Lerins & BCW
The following law(s) specifically govern personal data / information:
The EU General Data Protection Regulation (GDPR); the Loi Informatique et Libertés no. 78-17 of 6 January 1978 in its version updated by the law of 20 June 2018 (the "LIL"); and Decree no. 2019-536 of 29 May 2019, which brought French law into line with the GDPR and with Directive (EU) 2016/680 of 27 April 2016 (the "Police-Justice" Directive), which applies to files and processing in the criminal sphere.
The key data protection principles in this jurisdiction are:
- Lawful basis for processing
The GDPR provides an exhaustive list of legal bases on which personal data may be processed:
- consent of the data subject for one or more specific purposes;
- contractual necessity;
- compliance with a legal obligation of the controller to perform the relevant processing;
- protection of the vital interests of the data subject or of another natural person;
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller’s interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).
The processing of sensitive personal data (special categories of data) requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:
- explicit consent of the affected data subject;
- the processing is necessary in the context of employment or social security law; or
- the processing is necessary for the establishment, exercise or defence of legal claims.
- Lawfulness, fairness and transparency
Personal data must be processed lawfully, fairly and in a transparent manner. Controllers are obliged to provide certain information to data subjects about the processing of their personal data. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
- Purpose limitation
Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.
- Data minimisation
The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which the data are processed.
- Accuracy
Personal data must be accurate and, where necessary, kept up to date.
- Storage limitation
Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected.
- Integrity and confidentiality
Personal data must be processed in a manner that ensures appropriate security of those data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
- Accountability
The controller is responsible for processing data in accordance with the GDPR. In particular, the controller must implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in compliance with the GDPR.
Under the LIL:
- Data subjects have a right to give instructions relating to the fate of their data after their death (art. 40-1).
- Prior consent is required for any technology that writes information to, or reads information from, a user's terminal equipment (art. 82).
- A special and exceptional regime applies to processing carried out under the Police-Justice Directive (chapter XIII), justified because such processing is carried out by the French State for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including protection against and prevention of threats to public security. These rules are not dealt with here as they are outside the scope of this guide.
- Health data processing requires prior authorisation from the CNIL, unless the processing complies with an applicable reference methodology or a CNIL reference framework (référentiel).
Specific French rules in the Public Health Code (Code de la santé publique) also govern health data hosting (permitted only by certified hosting providers), medical secrecy, health data sharing and telemedicine.
Furthermore, to guarantee the exchange, sharing, security and confidentiality of personal health data, digital health services must comply with the interoperability and security reference frameworks drawn up by the Ministry of Health's digital health agency, covering the processing of these data, their storage on a computer medium and their transmission by electronic means.
The use of digital health services requires the electronic identification of their users. This electronic identification relies on a material or immaterial means that guarantees a level of security and of personal data protection appropriate to the digital health service concerned.
A reference system, established by order of the ministers responsible for health and social action, defines categories of digital health services according to the purposes of the service, the type of data processed, the number of users likely to access it, its national or territorial dimension and, where applicable, whether the service is used by health professionals working simultaneously for several legal entities. For each category it sets:
- the minimum assurance level required for electronic identification, with reference to the technical specifications and minimum procedures in the Annex to Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 (on the assurance levels of electronic identification means referred to in Article 8(3) of Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market, "eIDAS"), with, where appropriate, additional requirements on top of the "low" assurance level;
- for professionals, the required means of electronic identification.
The national health identifier must be used to reference the health data and administrative data of any person who is or will be receiving a diagnostic, therapeutic, preventive, pain-relieving, disability-compensating or loss-of-autonomy procedure, or interventions needed to coordinate several of these procedures. The national health identifier may not be used for any other purpose.
The use of the individual's registration number (NIR) in the national register for the identification of natural persons (RNIPP) is limited by the French Data Protection Act and by the "NIR framework" decree (n° 2019-341).
France has set 15 as the age at which a minor has capacity to consent to the processing of his/her personal data in relation to the direct offer of information society services. Where the minor is under 15, the processing is lawful only if consent is given jointly by the minor and the person or persons holding parental authority.
The supervisory authority / regulator in charge of data protection is:
The Commission Nationale de l'Informatique et des Libertés (CNIL) - https://www.cnil.fr/
Is there a requirement to register with a supervisory authority / regulator?
Is there a requirement to notify the supervisory authority / regulator?
No, except for personal data breach notification, which comes directly from the GDPR (art. 33 GDPR and art. 58 LIL), and for health data processing that does not comply with an existing reference methodology (which requires prior authorisation).
