Data protection in France is regulated by the French Act n°78-17 dated 6 January 1978 on Information Technology, Data Files and civil Liberties, amended by Act n° 2018-493 of 20 June 2018 which transposed the General Data Protection Regulation 2016/679 (GDPR).
GDPR applies to any data controller or data processor established in the European Union (EU) who process personal data related to a natural person. It also applies to data controller and data processor not established in the EU, when their processing activities are in connection with the supply of goods and/or services to data subjects in the EU, or to the monitoring of their behaviour within the EU.
"Personal data" corresponds to any information that identifies directly or indirectly a natural person. The data controller is the person who determines the purposes and means of the processing. The data processor processes personal data on behalf of the aforementioned controller.
- The controller must (i) use personal data only after determining its legal framework, (ii) process them in accordance with the laws, and (iii) inform the data subjects of the data collection.
- Data must be collected for specified and legitimate purposes and limited to what is necessary.
- The controller has to to erase or correct inaccurate personal data.
- The storage period must be set in accordance with the purpose.
- Personal data confidentiality must be protected.
- The rights of data subjects must be protected (i.e: the rights of access, rectification, erasure, restriction, data portability, objection).
- It is mandatory to maintain a record of processing activities as well as implement data protection impact assessments (DPIA) when a company is required to nominate a data protection officer (DPO).
Transfers of data outside the EEA are supervised providing that equivalent safeguards to those imposed by GDPR are observed.
The data controller and/or the data processor can be held liable for non-compliance with French data protection law. They may be subject to investigation of the CNIL as well as penalties up to € 20,000,000 or up to 4% of the total worldwide annual turnover of the preceding financial year.