FRANCE
French Data Protection Authority website: http://www.cnil.fr/english/
Act No 78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (amended by the Act of 6 August 2004 relating to the protection of individuals with regard to the processing of personal data, and by the Act of 12 May 2009 relating to the simplification and clarification of law and the lightening of procedures)
http://www.cnil.fr/fileadmin/documents/en/Act78-17VA.pdf
What needs to be done prior to collection?
CONTACT THE DATA PROTECTION AUTHORITY:
Notification – Chapter IV – Section 1
Article 22
Automatic processing of personal data must be notified to the ‘Commission nationale de l’informatique et des libertés’ (CNIL), except when the processing falls under the provisions of Articles 25, 26 and 27 (below).
Article 23
The notification shall comprise an undertaking that the processing complies with the requirements of the law. It may be sent to the CNIL electronically. The CNIL will deliver a receipt without delay. The applicant may carry out the processing as soon as the receipt is received (it may be received electronically). The applicant shall not be exempted from any of his responsibilities.
Authorisation – Chapter IV – Section 2
Article 25
The following may be carried out only after authorisation by the CNIL, with the exception of those mentioned in Articles 26 and 27: processing of political, philosophical, medical or sexual life data, genetic data, data on offences or on exclusion from a right, and use of the NIR (i.e. the social security number).
The CNIL shall issue its decision within two months from the date of receipt of the application. However, this period may be renewed by a reasoned decision of its chairman. Where the commission has not given its decision within this time limit, the application for authorisation shall be deemed to have been rejected.
Article 26
An order of the competent minister shall authorise, after a reasoned and published opinion of the CNIL, the processing of personal data carried out on behalf of the State which involves State security, defence or public safety, or whose purpose is the prevention, investigation or proof of criminal offences, the prosecution of offenders, or the execution of criminal sentences or security measures. The opinion of the CNIL shall be issued together with the order authorising the processing.
Article 27
The ‘Council
d’Etat’ shall authorise by decree, taken after a reasoned and
published opinion of the CLIS public processing NIR i.e. social
security number, State biometrics , census, e-government online
services.
The CLIS shall
issue the opinion referred to in Articles 26 and 27 (above) within
two months from the date of receipt of the application. However,
this period may be renewed once by a reasoned decision of the
chairman. Where the commission has not given its decision within
this time limit, the commission’s opinion shall be taken to be
positive.
The information required by the notification/authorisation – Chapter IV – Section 3
Article 30
The notifications, applications to obtain authorisation and requests for opinion sent to the CNIL by virtue of Section 1 and Section 2 above shall specify:
(1) The identity and address of the data controller and of his representative, if any;
(2) The purpose or purposes of the processing, as well as, for processing provided for in Articles 25, 26 and 27, the general description of its functions;
(3) If necessary, the combinations, the alignments or any other form of relation with other processing;
(4) The personal data processed, their origin and the categories of data subjects to whom the processing relates;
(5) The period of storage of the processed information;
(6) The department(s) responsible for carrying out the processing as well as, for the processing provided for in Articles 25, 26 and 27, the categories of persons who, due to their functions or for the needs of their department, have direct access to the registered data;
(7) The authorised recipients or categories of recipients to whom the data may be disclosed;
(8) The function of the person or the department where the right of access provided for by Article 39 (right of direct access) is exercised, as well as the measures relating to the exercise of this right;
(9) The steps taken to ensure the security of the processing and data;
(10) If applicable, any transfer of personal data which is envisaged to a State that is not a Member State of the EC, in any form whatsoever.
CONTACT THE DATA SUBJECT:
Article 32 – Information to provide to the data subject
I - The data controller or his representative must provide a data subject from whom personal data is obtained with the following information, except where he already has it:
(1) The identity of the data controller and of his representative, if any;
(2) The purposes of the processing for which the data is intended;
(3) Whether replies to the questions are compulsory or optional;
(4) The possible consequences for him of the absence of a reply;
(5) The recipients or categories of recipients of the data;
(6) The rights granted to him by Section 2 of this Chapter (rights of individuals in relation to the processing of data);
(7) When applicable, the intended transfer of personal data to a State that is not a Member State of the European Community.
