France Data Protection Act: A Comprehensive Guide
As a business owner processing data of French citizens, your business is subject to the regulations set out by the France Data Protection Act. Knowing these regulations is important to ensure that your business remains compliant and avoids those hefty penalties should you not comply.
The Act was created to ensure businesses like yours handle personal data as specified within the regulation. To help you stay on the right side of the law, we have compiled a guide on all your business needs to know about the France Data Protection Act.
Let’s dig in.
Key Takeaways
- The France Data Protection Act is a set of data protection guidelines created to dictate how businesses handle the data privacy of individuals.
- Data used for France's well-being and legal processes is exempt from the Data Protection Act.
- Data subjects have a set of data subject rights that give them more control over their data and protect their data from being misused.
What is the France Data Protection Act?
The France Data Protection Act is a set of data protection guidelines that were created to dictate how businesses handle the data privacy of individuals, including how the data was obtained and where it is from.
The France Data Protection Act is France's interpretation of the GDPR, the European data protection law standard. The Act was created in 1978 and set out broad rules that businesses had to adhere to. In 2018, the Act was amended to remain relevant to how modern data is used while staying loyal to the protections provided in the GDPR.
The Act applies to any person or business that manually or automatically handles the personal data of French citizens, regardless of the location of the data subject or the data controller.
If you're using a third party to process, store or transfer your collected data, you must ensure that the third-party risk management processes comply with the Act.
It is so important that businesses understand this legislation as it is their responsibility to ensure that they guarantee the rights of the data subjects, or else they face the might of the Commission Nationale de l'informatique et des libertés (CNIL).
The CNIL is there to ensure the rights of the data subjects are guaranteed and will also handle any reports of non-compliance with the Act. The CNIL is the national supervisory authority to ensure all data processing is carried out according to the Act and that businesses and data subjects know their rights.
According to the Data Act, all businesses must ensure that all personal data collected is transparent, lawful, and fair. The Act gives French citizens control over personal data collection, distribution and use.
Other key provisions of the French Data Protection Act require that businesses only collect and process the personal information of data subjects after receiving consent that is explicit, informed and unambiguous.
Businesses that do not comply with the regulations or do not obtain consent will face penalties.
Businesses are only to collect and process the data that is necessary and must ensure that the collected data is accurate. Businesses are also responsible for implementing effective data security measures to protect collected data from cybersecurity risks such as data breaches.
The most important provision that your business needs to comply with is ensuring that you are not violating the data subjects' rights as outlined in Article 40-1 of the Act.
Who is Covered Under the France Data Protection Act?
To ensure that your business does not face harsh penalties for improperly handling personal and sensitive information, you should check if your business is covered under the France Data Protection Act.
Material scope refers to both personal and sensitive data that is collected, with some exceptions made for data collected for legal purposes, national security and risk to life. All private and public data handlers must legally adhere to this Act.
The second scope of coverage is territory, where businesses must pay careful attention to ensure compliance. Businesses located inside France's jurisdiction are covered under the Act. Businesses outside of France that process the personal information of data subjects within France are subject to this Act as well.
In addition to those mentioned above, public establishments like government departments, bodies, and organizations that collect, store, and process sensitive and personal data about a data subject are also required to comply with the regulations set out by this Data Protection Act. Any business, individual or data controller that uses a third party to store, distribute or collect data is also covered under this Act and needs to be compliant as well.
Exceptions to FDPA
Some businesses or collected data are exempt from the requirements set out by the French Data Protection Act. This applies to the collection of data that is vital to the well-being and stability of France.
Some data exceptions outlined in Article 44 of the Act include:
- Collected data deemed necessary for preventive medicine, treatment administration, and medical diagnosis.
- Health data that is in the interest of the French public as specified in Section 3 of Chapter III of the Act.
- Data collected by the French National Institute of Statistics and Economic Studies for statistical purposes.
- Personal data that was made public.
- Biometric data used to control access to workplaces, including all equipment inside.
- Public data collected and processed for court decisions.
- Data collected and processed for research in the public's best interest.
- Personal data collected by educational and social support institutions, private or public educational institutions and judicial representatives.
Medical and government fields may require consent in the form of authorization from the CNIL to process health data for study, research and evaluation purposes. The CNIL has two months to grant authorization, and failure to do so means automatic authorization as outlined in Article 66 of the Act.