Is it possible to register with / notify the supervisory authority / regulator online?
Yes; data breaches are notified through the teleservice on the CNIL website: https://notifications.cnil.fr/notifications/index
The key data subject rights under the data protection laws of this jurisdiction are:
The rights provided under the GDPR:
- Right to information
Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.
- Right of access
A data subject has the right to obtain from a controller certain information in respect of the data subject’s personal data as listed in Article 15 GDPR.
Additionally, the data subject may request a copy of the personal data being processed.
- Right to rectification of errors
Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.
- Right to deletion/right to be forgotten
Data subjects have the right to erasure of their personal data (the “right to be forgotten”) if one of the grounds listed in Article 17 GDPR applies.
- Right to restriction of processing
Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.
- Right to data portability
Data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers (Article 20 GDPR).
- Right to object to processing
Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or requires the data in order to establish, exercise or defend legal claims.
Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.
- Right to withdraw consent
A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.
- Right to complain to the relevant data protection authority(ies)
Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.
- Right not to be subject to automated individual decision-making
Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling) which produces legal effects concerning them or similarly significantly affects them (Article 22 GDPR).
In addition to the rights under the GDPR, the LIL gives data subjects the right to give instructions on the fate of their personal data after their death.
Is there a requirement to appoint a data protection officer (or equivalent)?
Yes – in the conditions provided in the GDPR:
- For government agencies and public organizations;
- For organizations whose core activities include large-scale regular and systematic monitoring of individuals. This may include e.g. profiling people for risk assessments, camera surveillance and monitoring someone’s health via wearables;
- For organizations whose core activities include the processing of special categories of personal data on a large scale.
As provided for in the GDPR, a DPO may also be designated on an optional basis by any entity. Whether the designation is mandatory or optional, the entity must declare the DPO to the CNIL online.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Yes - as provided in the GDPR, a data protection impact assessment (DPIA) is mandatory if the processing is likely to result in a high risk to the rights and freedoms of data subjects. This assessment is made by the controller itself. In any case a DPIA must be performed if an organisation:
- systematically and comprehensively evaluates personal aspects based on automated processing, including profiling, and takes decisions which affect people;
- processes special categories of personal data, or data relating to criminal convictions and offences, on a large scale; or
- systematically monitors a publicly accessible area on a large scale (e.g. with camera surveillance).
The CNIL has published lists of processing operations that are subject to a DPIA and of those exempt from one. These lists describe the type of processing concerned, whether or not it meets the criteria of the EDPB Guidelines on DPIAs, and give examples in each case.
Does this jurisdiction have any specific data breach notification requirements?
The conditions are those of the GDPR (notification to the CNIL without undue delay and, where feasible, within 72 hours of becoming aware of the breach). The CNIL provides a teleservice for notifying breaches; the controller may submit an initial notification and complete it later once it has obtained more information.
The following restrictions apply to the international transfer of personal data / information:
The same restrictions as provided under the GDPR apply.
Under the GDPR, international data transfers (i.e. transfers to jurisdictions outside the European Economic Area (EEA)) may only take place if the destination is covered by an “Adequacy Decision” or the recipient has implemented appropriate safeguards as required by the GDPR.
For transfers to all other countries, the controller must ensure compliance with the rules on international data transfers:
- The transfer may be based on the explicit consent of the data subject, as a derogation for specific situations (Article 49 GDPR).
- The transfer may be based on Standard Contractual Clauses (“SCCs”). The SCCs, drafted by the EU Commission, may be adopted by controllers and processors, supplemented by additional measures where the law of the destination country requires it.
- The transfer may be based on ad hoc contractual clauses agreed between the data exporter and data importer, provided they meet the protection standards set out in the GDPR. Prior approval by the competent data protection authority is required.
- The transfer may be based on Binding Corporate Rules (BCRs), in particular within a group of entities. BCRs require prior approval by the competent data protection authority and, most importantly, must include a mechanism ensuring that they are legally binding on, and enforced by, every member of the group.
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
Yes – as provided under the GDPR, the rules apply to organisations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects located in the EU (Article 3(2) GDPR).
The following rules specifically deal with marketing:
Yes, the law provides for a special regime for commercial marketing by electronic means (see below) and the Supervisory Authority provides various recommendations for marketing by telephone or mail.
Do different rules apply to business-to-business and business-to-consumer marketing?
Yes, article L.34-5 of the French “Code des postes et des communications électroniques“.
