Data Privacy and Cybresecurity

GDPR Guide to National Implementation: France

A practical guide to national GDPR compliance requirements across the EEA

Article
|
23 min read

France

In this chapter:

Q1/ Applicable legislation

Q2/ Personal data of deceased persons

Q3/ Legal bases for processing

Q4/ Consent of children

Q5/ Processing of sensitive personal data

Q6/ Data relating to criminal offences or convictions

Q7/ Exemptions

Q8/ Restrictions on data subjects’ rights

Q9/ Joint controllership

Q10/ Processor

Q11/ Data protection Impact Assessments

Q12/ Prior authorisation and public interest

Q13/ DPOs

Q14/ International data transfers

Q15/ DPAs

Q16/ Claims by not-for-profit bodies

Q17/ Administrative fines, penalties and sanctions

Q18/ Freedom of expression and information

Q19/ National identification numbers

Q20/ Processing in the context of employment

Q21/ Other material derogations

Q22/ Current legal challenges

Q23/ Enforcement

Q24/ Regulatory Guidance

———

[back to top of page]

 

 

Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

Old legislation has been updated.

———

(b) Relevant legislation includes:

  • French Data Protection Act (as amended by the Law No. 2018-493 of 20 June 2018 on the protection of personal data and by the Decree No. 2018-687 of 1 August 2018) (the “FDPA”)
    • Date in force: 21 June 2018
    • Link: see here
  • Order No. 2018-1125 of 12 December 2018 reorganising the FDPA and various provisions concerning the protection of personal data
    • Date in force: 1 June 2019
    • Link: see here 

———

(c) What is the status of national pre-GDPR data protection law?

The relevant pre-GDPR legislation has been revised.

———

[back to top of page]

 

 

Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

Any person may define general or particular guidelines regarding the retention, deletion and communication of his or her personal data after death:

  • general guidelines concern all personal data relating to the data subject and may be registered with a digital trusted third party certified by the DPA; and
  • particular guidelines concern certain specific data processing activities (e.g., social networks, or online messaging services) and must be provided to the controller.

Generally, information regarding deceased persons (including information contained in a death certificate) may be processed, unless the data subject expressed his or her refusal during his or her lifetime.

———

[back to top of page]

 

 

Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

There are no specific rules governing this issue.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

Processing of personal data for public interest purposes is lawful if duly authorised by the DPA, and if carried out for the purposes of:

  • national security or public safety; or
  • prevention, investigation, detection, prosecution or enforcement of criminal offences or safety measures.

A controller may transfer personal data internationally on the basis that the transfer is necessary to protect the public interest.

The right to be provided with information regarding processing does not apply when the relevant personal data have not been obtained from the data subject and the processing is carried out on behalf of the state and concerns public security, insofar as such limitation is necessary for the purposes of the processing and is provided for in the legislation establishing the processing. It also does not apply when the processing is carried out by public bodies whose task is either to check or recover taxes, or to carry out checks on the activities of natural or legal persons, which may give rise to the detection of an infringement or failure, administrative fines or penalties.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

The processing of personal data carried out on behalf of the State, acting in the exercise of its power, relating to genetic data or biometric data necessary for the authentication or the control of the identity of individuals must be carried out on the basis of a legal obligation, based on guidance from the DPA.

Public authorities and authorised bodies may process personal data for the purposes of prevention, investigation, detection, prosecution or enforcement of criminal offences, including the protection against and prevention of threats to public security. The processing must be subject to a proportionate retention period, taking into account the nature or gravity of the offences in question.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue.

———

[back to top of page]

 

 

Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

15 years of age.

———

[back to top of page]

 

 

Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

All sensitive personal data can be processed if the data subject’s valid consent has been obtained. French law leaves open the possibility that restrictions could be imposed on processing of sensitive personal data for purposes that cannot be based on the data subject’s consent, but no such restrictions have been imposed to date.

———

b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

Employees’ personal data cannot be collected through a device unless the employee has first been properly notified. Depending on the processing activity, employers should consider whether the works council should be informed and consulted prior to the implementation of the means of collection. Subject to the foregoing, employers may process biometric data, to the extent strictly necessary to control access to premises, equipment or applications used in the context of tasks entrusted to the employer’s personnel or service providers.

(ii) Substantial public interest

The processing of sensitive personal data can be justified on the basis of public interest.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

There are no specific rules on processing this category of data.

(iv) Public interest in the area of public health

There are no specific rules on processing this category of data.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

Where processing of personal data is carried out by public archive services for archiving purposes in the public interest, the rights of individuals under Arts. 15-16 & 18-21 GDPR (right of access, right to rectification, right to restriction of processing, right to data portability, right to object, etc.) do not apply, to the extent that these rights make it impossible or seriously interfere with the relevant public interest.

