🇫🇷 France

Informations

Extracts :

Extract :

"The Bill does not contain provisions on this matter."

2022

Reference :

GDPR vs countries' comparison | DataGuidance

Comparison of GDPR vs countries' data protection laws, definitions etc. - IND

Extract :

The GDPR protects persons, despite their nationality or location.

2016

Reference :

General Data Protection Regulation

GDPR articles and chapters

Link to reference

Extracts :

Extract :

"Article 3 of the Act provides that all the provisions of the Act apply to the processing of personal data carried out in the context of the activities of an establishment of a data controller or a data processor on the French territory, whether or not the processing takes place in France."

Reference :

France Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extracts :

Extract :

"As long as the processing concerns personal data, the Act applies whether the data controller or proces- sor is a legal or natural person, public or private."

2022

Reference :

France Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extracts :

Extract :

Reference :

France Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extract :

Reference :

France Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extracts :

Extract :

"The GDPR applies to organizations that have a presence in the EU. In particular, per Article 3, the GDPR applies to entities or organizations established in the EU, notably entities that have an 'establishment' in the EU or if processing of personal data takes place in the context of the activities of that establishment, irrespective of whether the data processing takes place in the EU or not."

2021

Reference :

Italy Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extract :

2022

Reference :

Canada Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

There is nothing in the official text on this.

Reference :

What personal data is considered sensitive?

Information on sensitive data in the GDPR

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Filled on the basis of extract ID 822 (for EU) which should apply.

2016

Reference :

What are the GDPR Fines?

Information on GDPR fines

Link to reference

Extracts :

Extract :

Filled on the basis of extract ID 843 (for EU) which should apply.

2016

Reference :

What are the GDPR Fines?

Information on GDPR fines

Link to reference

Extracts :

Extract :

Data entered based on reference.

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

"The Act provides for an individual compensation procedure in relation to class actions (Article 37 of the Act). Class actions for consumer and competition law breaches were implemented in 2014 and their scope was extended in 2016 to other matters including personal data protection, discrimination, labour law, environmental law and health. Therefore, although data protection class actions are not new under French law, their scope was limited before the GDPR as they were only aimed at stopping a breach and did not provide for the possibility for data subjects to claim compensation. These compensation claims are now possible in court under the GDPR regime as included in Chapter 1 of Title V of the Act No. 2016-1547 (only available in French here) and Chapter X of Title VII of Book VII of the Code of Administrative Justice (only available in French here) provides procedural provisions dealing with class actions brought before a competent civil or ad- ministrative court. "

2022

Reference :

France Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Filled on the basis of extract ID 864 (for EU) which should apply.

2016

Reference :

General Data Protection Regulation

GDPR articles and chapters

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Based on value in 469 (general GDPR) which should apply to this case.

2016

Reference :

General Data Protection Regulation

GDPR articles and chapters

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Filled on the basis of extract ID 469 which applies for EU and should apply here as well (GDPR).

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

"The Act provides that the right of the data subject to object to processing can be exercised under the conditions of Article 21 of the GDPR (Article 56 of the Act)."

Reference :

France Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extracts :

Extract :

"The Act does not implement variations of GDPR on the right to data portability, as it expressly refers to Article 20 of the GDPR."

Reference :

France Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extracts :

Extract :

"There are no variations of the GDPR.Article 47 of the Act expressly forbids that a court decision involving an assessment of a person's conduct may be based on an automatic processing of personal data intended to evaluate certain aspects of the person's personality. Article 47 of the Act also provides that no decision which has legal effects on or significantly affects a person may be taken solely on the basis of automated processing of personal data, including profiling. However, according to Article 47 of the Act, and excluding the event where the administration decides on an administrative appeal, this last prohibition is limited in some cases:"

Reference :

France Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extracts :

Extract :

"8.1. Right to be informed Article 48 of the Act expressly refers to Articles 13 and 14 of the GDPR for the conditions of right of information's application. These articles list the information that the controller shall give to data subjects when personal data is collected directly from them or collected indirectly. In addition to the information provided for in Articles 13 and 14 of the GDPR, Article 48 of the Act also provides that the controller shall give information to the data subject"

Reference :

France Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

"8.2. Right to access Variations within the Act on the GDPR's right to access consist of the following. For processing operations carried out by public administrations and private persons entrusted with a public service mission whose task is to monitor or recover taxes, according to Article 52 of the Act, the right of access shall be addressed to the CNIL. For processing carried out by the financial courts in the context of their non-judicial tasks as provided for by the Code of Financial Courts (only available in French here), Article 52 of the Act provides that the right of access may be restricted under the conditions laid down in of Article 23(1) (e) and (h) of the GDPR."

