I. Introduction
On June 20, 2018, France adopted Law No. 2018-493 on the protection of personal data, in order to transpose the General Data Protection Regulation (GDPR). This law revises and consolidates the 1978 Data Protection Act.
The National Commission for Information Technology and Civil Liberties (CNIL), as the national supervisory authority, is responsible for ensuring compliance with the GDPR and its implementing texts in France.
France thus has a personal data protection system that complies with European Union requirements.
II. Scope
The implementing texts of the GDPR in France apply:
to any data controller or processor established on French territory;
to any organization established outside France offering goods or services to individuals located in France, or monitoring their behavior on French territory.
Regardless of the place of processing, as long as it concerns personal data of individuals located in France, the law applies.
It covers both automated processing and non-automated processing carried out within the framework of a filing system. Activities of an exclusively personal or domestic nature do not fall within its scope.
III. Data Processing Principles
Lawfulness, fairness and transparency: all processing must be based on a clear legal basis and be carried out in a transparent manner.
Purpose limitation: data may only be used for specified and legitimate purposes.
Data minimization: only strictly necessary data should be collected.
Accuracy: data must be accurate and updated regularly.
Storage limitation: data should only be kept for the strictly necessary period, then deleted or anonymized.
Security and confidentiality: appropriate technical and organizational measures must be implemented to prevent any data breach, alteration or loss.
IV. Rights of Data Subjects
In accordance with the GDPR and French legislation, data subjects have the following rights:
Right to information and access;
Right to rectification;
Right to erasure (right to be forgotten);
Right to restriction of processing;
Right to data portability;
Right to object. For minors under 15, the processing of their data requires the consent of a parent or legal guardian, and information must be provided to them in clear and understandable language.
V. Processor's Obligations
Processors must:
scrupulously follow the written instructions of the data controller;
implement adequate security measures;
assist the data controller in fulfilling its obligations, particularly in responding to requests from data subjects;
notify the data controller without delay in the event of a data breach, who must then inform the CNIL within 72 hours.
Data controllers must keep a record of processing activities and carry out a Data Protection Impact Assessment (DPIA) in case of high risk.
Some organizations must also appoint a Data Protection Officer (DPO) and register with the CNIL.
VI. International Data Transfers
When a transfer to a country outside the EU is envisaged, the data controller must ensure an adequate level of protection. This can be done through:
an adequacy decision by the European Commission;
or the signing of standard contractual clauses (SCCs). Since the invalidation of the "Privacy Shield" on July 16, 2020, French entities must use the new standard contractual clauses adopted on June 4, 2021, or any other legal mechanism.
VII. Control and Enforcement
The CNIL has extensive powers, including:
issuing warnings or formal notices;
limiting or prohibiting certain processing operations;
imposing fines of up to 20 million euros or 4% of worldwide turnover, whichever is higher.
French law also allows individuals to make arrangements for the use of their data after their death. Failing this, processing must comply with current regulations.
The French framework for implementing the GDPR aims to guarantee the rights of individuals, strengthen corporate compliance and promote trust in the digital environment.
VIII. Contact
Store Name: Déco Attitudes
Tel: +33 9 81 97 07 98
Email: info@deco-attitudes.com
Address: 14 rue des Tourneurs, 31000 Toulouse, France
Opening hours: Monday to Saturday, 9:00 AM to 6:00 PM (CET)