, neither prior consent nor prior information is necessary.
International transfer of data
Transfer of data outside the jurisdiction
Data controllers cannot transfer personal data outside the EU unless the country where the recipient is located provides an adequate level of protection of the individual's privacy, liberties and fundamental rights, relating to the actual or possible processing of his personal data, as determined by the European Commission (Commission).
If the transfer does not provide this adequate level of protection, it requires prior authorisation from the CNIL, based on:
A data transfer agreement between the data exporter and data importer, identical to the EU model clauses.
Binding corporate rules.
An ad hoc data transfer agreement.
In addition, data controllers can transfer personal data to a country not providing an adequate level of protection if the data subject has expressly consented to their transfer, or if the transfer is necessary to do any of the following:
Protect the data subject's life.
Protect the public interest.
Satisfy obligations ensuring the establishment, exercise or defence of legal claims.
Perform a contract between the data controller and the data subject, or to take pre-contractual measures in response to the data subject's request.
Conclude or perform a contract, in the interests of the data subject, between the data controller and a third party.
However, the CNIL strongly discourages reliance on data subject consent, or one of the exceptions listed above, to legitimise a transfer of data outside the EU.
Data transfer agreements
When a data transfer agreement is used (see Question 20), there is no need to obtain consent.
When prior authorisation is required from the CNIL (see Question 20) the actual agreement does not need to be provided to the CNIL unless the CNIL so requests.
Enforcement and sanctions
The CNIL can:
Conduct verifications of data processing and, as the case may be, request a copy of every document that it considers useful, in view of its investigation.
Impose sanctions that vary according to the severity of the violations by the data controller (see Question 25).
The CNIL can:
Issue warnings and notices to comply with the obligations defined in the DP Act.
Order the data controller to cease the breach within a time limit set by the CNIL.
If the data controller does not comply with a notice, the CNIL can impose a fine up to EUR150,000 for a first violation. For a second violation in the following five years, the CNIL can both:
Impose a fine up to EUR300,000 or 5% of the company's turnover (limited to EUR300,000).
Order the data controller to immediately cease the data processing.
(As at 1 June 2012, US$1 was about EUR0.8.)
Various violations of the DP Act are a criminal offence. For example, the violation, even by negligence, of a prior notification requirement is punishable by either (Articles 226-16 to 226-24, Criminal Code):
Up to five years' imprisonment, and/or a fine up to EUR300,000 (for natural persons).
A fine up to EUR1.5 million and/or other sanctions (for legal persons).
The regulatory authority
National Data Processing and Liberties Commission (Commission Nationale de l'Informatique et des Libertes) (CNIL)
Main areas of responsibility. The CNIL is an independent administrative authority. Its main role is to:
Inform data subjects and data controllers of their rights and duties.
Ensure that the processing of personal data is carried out in compliance with the DP Act.
The CNIL is in charge of, in particular:
Authorising and giving its opinion on data processing, and receiving notifications relating to data processing.
Receiving claims, petitions and complaints relating to personal data processing.
Responding to requests from public authorities and courts for an opinion, and advising individuals and bodies that set up, or intend to set up, automatic personal data processing.
Informing the public prosecutor of offences and, as the case may be, giving evidence in criminal proceedings.
Verifications of data processing and, if necessary, obtaining copies of documents or other forms of evidence relating to its investigation.
Responding to requests for access concerning data processing involving state security, defence or public safety, or offences and taxation.
Carol AF Umhoefer
Qualified. New York, US, 1993; France, 2004
Areas of practice. Data protection and privacy; encryption; e-commerce; health and consumer regulation; commercial law (agency, distribution, supply).
- Leading a 15-country project to recommend data transfer and processing solutions, to restructure the HR databases of a French group with 700 entities.
- Leading a regulatory review of 150 IT service offerings under data protection laws, involving six countries.
- Leading a project reorganising a US group's global privacy compliance programme and implementing audit recommendations, involving 22 countries.
- Advising a French group on privacy and IT issues in implementing legal hold procedures and notifications, IT policies, document and archive management policies and reporting procedures.