Regarding BtoC electronic marketing, the principle is the following: no commercial message without prior information and prior consent of the recipient and right of objection (see below).
There are two exceptions to this principle:
- if the person is already a customer of the company and if the marketing concerns products or services similar to those already provided by the company;
- if the message is not commercial in nature (e.g. charitable).
Regarding BtoB electronic marketing, the principle is the following: prior information and right of objection. The purpose of the marketing must be related to the profession of the person contacted.
In both cases, the person must, at the time of the collection of his/her email address:
- be informed that his/her e-mail address will be used for marketing purposes;
- be able to oppose this use in a simple and free way.
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
Yes, cf. the above-mentioned article L.34-5 of the French “Code des postes et des communications électroniques”.
The French Data Protection Authority (CNIL) has published recommendations on electronic marketing, in particular on sharing personal data with business partners or data brokers: data subjects must give their consent before any sharing of their data with business partners or data brokers, a list of those partners' names must be made available to them, and they must be informed when that list changes.
The following rules specifically deal with cookies:
The main principles confirmed by the CNIL are the following:
- Concerning the consent of users:
Merely continuing to browse a site can no longer be considered a valid expression of the internet user's consent.
Individuals must consent to the deposit of cookies by a clear positive act (such as clicking on "I accept" in a cookie banner). Until they do so, no non-essential cookies may be deposited on their device.
Refusing cookies must be as easy as accepting them.
Users must be able to withdraw their consent easily and at any time.
The organisations operating the trackers must be able to provide, at any time, proof of the valid collection of the user's free, informed, specific and unambiguous consent.
- Concerning the information of the persons:
They must be clearly informed of the purposes of the trackers before giving their consent, as well as of the consequences of accepting or refusing them. To make this easier to read, the CNIL recommends that each purpose be highlighted in a short and prominent heading, accompanied by a brief description.
They must also be informed of the identity of all actors using trackers subject to consent.
- Trackers exempted from the consent requirement:
Some trackers are exempted from the consent requirement, such as trackers used for authentication with a service, those that keep track of the contents of a shopping cart on a merchant site, certain trackers used to generate audience statistics, and those allowing paid sites to limit free access to a sample of the content requested by users.
Other recommendations of the CNIL:
The CNIL recommends that the consent interface include not only an "accept all" button but also a "refuse all" button.
It suggests that websites, which generally retain consent to trackers for a certain period, should also retain a user's refusal for a certain period, so that the user is not asked again on each visit.
In addition, to ensure that the user is fully aware of the scope of his or her consent, the CNIL recommends that, when trackers are used on sites other than the one visited, consent be obtained on each of the sites concerned by the tracking.
The consequences of non compliance with data protections laws (including marketing laws) are:
The GDPR provides for a maximum administrative fine of the higher of EUR 20 million or 4% of worldwide annual turnover (Article 83 GDPR). The French Criminal Code also provides specific offences and penalties for violations of the French Data Protection Act.
Among the most significant CNIL sanctions are:
- SPARTOO (28/07/2020): fine of EUR 250,000 for failure to comply with data minimisation, retention periods, information of individuals, and data security and confidentiality;
- CARREFOUR (18/11/2020): fine of EUR 2,250,000 for failures relating to data retention, information of individuals, the exercise of rights (access, erasure, objection), security and confidentiality of data, and cookies;
- GOOGLE LLC and GOOGLE IRELAND LIMITED (07/12/2020): fines of EUR 60 million and EUR 40 million for cookies deposited without consent, failure to inform individuals and a defective mechanism for objecting;
- AMAZON EUROPE CORE (07/12/2020): fine of EUR 35 million for cookies deposited without consent and failure to inform individuals;
- GOOGLE LLC (21/01/2019): fine of EUR 50 million for lack of transparency, inadequate information and lack of valid consent;
- FUTURA INTERNATIONALE (21/11/2019): fine of EUR 500,000 for inadequate, irrelevant and excessive data, failure to inform individuals, failure to respect the right to object, failure to cooperate with the supervisory authority, and unlawful transfer of data outside the EU.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Depending on its activity, an organisation is advised to refer to the CNIL’s website, which contains a large amount of didactic and precise information and recommendations on many subjects.
Hosting of health data must be carried out by a certified hosting provider. Many specific rules in the Public Health Code also apply to the processing of health data (see above).
Multinational organisations should be aware of the following upcoming data protection developments:
Not at the French level. At the European level, the draft e-Privacy Regulation is currently being debated in the European Parliament after three years of stalemate: in our opinion, it is advisable to be particularly vigilant about this text.