Selecting a language will automatically trigger the translation of the page content.

Obligations regarding the protection of personal data

Verified 03 April 2019 - Directorate of Legal and Administrative Information (Prime Minister), Ministry of Justice

The creation and processing of personal data (e.g. identification number, name, address, telephone number, photo, IP address) are subject to obligations designed to protect personal privacy and freedoms. New obligations are borne by companies, administrations, communities, associations or other bodies allowing to grant more extensive rights to their customers/users. The sanctions regime is also evolving.

This is any information relating to an identified or identifiable natural person, directly or indirectly, through an identifier or one or more elements specific to his identity.

Examples include a name, first name, email address, location, ID number, IP address, photo, social or cultural profile.

The rules apply when they are used, stored or collected digitally or on paper.

The regulation applies to all processing of personal data, except for exceptions (security files remain regulated by the States and processing in criminal matters for example).

It concerns:

  • Data controllers (companies, administrations, associations or other bodies) and their subcontractors (hosting companies, software integrators, communication agencies, etc.) established in the European Union (EU), regardless of the place where the data is processed.
  • Processing managers and their subcontractors established outside the EU, when implementing treatments to provide goods or services to European residents or when targeting them with algorithmic techniques (profiling technique).

In practice, therefore, the regulation applies whenever a European resident, irrespective of his nationality, is directly targeted by data processing, including via the Internet or through connected objects (e.g. home automation equipment, objects measuring physical activity).

Enhanced consent and transparency

Personal data must be:

  • Treated lawfully, fairly and transparently and collected for specified purposes
  • Explicit and legitimate
  • Adequate, relevant and limited to the purposes of the treatment
  • Accurate and maintained
  • Stored temporarily and securely.

Customers have a right of access to their data and can correct and oppose their use.

Upon request, the company which holds personal data must inform the data subject with the following information:

  • Identity of the file owner
  • Purpose of data processing
  • Required or optional response
  • Rights of access, rectification, questioning and opposition
  • Obligations arising from data transmissions.

Right to data portability

Any person may retrieve, in a reusable form, the data he has provided and then transfer it to a third party (social network for example).

Portability refers only to data collected under contract or consent.

Right to be forgotten

Everyone has the right to erase his data and to dereference (right to ask a search engine to delete certain results associated with his first and last names).

Right to notification

In the event of a data security breach involving a high risk to individuals, the controller must notify them promptly, except in certain situations (e.g. already encrypted data). It must also notify the Cnil: titleContent within 72 hours.

Right to compensation for material or moral damage

Any person who has suffered material or moral damage as a result of the breach of the European Regulation may obtain compensation for the damage from the controller (or subcontractor).

Group Action

Any person may appoint an association or organization active in the field of data protection to make a claim or a remedy and obtain compensation in case of violation of his data.

General obligation of security and confidentiality

The data controller must implement security measures for premises and information systems to prevent the files from being distorted, damaged or accessed by unauthorized third parties.

It must take all necessary measures to respect the protection of personal data from the conception of the product or service.

This means that it is required to limit the amount of data processed at the outset (the so-called "minimization" principle) and must demonstrate this compliance at all times.

Access to the data is reserved only to designated persons or to third parties who hold a special and ad hoc authorization (e.g. tax department).

The data controller must set a reasonable period of time for the retention of personal information.

All reporting obligations are abolished, except for exceptions provided for by national law (certain treatments in the health sector, or in public safety implemented on behalf of the State).

Obligation to provide information

The company which holds personal data must inform the data subject of:

  • The identity of the file owner
  • The purpose of data processing
  • Mandatory or optional nature of responses
  • Rights of access, rectification, questioning and opposition
  • Data transmissions.

The personal data operator (e.g. an online merchant) must comply with certain obligations, including:

  • Collect customer agreement
  • Inform customers of their right to access, modify and delete collected information
  • Ensuring the security of information systems
  • Ensure data confidentiality
  • Specify how long the data should be kept.

The objective of the information collection must be precise and the data must be consistent with that aim.


the digital majority, the age from which a minor can consent alone to the processing of his personal data to use a service on the internet (social networks for example), is fixed at 15 years. Parental authorization is required before this age. The information concerning the processing of the minor's data must be written in clear and simple terms.

Impact assessment in the event of a high risk to the rights and freedoms of individuals

For data processing involving a high risk to the rights and freedoms of individuals, the controller must conduct a Privacy Impact Assessment (PIA) to assess, in particular, the origin, nature, particularity and severity of this risk.

This study is to be presented to the Cnil: titleContent it has not reduced the risk sufficiently to make it acceptable.

The data concerned must cover:

  • Sensitive information (e.g. origin, political, religious, trade union), biometric or genetic information;
  • Assessment of persons (e.g. profiling);
  • Files with a particular purpose (statistical studies of theInsee: titleContentmedical research treatments for example);
  • Data transfers outside the European Union.

Please note

data transfers from outside the EU are no longer prohibited, but they must meet several conditions, including that the third country has an adequate level of protection, according to the European Commission. Authorization for Cnil: titleContent is necessary if contractual clauses differ from those of the European Commission. The transferred data remain subject to EU law not only for their transfer, but also for any further processing/transfer.

Data Protection Officer

The controller and the subcontractor must designate a Data Protection Officer:

  • If their activity is part of the public sector
  • If their main activity leads to regular and systematic monitoring of people on a large scale
  • If their main activity involves the large-scale processing of sensitive data or data relating to criminal convictions and offenses.

The delegate is responsible for:

  • To inform and advise the controller (or subcontractor) and his employees
  • To monitor compliance with European regulation and French data protection law
  • To advise the organization on the conduct of an impact assessment and to verify its execution
  • To cooperate with the supervisory authority and to be its contact.

The Data Protection Officer shall have the following qualifications and competencies:

  • Communicate effectively and perform its functions independently (not having any conflict of interest with other missions)
  • Expertise in legislation and practice (data protection), including through continuous training
  • A good knowledge of the business sector and organization of the organization (processing operations, information systems and the organization's data protection and security needs)
  • An effective internal position to report to the highest level of the organization
  • Facilitate a network of relays within the subsidiaries of a group for example and/or a team of experts in-house (e.g. IT expert, lawyer, communication expert, translator).

The delegate may be a person from the technical, legal or other field.

Other obligations

All organizations (public and private) that process personal data have the obligation to keep a record of all processing.

However, undertakings with fewer than 250 employees must only register:

  • Non-casual treatments
  • Treatments that may pose a risk to the rights and freedoms of individuals
  • Processes involving sensitive data.

In the event of a breach of the Regulation, Cnil: titleContent may impose administrative fines which may, depending on the category of breach, 2% to 4% the annual worldwide turnover of the preceding financial year.

To small and medium-sized and micro-entreprises, do you have a business project, a difficulty or a question ?

Quick and simple public service: you will be contacted over the phone by one of our experts.

Speak with an advisor on Place des Entreprises