What every CEO needs to know about data privacy in France

What every CEO needs to know about data privacy in France
Digital sovereignty


The following is a guest post by Sonia Hadjadj, a French business lawyer who works with expatriates women entrepreneurs and businesses owner. You can connect with her by email info@hso-avocat.fr & twitter @sonia_hdj

Last month, the Commission Nationale de l’Informatique et des Libertés (the CNIL), the French data protection public agency, opened a procedure to impose sanctions to Google regarding its new privacy policy, after founding it to be in breach of the law

The principal law regulating data protection in France is the law of 6 January 1978 on data processing, data files and individual liberties and the directive 95/46/EC on data protection, implemented into French law (the Data Protection Law). The CNIL has responsibility to enforce the Data Protection Law and has the power to pronounce various sanctions and, in particular, a pecuniary sanction up to €150,000 for the first violation and, if the second violation occurs within five years, up to €300,000 or, for legal entities, 5% of the turnover within the general limit of €300,000.

Does this regulation apply to my company?

The Data Protection Law will apply:

  1. If your company is established in France or carries out its activity in France in an establishment, whatever its legal form or, although not established in France or in any other EU member state, your company uses means of processing located in France, except for processing only for the purposes of transit through France or any other EU member state, and
  2. If your company is considered to be a
  • Data controller:  a person, public authority, department or any other organisation who determines the purposes and means of the data processing, or
  • Data processor: any person who processes data on behalf of a data controller.

What is personal data and processing personal data?

“Personal data” is defined as any information relating to a natural person who is or can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to him. In order to determine whether a person is identifiable, all the means that the data controller or any other person uses or may have access to should be taken into consideration.

Personal data that reveals directly or indirectly, racial and ethnic origins, political, philosophical, religious opinions or trade union affiliation of persons, or that concern their health or sexual life is defined as sensitive personal data.

“Processing of personal data” is defined as any operation or set of operations in relation to such data, whatever the mechanism used, especially the obtaining, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, deletion or destruction.

What are your company obligations when processing personal data?

When processing personal data, you should be aware of the following:

  • Depending on the nature of the data, personal data shall not be processed without giving prior notice to, and/or, obtaining prior approval from the CNIL;
  • Consent of individuals is required before processing personal data, unless an exception applies;
  • The collection and processing of sensitive data are subject to specific requirements.

What are the individuals’ rights?

Your company may have to handle requests from individuals as they have the right to:

  • Require that their personal data be corrected, completed or clarified, or erased;
  • Have free access to all their personal data in clear language;
  • Oppose that their personal data is used for advertising purposes or for commercial purposes or disclosed to a third-party for the same purposes, etc.

Is your company allowed to transfer personal data outside the EU?

Transfer of personal data is allowed to:

  • Countries where there is an equivalent level of data protection (Canada, Switzerland, Argentina, Israel, Guernsey, Jersey, the Isle of Man, Faroe Islands and Andorra) and
  • United States companies covered by the US/EU Safe Harbor principles.

Otherwise, transfer of data outside the EU is subject to restrictions (EU model clauses, etc.)

Remember that consent of the individuals shall be sought prior to the transfer if it had not be granted initially for that purpose.