Data Protected Under the France Data Protection Act
The France Data Protection Act was designed to protect all French citizens from privacy violations. This applies to both automated and manual collection and processing of personal data. According to Article 6 of the Act, personal data that is covered includes the following:
- Racial or ethnic origins
- Religious or philosophical beliefs
- Political beliefs
- Trade union membership
- Genetic data
- Biometric data
- Details about the data subjects' sexual health or sex life
- The data of a minor
This data is subject to exemption according to Article 9 of this Act if the data is in the best interests of the country's safety. Other data covered by the France Data Protection Act includes data specified within the GDPR.
For data handlers to collect and process the above personal data, they must first receive explicit consent from the data subject, or else they will face penalties.
The CNIL specifies that the processing of personal data remains covered by the Data Protection Act regardless of the mechanism used to obtain the data. For example, the Act protects all personal data obtained via collection, recording, third-party organizations, consultation, retrieval and disclosure.
Personal data collected through a business's human resources management is also covered under the Act, for example personal data gathered for recruitment, client files, CCTV, payroll and electronic devices.
Data Subject Rights Under the France Data Protection Act
In France, data subjects have been given a list of rights to be guaranteed by data handlers under the France Data Protection Act and the GDPR. The data subject rights provided in the France Data Protection Act are based on the rights outlined in Articles 12 to 14 of the GDPR.
Right to Access
The first data subject right within the general data protection regulation is the right to access. According to Article 48 of the Act, data subjects can obtain data collected directly or indirectly from them.
Provisions are also made for the event of death: under Article 48 of the Act, data handlers have to inform the data subject of the guidelines governing how their personal data is dealt with after death.
Article 118 of the Act dictates that a data subject may exercise their right of access through the CNIL, which will facilitate the release of their data by the data handler.
However, there are limitations to the right of information demanded by the data subject. For example, information that was collected for the following purposes can be exempt from this right:
- Processed data relating to legal cases, investigations and the prosecution of criminal offences, as outlined in Articles 107 and 108 of the Act.
- Processed data in the public's best interest for historical, research or statistical purposes, as Article 70 of the Act outlines.
- Processed data for journalistic or artistic purposes as Article 80 of the Act outlines.
Right to Rectification
According to Article 50 of the Act, the data subject can request that the data controller amend or update the collected data as they require. This is done at no extra cost to the data subject and without undue delay.
Businesses that have received a rectification request need to inform the data subject of the status of the amendment, for example, if and why delays are to be expected. The data controller will then notify the subject once the data has been changed.
Limitations to this right include data that was obtained for use in legal proceedings. According to Article 107, the data subject cannot request that such data be amended.
Right to Erasure
The data subject may also request from the data controller that all their collected and processed data be erased, including stopping the processing of already collected data. This is outlined in Article 51 of the Act. However, certain limitations can be applied to the right of erasure if the data collected was for legal proceedings.
In addition, data subjects are allowed to request the deletion of data that is:
- Inaccurate
- Ambiguous
- Incomplete
- Out of date
- Prohibited from collection, use and storage
Right to Restrict Data Processing
Under Article 21 of the GDPR and Article 56 of the Act, data subjects can opt out of or object to data processing. This includes restricting how their data is collected and processed or stopping a data controller from processing it entirely. If a data controller feels the request cannot be granted, the matter must be taken to the CNIL.
However, Article 56 does state that this right cannot be exercised if the data collection is legally required, for example, for tax purposes. Suppose your business is processing data for marketing purposes. In that case, the data subject is well within their rights to object, and if your business wants to avoid hefty fines, you should stop processing immediately.
Right to Withdraw Consent
The France Data Protection Act makes it clear that businesses need to obtain consent from the data subject before collecting and processing their data. Data subjects also have the right to withdraw previously given consent. Once consent has been withdrawn, your business must stop processing their data.
If the data subject feels that their right to withdraw has been violated, they can approach the CNIL, who will determine if and what penalties will be handed to the data controller.
Checklist for Businesses to Comply with the France Data Protection Act
To avoid hefty penalties due to non-compliance with the French Data Protection Act, businesses must fulfill all obligations. By implementing this checklist, your business can stay on the right side of French law.
Obtain Consent (for data protected under this law)
Businesses must ensure that they are obtaining consent before collecting and processing data that is protected under the law. Consent can be given in multiple forms as long as it is explicit and unambiguous, according to Section 2 Article 8 of the Act.