———

(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?

The DPA publishes guidance and template rules for ensuring the security of data processing systems, and to regulate the processing of genetic data, biometric data and health data. The DPA may impose additional rules for processing these categories of data.

The processing by a public authority of genetic data or biometric data necessary for authentication or control of the identity of individuals must be authorised by a decree of the State Council (Conseil d’Etat).

In the case of processing for medical research purposes involving the examination of genetic characteristics, the express consent of the data subject must be obtained before the processing begins, except where the affected data subject cannot be found. Health data providers must hold a certificate of conformity from an accredited certifying body in the EU to process personal data for these purposes.

———

[back to top of page]

 

 

Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

Processing of personal data related to criminal convictions, offences or related security measures may only be carried out by:

  • courts, public authorities and some private parties participating in the provision of a public service, under specific conditions;
  • auxiliaries of justice, only for the purposes entrusted to them by law;
  • any person for the purposes of legal proceedings and enforcement, for a period strictly proportionate to these purposes;
  • IP rights management organisations and professional organisations, for the purpose of ensuring the defence of these rights; and
  • re-users of public information contained in court decisions (i.e., legal databases, open data services providing access to court decisions, etc.), provided that the processing activities carried out have neither the purpose nor the effect of allowing the re-identification of the persons concerned.

———

[back to top of page]

 

 

Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

There are no specific exemptions to the right to erasure.

———

(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?

The right to be provided with information regarding processing does not apply when the relevant personal data have not been obtained from the data subject and the processing is carried out on behalf of the State and concerns public security, insofar as such limitation is necessary for the purposes of the processing and is provided for in the legislation establishing the processing. It also does not apply when the processing is carried out by public administrations whose task is either to check or recover taxes, or to carry out checks on the activities of natural or legal persons, which may give rise to the detection of an infringement or failure, administrative fines or penalties.

———

(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?

The prohibition on profiling set out in the GDPR applies and is subject to the exemptions mentioned in the GDPR. There is a further exemption for individual administrative decisions. For these decisions, the controller must ensure the control of the algorithmic processing and its evolution, in order to be able to explain, in detail and in an intelligible manner, to the data subject, the way in which the relevant processing has been carried out.

———

[back to top of page]

 

 

Q8/ Restrictions on data subjects’ rights

Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?

The rights under Chapter III GDPR may be restricted where personal data are retained in a form which clearly prevents any risk that the data subject may be identified, and where the data is retained for no longer than is necessary for the sole purpose of compiling statistics or carrying out scientific or historical research, under specific conditions.

In addition, the right of access can be limited for processing operations carried out by financial courts in the context of their non-judicial tasks, in particular, where such tasks are likely to reveal irregularities requiring the implementation of court proceedings.

———

[back to top of page]

 

 

Q9/ Joint controllership

Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?

There are no additional rules on apportionment of liability between joint controllers.

———

[back to top of page]

 

 

Q10/ Processor

In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?

There are no additional pieces of legislation.

———

[back to top of page]

 

 

Q11/ Impact Assessments

Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?

The DPA has issued a list of 14 processing activities for which an Impact Assessment is mandatory:

  • processing of health data, carried out by healthcare institutions or medico-social institutions for the care of individuals;
  • processing of genetic data of so-called “vulnerable” persons (patients, employees, children, etc.);
  • processing activities profiling natural persons for human resources management purposes;
  • processing activities for the purpose of constantly monitoring the activity of the employees as data subject;
  • processing for the purpose of managing alerts and alerts on social and health matters;
  • processing activities for the purpose of managing alerts and alerts in professional matters;
  • processing of health data necessary for the establishment of a data warehouse or register;
  • processing involving the profiling of persons who may result in their exclusion from a contract or in its suspension or termination;
  • shared processing of contractual breaches identified, which may lead to a decision to exclude or suspend the benefit of a contract;
  • profiling processes using data from external sources;
  • processing of biometric data for the purpose of recognising persons including so-called “vulnerable” persons (pupils, elderly, patients, asylum seekers, etc.);
  • examination of applications and management of social housing;
  • treatments intended to provide social or medico-social support for people; and
  • large-scale processing of location data.

———

[back to top of page]

 

 

Q12/ Prior authorisation and public interest

Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?

Prior authorisation from the DPA is required concerning processing of personal data carried out on behalf of the state, relating to:

  • national security; or
  • the prevention, investigation, detection or prosecution of criminal offences, or the enforcement of criminal sentences.

