Obligations regarding the protection of personal data

Verified 01 April 2022 - Directorate of Legal and Administrative Information (Prime Minister), Ministry of Justice

The collection and processing of personal data (surname, first name, address, social security number, etc.) by companies are subject to obligations intended to safeguard the privacy and individual freedoms of the persons whose data are collected.

Personal data means any information relating to a natural person who is identified or identifiable, directly or indirectly, by means of one or more elements that make it possible to link the data to that person.

This is the case, for example, of a surname, a first name, a telephone number, an email address, an identity card or social security number, an IP address, a photo, or a profile on a social network.

Personal data protection rules apply to the collection, use and retention of data, whatever the medium used (paper, digital, etc.).

The processing of personal data consists of any operation involving personal data, whatever the method used (recording, organizing, storing, modifying, matching with other data, transmitting, etc.).

For example, it may be inclusion in a mailing list for commercial canvassing, the sending of targeted information or a newsletter, or the use of browsing cookies.

FYI  

Processing of personal data may or may not be computerized. A paper file organized according to a filing plan, or paper forms or application files arranged in alphabetical or chronological order, also constitute processing of personal data.

To carry out the processing, the professional must, in most cases, obtain the consent of the person whose data is being collected.

However, consent is not always required. This is the case in particular when the processing is necessary for the performance or preparation of a contract with the person. The same is true when the processing is imposed by law.

Example:

As an employer, a professional may need to collect information about their employees in order to recruit, calculate working hours or draw up payroll.

In addition, personal data must meet the following conditions:

  • Processed lawfully, fairly and transparently
  • Collected for one or more specific purposes (customer knowledge, more efficient processing)
  • Adequate, relevant and limited to the purposes of the processing
  • Accurate and kept up to date
  • Stored for a limited period (they must be deleted after a certain time or anonymised for statistical processing) and secured (protective measures for access to the data, authorization, etc.)

The GDPR applies to all organizations which process personal data, irrespective of their geographical location.

The following persons are affected:

  • Data controllers and their subcontractors (hosting providers, software integrators, communication agencies, etc.) established in the European Union (EU), regardless of where the data is processed
  • Data controllers and their subcontractors located outside the EU, when they carry out processing operations aimed at providing goods or services to European residents. This is also the case when they target them using artificial intelligence techniques (e.g. profiling).

In practice, therefore, the Data Protection Regulation applies whenever a European resident, regardless of nationality, is directly targeted by data collection or processing, including via the internet or connected objects (e.g. home automation devices, physical activity trackers).

Please note

France Num provides instructions for ensuring that your customer file complies with the GDPR.

General obligation of security and confidentiality

The data controller must implement security measures, both for premises and for information systems, to prevent files from being altered, damaged or accessed by unauthorized third parties.

It must take all necessary measures to ensure that personal data protection is respected from the design stage of the product or service onwards.

It is therefore required to limit the amount of data processed from the outset (the principle known as data minimization) and must be able to demonstrate this compliance at any time.

Access to data is reserved to designated persons or to third parties holding a specific and ad hoc authorization (e.g. the tax department).

The data controller must establish a reasonable period of retention of personal information.

FYI  

The declaration obligations have all been abolished, except where provided for by national law (certain processing operations in the field of health or public security carried out on behalf of the State).

Obligation to provide information

The company holding personal data must provide the data subject with the following information:

  • Identity of the file owner
  • Purpose of data processing
  • Mandatory or optional nature of responses
  • Rights of access, rectification, questioning and opposition
  • Transfers of the data
  • Use of browsing data (cookies)

The person processing the personal data (e.g. an online trader) has certain obligations. In particular:

  • Obtain customers' prior consent
  • Inform customers of their rights of access, rectification, opposition and deletion of the collected information
  • Ensure the security of information systems
  • Ensure data confidentiality
  • Specify a data retention period

The purpose of the collection of information must be determined, and the data collected must correspond to that purpose.

FYI  

The age from which a minor can consent alone to the processing of his or her personal data (digital majority) in order to use an online service (social networks, for example) is set at 15 years. Parental consent is required below this age. The information on the processing of the minor's data must be written in clear and simple terms.

Conducting an impact assessment

Where the processing of data poses a risk to the rights and freedoms of individuals, the controller must conduct a privacy impact assessment (PIA).