When obtaining consent, businesses must be clear about what they are using the data for and the legal basis of the data so that the data subject knows exactly what they're giving consent to.
Have a Transparent Privacy Policy
According to the Data Protection Act, all businesses handling French citizens' data must have a privacy policy that is transparent and comprehensive. This privacy policy should be visible on their website and must be communicated to the CNIL.
The privacy policy should include the following:
- The purpose of data processing
- The categories of data collected (personal or not)
- The rights of data subjects
- Who the collected data is disclosed to
- The period for which the data is kept
Ensure Only Necessary Data is Collected and Retained
Businesses should practice data minimization by only collecting and processing necessary data. In addition, businesses should ensure that all collected data is up-to-date and accurate.
Set Up Strong Security Mechanisms
The GDPR and the France Data Protection Act require that all data handlers in France have appropriate security measures. To help businesses keep their data secured, in 2008 the CNIL put together a guide businesses can use.
Some of these data protection measures include:
- Securing websites and servers with some kind of encryption
- Identifying the possible threats
- Creating plans for each threat
- Educating users on the privacy risks
- Authenticating users
- Protecting internal networks
- Making use of a DPIA (more on that below)
Appoint a Data Protection Officer
It is in the best interest of data controllers to appoint a data protection officer (DPO) if they are handling large volumes of personal data or sensitive data. The DPO ensures that all the collected and processed data complies with the French Data Protection Act.
The DPO will also be the first point of contact between the CNIL, the data controller, and the data subjects. The CNIL instructs that the DPO resides inside the French jurisdiction and has the correct qualifications.
Conduct DPIAs (for sensitive data)
A Data Protection Impact Assessment is used by businesses handling large amounts of sensitive data to identify potential security risks and how to mitigate them. Businesses can use DPIA software that automates these assessments for convenience to ensure enhanced compliance with French law and protect their business from a data breach.
Notify When Data Breaches Occur
The French Data Protection Act rules that data handlers must report to the CNIL as soon as a data breach has occurred. This will be your DPO's responsibility. However, the Data Protection Act does not provide an actual timeline.
Businesses will also need to inform the affected data subjects that their data has been breached.
Follow Cross-Border Data Transfer Guidelines
The France Data Protection Act has strict requirements that businesses must meet to carry out cross-border data transfers.
The guidelines are:
- The destination of the data is in a whitelisted jurisdiction
- There is a binding contractual obligation
- The data handler in the destination country has its own data protection measures
Penalties for Non-Compliance with the France Data Protection Act
In addition to the penalties handed out by the GDPR, the France Data Protection Act also has its own set of penalties for businesses that do not comply. Administrative remedies and civil penalties can attract fines of €20 million or 4% of the total worldwide turnover of the preceding financial year.
Negligent processing of personal data, using an unauthorized third party to process data, or failing to obtain consent can incur fines of EUR 300,000 per violation or be punishable by five years of imprisonment under the FDPA as well.
The CNIL is the authoritative body of all rulings concerning the Data Protection Act. If businesses do not follow CNIL’s orders, they can face up to one year of imprisonment and a fine of EUR 15,000.
Ensure your business remains compliant to avoid hefty penalties or potential jail time, along with dozens of other indirect penalties like loss of reputation.
Closing
Suppose your business handles the personal data of data subjects within the French jurisdiction. In that case, you must ensure that your business remains compliant by following the rules set out by the France Data Protection Act.
These regulations can be complex, so having Captain Compliance, a global compliance services specialist, on your side is a good idea.
We offer both corporate compliance and outsourced compliance solutions, like compliance training, to help you comply with all the French Data Protection Act regulations. Get in touch with Captain Compliance today.
FAQs
What is the GDPR law in France?
The GDPR is enforced in France alongside the France Data Protection Act, France's take on the GDPR.
Does France comply with GDPR?
As France is a member of the European Union, it must comply with the GDPR. However, France has created its interpretation of the GDPR, known as the France Data Protection Act.
The GDPR has many key principles and requirements you need to learn.
What is the GDPR authority in France?
In France, all data controllers must report to the CNIL, Commission Nationale de l'informatique et des libertés, the French Data Protection Authority.
Knowing how and when to report data breaches under the GDPR is important.
What are the requirements for DPO in France?
To appoint a DPO in France, the person must reside within French jurisdiction and have the relevant qualifications.