To the extent that such processing activities concern sensitive personal data, they must be authorised by a decree of the State Council (Conseil d’Etat).

Processing of health data is subject to compliance with standards issued by the DPA and the National Institute of Health Data (Institut national des données de santé – INDS). Processing of health data that does not conform to these standards may only be carried out with a prior authorisation of the DPA.

———

[back to top of page]

 

 

Q13/ DPOs

(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?

DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.

———

(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?

DPOs are not subject to secrecy obligations under national law.

———

[back to top of page]

 

 

Q14/ International data transfers

(a) Does national law make specific rules about transfers of personal data from public registers?

Public registers are considered to be national treasures and cannot be transferred outside of French territory.

———

(b) Does national law restrict the transfer of specific categories of personal data to third countries?

Data transfers are not subject to restrictions beyond those set out in the GDPR.

———

[back to top of page]

 

 

Q15/ DPAs

(a) Details of the DPA(s).

  • Name of DPA: Commission Nationale de l’Informatique
    et des Libertés
    • Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris CEDEX 07, France
    • Website: cnil.fr 

———

(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?

Not applicable as there is only one DPA.

———

(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?

Not applicable.

———

(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?

The law in France does not grant the relevant DPA any additional powers.

———

(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?

Decisions of the DPA may be appealed to the State Council (Conseil d’Etat) within two months of the notification or the publication of the decision. The appeal filed before the Conseil d’Etat does not suspend the decision—the controller must comply with the provisions of the decision, or the sanction it imposes, while awaiting the result of his or her administrative appeal. Where a decision needs to be appealed urgently, the following applications may be made:

  • an application for summary suspension (called référésuspension) can be filed before a judge on an interim basis, while awaiting a verdict on the merits, if the urgency of the situation justifies the suspension; or
  • an application for a different form of summary suspension (called référé-liberté) can be filed before a judge, in order to seek any measures necessary to safeguard a fundamental freedom that has been seriously and obviously violated by the DPA.

———

(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?

A controller cannot invoke professional secrecy against the DPA in order to prevent the DPA from accessing computer programmes or documents, unless the data relate to correspondence between a lawyer and his client, or are covered by the secrecy of journalistic processing. The DPA may also only access individual medical data covered by medical confidentiality in the presence and under the authority of a doctor.

———

[back to top of page]

 

 

Q16/ Claims by not-for-profit bodies

Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?

Where several individuals suffer harm as a result of a similar breach of data protection law by a controller or a processor, a class action may be brought. The DPA must be informed by the applicant on behalf of the class. This class action may be brought either to prevent continuation of the breach, or to obtain compensation for the harm suffered (or both). A class can only be represented by:

  • An association that has existed for at least five years, whose statutory purpose includes the defence of the infringed interests;
  • an approved consumer association (specifically, CNAFAL, CNAFC, CSF, Familles de France, Familles rurales, UNAF, Adeic, AFOC, Indecosa-CGT, ALLDC, UFC-Que choisir, CLCV, CGL, CNL or Fnaut); or
  • certain trade union organisations.

———

[back to top of page]

 

 

Q17/ Administrative fines, penalties and sanctions

(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?

Administrative fines cannot be imposed on public authorities, as the DPA is part of the administration. Public authorities can only be prosecuted in the courts.

———

(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?

The State may, where necessary, take measures to prevent processing that threatens national security, or take measures with respect to processing of personal data relating to the prevention or detection of criminal offences.

In addition, a breach of the GDPR may result in criminal penalties imposed according to the Criminal Code (up to five years’ imprisonment and fines of up to €300,000 for individuals, or €1.5 million for companies) in the event of certain unlawful processing activities, or failure to notify a data breach to the DPA.

———

[back to top of page]

 

 

Q18/ Freedom of expression and information

(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?

The GDPR does not prevent the application of French civil and criminal laws relating to freedom of the press, which lay down the conditions for exercising the right of reply and which prevent, limit, remedy and, where appropriate, penalise violations of the private life and reputation of individuals.

The FDPA is stricter than the GDPR as the exception concerning the freedom of press only applies to professional journalists and not to “journalistic purposes”, as provided in Art. 85 GDPR.

———

(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?

Processing of sensitive personal data is permitted for purposes of artistic or literary expression. Obligations of retention in a form that allows the identification of data subjects, obligations of controllers (such as informing the data subject of the identity of the controller, purpose of the processing, etc.), right of access, rectification, erasure and obligations concerning data transfer are not applicable if the processing of personal data is carried out for the purpose of artistic or literary expression. There are no specific provisions concerning processing of personal data for the purpose of academic expression.

