GDPR
I. Introduction
On June 20, 2018, France adopted Law No. 2018-493 on the protection of personal data, implementing the General Data Protection Regulation (GDPR). This law revises and consolidates the 1978 law on data protection.
The National Commission for Information Technology and Civil Liberties (CNIL), as the national supervisory authority, is responsible for overseeing, guiding, and enforcing the GDPR and its implementing regulations in France.
Thus, France has established a personal data protection system that complies with European Union requirements.
II. Scope
The regulations implementing the GDPR in France apply to:
any data controller or subcontractor established in French territory;
any organization located outside of France offering goods or services to people located in France, or monitoring their behavior on French territory.
Regardless of where the processing takes place, as long as it concerns the personal data of individuals located in France, the law applies.
It covers both automated and non-automated processing that is part of a file system.
Activities of an exclusively personal or domestic nature are not covered by its scope.
III. Principles of Data Processing
Lawfulness, fairness and transparency: all processing must be based on a clear legal basis and be carried out in complete transparency.
Limitation of purposes: data can only be used for specific and legitimate purposes.
Data minimization: only strictly necessary data should be collected.
Accuracy: the data must be accurate and updated regularly.
Limitation of retention: data should only be kept for the period strictly necessary, then deleted or anonymized.
Security and confidentiality: appropriate technical and organizational measures must be put in place to prevent any breach, alteration or loss of data.
IV. Rights of the persons concerned
In accordance with the GDPR and French law, individuals have the following rights:
Right to information and access;
Right of rectification;
Right to erasure (right to be forgotten);
Right to restriction of processing;
Right to data portability;
Right to object.
For minors under 15 years of age, the processing of their data requires the consent of a parent or legal guardian, and the information must be provided to them in clear and understandable language.
V. Obligations of subcontractors
Subcontractors must:
strictly comply with the written instructions of the data controller;
implement appropriate security measures;
assist the data controller in the performance of its obligations, in particular to respond to requests from data subjects;
notify the data controller without delay in the event of a data breach, who must then inform the CNIL within 72 hours.
Data controllers must maintain a record of processing activities and conduct a data protection impact assessment (DPIA) if there is a high risk.
Some organizations must also appoint a data protection officer (DPO) and register with the CNIL (French Data Protection Authority).
VI. International Data Transfers
When a transfer to a non-EU country is envisaged, the data controller must guarantee an adequate level of protection. This can be achieved by:
an adequacy decision by the European Commission;
or the signing of standard contractual clauses (SCC).
Since the invalidation of the "Privacy Shield" on July 16, 2020, French companies must use the new standard contractual clauses adopted on June 4, 2021 or any other legal mechanism.
VII. Control and Implementation
The CNIL has extensive powers, including:
drafting warnings or formal notices;
the limitation or prohibition of certain treatments;
the imposition of fines of up to 20 million euros or 4% of global turnover, whichever is higher.
French law also allows individuals to give instructions regarding the use of their data after their death. Otherwise, the processing must comply with applicable regulations.
The French framework for implementing the GDPR aims to guarantee the rights of individuals, strengthen business compliance, and promote trust in the digital environment.
VIII. Contact
Store name: La Brusse Emmanue
Email: info@labrusseemmanue.com
Customer service number: +33 1 42 08 62 62
Address: 26 Boulevard Magenta 75010 Paris France
Opening hours: Monday to Saturday, 9:00 AM to 6:00 PM (CET)