Reference :

France Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extracts :

Extract :

"8.3. Right to rectification Regarding the right to rectification, Article 50 of the Act explicitly refers to Article 16 of the GDPR. Variations within the Act on the GDPR's right to rectification consist of the following."

Reference :

France Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extracts :

Extract :

"8.4. Right to erasure Article 51 of the Act expressly refers to Article 17 of the GDPR for the implementation of the right to erasure. Nevertheless, this right is subject to the limitations provided in Article 17 and additional limitations provided for in the Act:"

Reference :

France Data protection overview | DataGuidance

(Data Protection Overview 2021)/ DataGuidance reports

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2022

Reference :

International Data transfer Agreements | DataGuidance

Comparison of international data transfer agreements

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Filled based on value observed in extract ID 301 (GDPR) which should apply here as well.

2016

Reference :

General Data Protection Regulation

GDPR articles and chapters

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

"PIPA does not explicitly refer to the term 'accountability,' however it states that 'the data handler shall endeavour to obtain the trust of data subjects by observing and performing such duties and responsibilities as provided for in PIPA and other related statutes.' Furthermore, accountability can be taken to apply to other requirements, including the appointment of a Privacy Officer and establishment of a privacy policy."

2021

Reference :

GDPR vs countries' comparison | DataGuidance

Comparison of GDPR vs countries' data protection laws, definitions etc. - KOR

Extracts :

Extract :

"The PIPL does not contain a specific provision for the principle of accountability. However, Article 9 of the PIPL states: Personal information handlers shall bear responsibility for their personal information handling activities and adopt the necessary measures to safeguard the security of the personal information they handle."

2021

Reference :

GDPR vs countries' comparison | DataGuidance

Comparison of GDPR vs countries' data protection laws, definitions etc. - CHN

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extract :

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extract :

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extract :

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extract :

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extract :

Extracts :

Extract :

Extracts :

Extract :

There is no comment by DataGuidance.

2022

Reference :

GDPR vs countries' comparison | DataGuidance

Comparison of GDPR vs countries' data protection laws, definitions etc. - RUS

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Extracts :

Extract :

Data entered based on reference.

2023

Reference :

Global Data Security Handbook

BakerMckenzie

Link to reference

Actors
Name	Short name	Classification	Jurisdiction	Year of creation
French Data Protection Authority (CNIL)	CNIL	Regulator	Independant agency	1978
Autorité de la Concurrence (Competition Authority)		Regulator	Independant agency	2008
Autorité de régulation des communications électroniques, des postes et de la distribution de la presse (ARCEP)		Regulator	Independant agency	1997
Ministry of Economy, Industry and Digital Affairs		Regulator	Ministry	1958
Ministry of Culture		Regulator	Ministry	1959

Texts
Legal text name	Original text name	Legislation type	Year signed	Regulation status	In effect since	Latest update initiated	Latest update areas	Latest update signed year
General Data Protection Regulation (GDPR)	Act 78-17 on Data Processing, Data Files and Individual Liberties	General privacy/data protection law	1978	Active	1978	2016		2018

🇫🇷 France

Data subject classification

Citizens outside their jurisdiction are considered as data subjects : Yes

Persons within their jurisdiction are considered as data subjects : Yes

Legal entities are considered as data subjects : Yes

Data controller definition and responsibilities

Organizations located outside the jurisdiction processing regulated subjects data are considered as data controllers within the personal data legislation : Yes

Organizations with economic activities within the jurisdiction are considered as data controllers within the personal data legislation : Yes

Differentiation between how data controller and data processor are defined : Yes

Organizations located outside the jurisdiction monitoring regulated subjects data are considered as data controllers within the personal data legislation : Yes

