A General Overview of French Data Protection Law

Profession:Lovells, Paris - Intellectual Property, Technology and Media Group

by Alexandre Menais, Marie Marcoux and Sophie des Courtis

The processing of personal data in France is under the control of the CNIL (Commission Nationale de l'Informatique et des Libertés), the National Commission for Data Processing and Liberties. Pursuant to the Law n° 78-17 dated 6 January 1978 (hereafter the "Law"), the processing of personal data encompasses any set of operations which is performed upon personal data by automatic means relative to the collection, recording, development, modification, storage and destruction and any set of operations of the same nature dealing with the usage of files or data bases and interconnexions, consultations or communications of personal data.

The Law states that any automatic processing of personal data on behalf of parties other than the State, public establishments, territorial authorities, or private legal entity managing a public service, must be declared prior to its implementation to the CNIL.


2. Declaration to the CNIL

Two kinds of declarations exist, the normal declaration ("déclaration ordinaire") and the simplified declaration ("déclaration simplifiée"). A simplified declaration may be chosen only if the data processing corresponds to one of the approximate 40 standard processing defined by the CNIL as not infringing privacy or liberties. For instance, employee databases do not correspond to a standard norm, and therefore a normal declaration will be necessary.

The declaration must be completed by the entity implementing such processing, and responses to a certain number of questions must be supplemented by specific exhibits and filed with the CNIL in three copies, either by registered mail with return receipt requested, or by direct filing with the CNIL against receipt. The filing is free.

The duration of database must be disclosed in the application, and shall be limited to the time the information is necessary. This time limit depends on the nature of the data. The personal data processed should also be limited to information that is necessary and must not be excessive for the purposes for which it is being processed.

In practice, a declaration must be sent to the CNIL before the commencement of the operation. The CNIL will check if it has been properly completed and, in the affirmative, deliver a receipt. Such receipt permits the commencement of the operation, but does not prevent the CNIL from carrying out checks during the operation. Indeed, Article 17 of the Law provides that such registration does not exclude the liability of the filing company with respect to the processing of data.

Please note that...

To continue reading