This impact assessment aims to assess the origin, nature, particularity and seriousness of this risk to the rights and freedoms of individuals.

If the impact assessment identifies a high risk for individuals (e.g. use of banking data, or identity theft) despite the measures put in place to reduce the impact, the Cnil must be informed.

The impact assessment shall cover the following elements:

  • Collection of sensitive information (origin, political, religious or trade union opinions, sex life, health), in particular biometric or genetic data
  • Existence of an assessment of the person (e.g. profiling)
  • Production of files for a particular purpose (statistical studies by Insee or medical research processing, for example)
  • Data transfers outside the European Union

Please note

Data transfers outside the EU are no longer prohibited, but they must comply with several conditions, including that the third country offers an adequate level of protection, as assessed by the European Commission.

Authorization from the Cnil is required if the contractual clauses used differ from the European Commission's clauses.

The transferred data remain subject to EU law, not only for the transfer itself but also for any subsequent processing or onward transfer.

Appointment of a Data Protection Officer (DPO)

The company carrying out data processing and its subcontractors must appoint a Data Protection Officer (DPO) in the following cases:

  • They are part of the public sector
  • Their main activity involves regular and systematic monitoring of individuals on a large scale
  • Their main activity involves the large-scale processing of sensitive data or data relating to criminal convictions and offenses

The DPO is responsible for:

  • Informing and advising the controller (or processor) and its employees
  • Monitoring compliance with European and French data protection law
  • Advising the organization on carrying out an impact assessment and verifying its execution
  • Cooperating with the supervisory authority and acting as the organization's contact point with it

The DPO shall have the following qualities and skills:

  • Communicate effectively and independently (no conflict of interest with other duties)
  • Have expertise in data protection law and practice, acquired in particular through continuous training
  • Have a good knowledge of the organization's business sector and of the organization itself (processing operations, information systems, and the organization's data protection and security needs)
  • Hold an effective internal position enabling them to report to the highest level of the organization
  • Lead a network of relays (within the subsidiaries of a group, for example) and/or a team of in-house experts (IT expert, lawyer, communication expert, translator, for example)

The DPO may come from a technical, legal or other background.

Keeping a register of data processing operations

Company with fewer than 250 employees

It need only record the following processing operations in the register:

  • Non-occasional processing operations
  • Processing operations that may pose a risk to the rights and freedoms of individuals
  • Processing of sensitive data

Other cases

The company is required to keep a register of all processing operations.

The Cnil provides a register template.

Individuals whose data is collected have several rights.

They may exercise them with the data controller.

The name and address of the data controller must appear on the websites visited and in the contracts concluded.

They may also bring class action proceedings before the courts.

Right of access

Persons whose information is collected and processed may request access to their data at any time and without limitation.

Right of rectification and opposition

The persons whose data are collected and processed may request the rectification of the stored data.

They may also oppose their use.

Right to portability

Any person may retrieve the data they have provided in a reusable format and then transfer it to a third party (e.g. a social network).

Right to be forgotten

Everyone has the right to have their data erased and the right to dereferencing (the right to ask a search engine to remove certain results associated with their name).

Right to notification

In the event of a data security breach involving a high risk to individuals, the controller must notify them promptly, except in certain situations (for example, where the data was already encrypted).

It must also notify the Cnil within 72 hours.

This is the case, for example, of a bank that is the victim of an intrusion into its customer computer system. It must inform its customers that third parties have been able to access their personal data.

Right to compensation for material or non-material damage

Any person who has suffered material or non-material damage as a result of the violation of the European Regulation may obtain compensation from the controller (or the processor) for his or her loss.

This is the case, for example, of a person whose health problem has been disclosed.

Group Action

Any person may mandate an association or body active in the field of data protection to lodge a complaint or seek a remedy and obtain redress in the event of a breach involving his or her data.

In the event of a breach of the Regulation, the Cnil may impose administrative fines which may, depending on the category of infringement, amount to 2% to 4% of the annual worldwide turnover of the preceding financial year.

It is the Council that sends a letter to the controller indicating the penalty.

Criminal sanctions may also be added to these administrative penalties. This is the case for offenses related to discrimination, and for endangerment offenses where protective measures are insufficient (e.g. disclosing a person's address).

Finally, victims can ask for damages before civil or criminal courts.