Special/sensitive personal data definition

Definition of personal data that are "special" or "sensitive": financial data : No

Definition of personal data that are "special" or "sensitive": genetic data : Yes

Definition of personal data that are "special" or "sensitive": medical/health data : Yes

Definition of personal data that are "special" or "sensitive": biometric data : Yes

Definition of personal data that are "special" or "sensitive": criminal records data : Yes

Definition of personal data that are "special" or "sensitive": racial/ethnic origin : Yes

Definition of personal data that are "special" or "sensitive": political opinions : Yes

Definition of personal data that are "special" or "sensitive": religious/philosophical beliefs : Yes

Definition of personal data that are "special" or "sensitive": trade union membership : Yes

Definition of personal data that are "special" or "sensitive": geo-location data : No

Legal bases for data processing

Potential legal bases for processing personal data: appropriate notice has been provided to or made available to the data subject : No

Potential legal bases for processing personal data: the data subject has provided consent to the processing for the identified purposes : Yes

Potential legal bases for processing personal data: the personal data is necessary to perform a contract with the data subject : Yes

Potential legal bases for processing personal data: the personal data is necessary to comply with a legal obligation : Yes

Potential legal bases for processing personal data: the personal data is necessary to protect the vital interests of a natural person : Yes

Potential legal bases for processing personal data: the personal data is necessary for a public interest : Yes

Potential legal bases for processing personal data: the personal data is necessary to fulfil a legitimate interest of the controller or third party : Yes

Enforcement and penalties

Provision of administrative penalties by laws : Yes

Max value of monetary penalties for violations (in euros) : 20000000

Consideration of turnover rates for penalties? : Yes

Provision of criminal penalties - fines : Yes

Subject private remedies - presence of individual personal actions? : Yes

Subject private remedies - representative actions? : Yes

Subject private remedies - class actions? : Yes

Subject private remedies - file complaints with Data Protection Authorities? : Yes

Provision of criminal penalties - imprisonment : No

Data processing and security controls

Audit or supervise Data Processors : Yes

Requirement of a DPIA : Yes

Ensuring encryption/pseudonymisation as a security control : Yes

Requirement for Controller to notify subjects of a data breach : Yes

Requirement for Controller to notify DPA of a data breach : Yes

Requirement for Processor to notify controller of data breach : Yes

Requirement for Processor to notify DPA of data breach : No

Requirement for Processor to notify subjects of data breach : No

Obligation to maintain information security control to protect personal data from unauthorized access or processing: general technical/physical/organizational security controls : Yes

Rights of data subjects

Right to object data use or/opt out : Yes

Right to data portability : Yes

Right against automated decision making : Yes

Right to be informed : Yes

Consent required for processing children's data : Yes

Right to access information : Yes

Right to rectification : Yes

Right to erase : Yes

Right to withdraw consent : Yes

Right to restrict data processing : Yes

International data transfer and data localization

Legal basis for international data transfer: approved jurisdictions : Yes

Legal basis for international data transfer: approved standard contractual clauses : Yes

Legal basis for international data transfer: derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims : Yes

Legal basis for international data transfer: binding corporate rules : Yes

Data localisation requirements: retention of personal data in local jurisdiction : No

Data localisation requirements: tax or financial record laws : Yes

Legal basis for international data transfer: EU/EEA adequacy : Yes

Legal basis for international data transfer: Convention 108 : Yes

Data localisation requirements: national security laws : No

Legal basis for international data transfer: APEC CBPRs : No

Data localisation requirements (such data is part of another type of record or dataset): retention or storage of personal data in the local jurisdiction or otherwise prohibit the transfer or disclosure of the personal data outside of the local jurisdiction : Yes

Data localisation requirements: anti-investigatory/blocking statutes that restrict any activity on local territory that aids a foreign government investigation : Yes

Data localisation requirements: other data localization regulations (export control laws/medical laws/employment laws etc.) : Yes

Data protection officer (DPO) requirements

Consulting the supervisory authority (DPA) before data processing : Yes

Mandatory appointment of a DPO : Yes

Requirement of professional/legal qualification/expert knowledge for DPO : Yes

Clear DPO role specification : Yes

Group appointments: a group of undertakings to appoint a single DPO : Yes