———

[back to top of page]

 

 

Q19/ National identification numbers

Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?

The processing of national identification data must be authorised by a decree of the State Council (Conseil d’Etat) setting out the categories of controllers and the purposes of the processing activities which may be carried out. There are three limited exceptions:

  • processing for official statistical purposes, carried out by the official statistical service that do not include sensitive personal data relating to criminal convictions, offences or related security measures;
  • processing carried out exclusively for scientific or historical research purposes; and
  • processing carried out for the purposes of online government services.

———

[back to top of page]

 

 

Q20/ Processing in the context of employment

(a) For what purposes can employees’ personal data in the employment context be processed under national law?

The processing of employee data is permitted for the purposes of the employee’s employment contract (i.e., within the scope of the employer-employee relationship) and HR/payroll issues (monitoring of working/ rest time, work authorisation, maternity/paternity leave, absence for religious events, sick leave, etc.).

———

(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?

French law imposes general rules on the preservation of privacy, individual and collective rights and principle of proportionality, and the obligation to provide employees with prior information on processing of their personal data. For example:

  • employers are not normally permitted to perform criminal records checks, unless they can justify such checks on the basis that they are necessary in the context of the employment offered, or are required by law; and
  • employers do not have the right to know the details of an employee’s health, but based on medical certificate, the employer is entitled to know that the employee is on sick leave and whether that sick leave is work-related or not.

———

[back to top of page]

 

 

Q21/ Other material derogations

Are there any other material derogations from, or additions to, the GDPR under national law?

French law does not apply to data processing activities that relate to temporary copies of personal data made in the context of the technical activities of transmitting and providing access to a digital network, for the automatic, intermediate and transitional storage of data and for the sole purpose of allowing other recipients the best possible access to the information transmitted.

———

[back to top of page]

 

 

Q22/ Current legal challenges

Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?

There are no current legal challenges ongoing.

———

[back to top of page]

 

 

Q23/ Enforcement

Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?

The DPA issued a fine of €50 million on 21 January 2019.

The decision is available here www.legifrance.gouv.fr/affichFrench DPA.do?oldAction=rechExpFrench DPA&id=French DPATEXT000038032552&fastReqId=2103387945&fastPos=1
 

 

———

[back to top of page]

 

 

Q24/ Regulatory Guidance

Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?

The DPA has issued the following guidance on the application of the GDPR and/or GDPR implementation law:

  • guidelines on the security of personal data (see here); 
  • GDPR awareness guide for SMEs (see here);
  • GDPR guide for health professionals (see here);
  • GDPR guide for data processors (see here);
  • guide regarding the methodology of Impact Assessments (see here); and
  • list of type of data processing activities for which Impact Assessments are mandatory (see here).

———

[back to top of page]

 

 

White & Case contributors

Bertrand Liard

Bertrand Liard
Partner, White & Case
T +33 1 5504 1503
E bliard@whitecase.com

Bertrand Liard heads the White & Case Intellectual Property and Information Technology Practice in Paris, offering services in both contentious and noncontentious domains.

Bertrand has extensive experience advising clients in the field of privacy and data protection especially in litigation and international contexts. With the increase of regulators’ attention and class actions based on lapses in IT security and breaches of personal data and privacy protection laws, he represents clients in cuttingedge privacy, GDPR and IT litigation and regulatory matters.

His clients include global financial institutions, travel providers, social media companies, leading luxury brands, pharmaceutical, mining and industrial companies, as well as other multinational corporations.

Clara Hainsdorf

Clara Hainsdorf
Partner, White & Case
T +33 1 5504 5852
E chainsdorf@whitecase.com

Clara Hainsdorf is a partner in the White & Case Intellectual Property and Information Technology Practice in Paris.

Clara has a thorough knowledge of legal issues related to information and communication technologies and in relation to complex industrial and commercial contracts. Clara has extensive experience in the field of privacy and data protection especially in litigation and international contexts. She assists her clients with their relationships with the CNIL and other national or local DPA, and advises them on all legal aspects arising from personal data processing, notably, in relation to international data transfers, discovery and investigation procedures, as well as compliance with GDPR and consumer law.

Her clients include social media companies, global financial institutions, hotels, automotive, food & beverage and other industrial companies.

———

[back to top of page]

 

 

Other chapters

———

See also:

Our Global Data, Privacy & Cybersecurity Practice »

GDPR Handbook: Unlocking the EU General Data Protection Regulation »

———

[back to top of page]

 

 

This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP

 

Top