Racine
What law(s) specifically govern personal data / information?
Regulation (EU) 2016/679 (General Data Protection Regulation – “GDPR”)
The principal data protection legislation in France (and the EU) is the GDPR, which replaced Directive 95/46/EC (“Data Protection Directive”). The GDPR intends to increase the harmonisation of data protection law across the EU Member States.
French Data Protection Act named “Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés”.
What are the key data protection principles in this jurisdiction?:
Lawful basis for processing
The GDPR provides an exhaustive list of legal bases on which personal data may be processed:
- consent of the data subject for one or more specific purposes;
- contractual necessity;
- compliance with a legal obligation of the controller to perform the relevant processing;
- protection of the vital interests of the data subject or of another natural person;
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).
The processing of sensitive personal data requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:
- explicit consent of the affected data subject;
- the processing is necessary in the context of employment or social security law; or
- the processing is necessary for the establishment, exercise or defence of legal claims.
Transparency
Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Purpose limitation
Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
Data minimisation
The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.
Accuracy
Personal data must be accurate and, where necessary, kept up to date.
Storage limitation
Personal data must be stored in a form that permits identification of data subjects for no longer than it is necessary for the purposes for which the personal data was initially collected.
Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Accountability
The controller is responsible for processing of data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in compliance with the GDPR.
What is the supervisory authority / regulator in charge of data protection?
The Commission Nationale de l’Informatique et des Libertés or “CNIL” is the French Supervisory Authority.
Is there a requirement to register with a supervisory authority / regulator?
Prior formalities with the CNIL are not required under the GDPR.
However, formalities are maintained for the processing of data in the health sector, which is subject either to a declaration of conformity to specific requirements defined by the CNIL, or an authorization by the CNIL.
Is there a requirement to notify the supervisory authority / regulator?
Yes, in case of a personal data breach
Is it possible to register with / notify the supervisory authority / regulator online?
Yes : https://notifications.cnil.fr/notifications/index
What are the key data subject rights under the data protection laws of this jurisdiction?
Right to information
Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
Right of access
A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data as listed in Article 15 GDPR.
Additionally, the data subject may request a copy of the personal data being processed.
Right to rectification of errors
Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.
Right to deletion/right to be forgotten
Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the reasons as listed in Article 17 GDPR apply.
Right to restriction of processing
Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.
Right to data portability
Data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers (Article 20 GDPR).
Right to object to processing
Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject or requires the data in order to establish, exercise or defend legal rights.
Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.
Right to withdraw consent
A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.
Right to complain to the relevant data protection authority(ies)
Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.
Right not to be subject to automated individual decision-making
Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling), which produces legal effects or similarly significant effects for the data subject (Article 22 GDPR).
This is a summary only and there are some qualifications and limitations to these rights which may be relevant.
Is there a requirement to appoint a data protection officer (or equivalent)?
Under the GDPR (articles 37 to 39), a Data Protection Officer (“DPO”) must be appointed by organisations:
- that are a public authority or body (except for courts acting in their judicial capacity);
- whose core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
- whose core activities consist of large scale processing of special categories of data or data relating to criminal convictions and offences.
This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.
The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Pursuant to Article 35 GDPR the controller is obliged – prior to the processing – to carry out a data protection impact assessment ("DPIA"), where the type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.
The European Data Protection Board provides a list of 9 criteria for processing operations that require a DPIA. If at least 2 of those criteria are met, then a DPIA is required:
- evaluation or scoring;
- automated decision making with legal or similar significant effect;
- systematic monitoring;
- sensitive data or data of a highly personal nature;
- data processed on a large scale;
- matching or combining datasets;
- data concerning vulnerable data subjects;
- innovative use or applying new technological or organizational solutions; and/or
- processing that would prevent data subjects from exercising a right or using a service or a contract.
The CNIL provides a list of processing activities where a DPIA is required , such as:
- processing of large-scale location data;
- processing of applications; and
- management of public housing.
Does this jurisdiction have any specific data breach notification requirements?
There is an obligation for the controller to notify a breach to the supervisory authority without undue delay, and where feasible, not later than 72 hours after having become aware of it, unless the controller determines that the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
When the personal data breach is likely to result in a high risk to natural persons, the controller is also required to notify the affected data subjects without undue delay.
Where the breach occurs at the level of the processor, it is required to notify the controller without undue delay upon becoming aware of the breach.
The notification to the supervisory authority shall at least describe the nature of the personal data breach, the name and contact details of the DPO or other contact point, the likely consequences of the personal data breach, and the measures taken or proposed to be taken by the controller to address the breach.
The EDPB (European Data Protection Board) has issued guidelines on the data breach notification, detailing requirements for data breach notifications ( Guidelines 9/2022 on personal data breach notification under GDPR and Guidelines 01/2021 on Examples regarding Data Breach Notification ).
What restrictions apply to the international transfer of personal data / information?
International Data transfers (i.e. jurisdictions outside the European Economic Area (“EEA”)) can only take place if the transfer is subject to an “Adequacy Decision” or the recipient has implemented certain safeguards required by the GDPR.