If the data is obtained by way of a questionnaire, the information provided for in Sub-sections (1)-(3) and (6) shall be directly mentioned on this questionnaire.
II - Any person who uses an electronic communication network shall be informed in a clear and complete manner by the data controller or his representative regarding:
- The purpose of any action intended to provide access, by means of an electronic transmission, to information stored in his connection terminal equipment, or to record information in his connection terminal equipment by the same means;
- The means he has to object to such action.
These provisions shall not apply if the access to information stored in the terminal equipment of the user, or the recording of information in the terminal equipment of the user, is:
· Exclusively intended to allow or facilitate communication by electronic means; or
· Strictly necessary for the provision of an online communication service at the user’s express request.
III - Whenever the data have not been obtained from the data subject, the data controller or his representative must, at the time of recording the personal data or, if disclosure to a third party is planned, no later than the time when the data is first disclosed, provide the data subject with the information enumerated in Section I.
What needs to be done prior to shipping?
Transfer of personal data to States that are not members of the EC
Article 68
The data controller may not transfer personal data to a State that is not a Member of the European Community if this State does not provide a sufficient level of protection of individuals’ privacy, liberties and fundamental rights with regard to the actual or possible processing of their personal data.
The sufficient nature of the protection provided by the State shall be assessed taking account in particular of the provisions in force in this State, the security measures that this State applies, the specific characteristics of the processing, such as its purposes and duration, as well as the nature, origin and destination of the processed data.
Article 69
However, the data controller may transfer the personal data to a State not satisfying the conditions provided for in Article 68 if the data subject has expressly consented to their transfer, or if the transfer is necessary, subject to one of the following conditions, for:
(1) The protection of the data subject’s life;
(2) The protection of the public interest;
(3) The meeting of obligations ensuring the establishment, exercise or defence of legal claims;
(4) The consultation, in accordance with legal conditions, of a public register that, according to legislative and regulatory provisions, is intended for public information and is open for public consultation or by any person demonstrating a legitimate interest;
(5) The performance of a contract between the data controller and the data subject, or of pre-contractual measures taken in response to the data subject’s request;
(6) The conclusion or performance of a contract, either concluded or to be concluded in the interest of the data subject, between the data controller and a third party.
What are the sanctions for non-compliance?
Chapter VII – Sanctions which the CNIL may impose
Article 45
I. The CNIL may issue a warning to a data controller who does not comply with the obligations resulting from this Act. It may also order the data controller to cease the breach within a time limit that it determines. If the data controller does not comply with this order, the commission may impose the following penalties on him, after fair proceedings:
1) A financial penalty, within the conditions provided for in Article 47, except in cases where the processing is carried out by the State;
2) An injunction to stop the processing, where the provisions of Article 22 apply to it (notification), or a withdrawal of the authorisation given by virtue of Article 25 (authorisation by the CNIL).
Article 47
The financial penalty provided for in Article 45 shall be of an amount that is proportional to the gravity of the breaches committed and the profits obtained from the breach.
In the case of a first breach, the penalty may not exceed EUR 150,000. In the event of a second breach within 5 years from the date on which the preceding financial penalty becomes definitive, it may not exceed EUR 300,000 or, in the case of a legal entity, 5% of gross turnover for the latest financial year, within a maximum of EUR 300,000.
Whenever the CNIL issues a financial penalty that is final before the criminal court has definitively judged the same or related facts, the criminal court may order the deduction of the financial penalty from the fine it imposes.
The financial penalties shall be collected as State debts, other than taxes and income from State assets.
Please refer to the French Data Protection Authority website for further details on the statute.