The EU Commission has issued decisions concerning an adequate level of protection on the basis of Article 45 para 3 GDPR for the following countries: Andorra; Argentina; Canada; Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea, Switzerland; and Uruguay. The United Kingdom has been recognised by EU Commission as providing adequate protection under the GDPR and the Law Enforcement Directive.
For a data transfer to all other countries the controller is obliged to ensure compliance for international data transfers:
- The transfer may be based on Standard Contractual Clauses (“SCCs”) drafted by the EU Commission. The SCCs which took effect from 27 June 2021, are available for the following transfers:
- Module 1: controller to controller
- Module 2: controller to processor
- Module 3: processor to processor
- Module 4: processor to controller
- The transfer may be based on contracts agreed between the data exporter and data importer provided that they meet the protection standards outlined in the GDPR. Additionally, prior approval by the relevant data protection authority is key.
- The transfer may be based on Binding Corporate Rules (“BCRs”), in particular within a group of entities. For BCRs prior approval by the relevant data protection authority is needed. Most importantly, the BCRs need to include a mechanism to ensure they are legally binding and enforced by every member in the group of entities.
- The transfer is covered by one of the permitted derogations set out in article 49 (in the absence of an adequacy regulation or appropriate safeguard), such as the explicit consent of the data subject, the transfer is necessary for the performance of a contract between the data subject and data controller at the data subject's request or in the interest of the data subject, or the transfer is necessary for the establishment, exercise or defence of legal claims.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
With regard to its geographic scope, the GDPR combines the principles of establishment, market place and territoriality.
Pursuant to the principle of establishment, the GDPR is applicable for processing activities carried out in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU.
Pursuant to the principle of the market place, the GDPR is applicable for the processing of personal data of data subjects situated in the EU by a controller or processor who is not situated in the EU, where the processing activities are related to (i) the offering of goods or services to such data subjects situated in the EU, irrespective of whether a payment of the data subject is required; or (ii) the monitoring of their behaviour as far as their behaviour takes place within the EU (principle of the territoriality).
What rules specifically deal with marketing?
Specific rules on electronic marketing are contained in the ePrivacy Directive 2002/58/EC.
In France, Article L. 34-5 of the French Code des postes et des communications électroniques regulates electronic marketing.
Do different rules apply to business-to-business and business-to-consumer marketing?
Yes.
Electronic marketing to consumers and to other businesses are not subject to the same rules.
Business-to-consumer electronic marketing requires the consent of the data subject at the time of the collection of their contact details.
However, no consent is required when the data subject is already a customer of the company, and if the “marketing” is not of a commercial nature (e.g. charity).
In any event the data subject, at the time of collection of their contact details, must be informed that it will be used for electronic marketing activities, and be able to easily and freely object to such use.
Business-to-business electronic marketing does not require consent, and is based on the legitimate interests pursued by the company. However, the data subject shall be informed that its contact details will be used for electronic marketing activities, and they shall be able to easily and freely object to such use.
Moreover, the marketing message sent must relate to the concerned individual’s professional activity.
What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?
Yes, see answer above.
What rules specifically deal with cookies?
Yes, EU Cookie Directive and Article 82 of the French Data Protection Act.
Moreover, the CNIL has adopted revised guidelines on September 17, 2020, aimed at proposing examples of practical modalities for collecting consent.
The main principles with respect to the consent are the following :
- consent must be obtained prior to the deposit and/or use of cookies;
- consent must be unambiguous and freely given;
- consent must be specific, informed and evidenced;
- consent shall be revocable, and refusing cookies should be as simple as accepting them.
Information collected by cookies may be retained for a period of up to 13 months. However, information collected via the trackers, for the purpose of audience measurement, can be retained for 25 months.
What are the consequences of non compliance with data protections laws (including marketing laws)?
The GDPR provides for a maximum penalty in the amount of the higher of EUR 20 million or 4% of worldwide turnover (Article 83 GDPR).
In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?
Controllers and processors who are not established in the EEA are generally required under Article 27 GDPR to designate a representative in the EEA where their activities fall within the territorial scope of the EEA data protection regime under Article 3, specifically if they involve processing personal data of data subjects within the EEA in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the EEA.
What upcoming data protection developments should multinational organisations be aware of?
A new Trans-Atlantic Data Privacy Framework was announced in early 2022 with respect to data transfers to the USA
On December 13, 2022, the European Commission issued a draft adequacy decision concluding that the Trans-Atlantic Data Privacy Framework provides an adequate level of protection for personal data transferred from EU to US companies.
The European Commission then formally presented the draft adequacy decision to the European Data Protection Board on January 17, 2023.
The European Data Protection Board now has to issue its own opinion on the framework. The European Parliament may issue a nonbinding position as well.
Based on this feedback, the European Commission may then make revisions before submitting the decision for approval by EU member states.
Only after being approved by EU member states can the European Commission formally adopt a final adequacy decision on the Trans-Atlantic Data Privacy Framework, which could be in effect by spring 2023.