Data Protection in France

National data protection authority in France

EU regulation

Enforcement of the GDPR is the prerogative of data protection regulators, known as supervisory authorities (for example, the CNIL in France or the ICO in the UK). The European Data Protection Board (the replacement for the so-called Article 29 Working Party) comprises delegates from the supervisory authorities and monitors the application of the GDPR across the EU, issuing guidelines to encourage consistent interpretation of the Regulation.

The GDPR creates the concept of "lead supervisory authority". Where there is cross-border processing of personal data (i.e. processing taking place in establishments of a controller or processor in multiple Member States, or taking place in a single establishment of a controller or processor but affecting data subjects in multiple Member States), then the starting point for enforcement is that controllers and processors are regulated by and answer to the supervisory authority for their main or single establishment, the so-called "lead supervisory authority" (Article 56(1)).

However, the lead supervisory authority is required to cooperate with all other "concerned" authorities, and a supervisory authority in another Member State may enforce where infringements occur on its territory or substantially affect data subjects only in its territory (Article 56(2)).

The concept of lead supervisory authority is therefore of somewhat limited help to multinationals.


France regulation

The « Commission Nationale de l’Informatique et des Libertés » or « CNIL » is the French supervisory authority.

Address

3 place de Fontenoy
TSA 80175
75334 Paris Cedex 07

Telephone

01 53 73 22 22

Website

cnil.fr

The CNIL has different missions and powers, which mainly include:

  1. informing data subjects and data controllers / processors (whether public or private) about their rights and obligations;
  2. ensuring compliance of all personal data processing with French and EU data protection rules as well as data protection rules resulting from international commitments of France;
  3. anticipating new challenges and issues arising from innovation and the use of new technologies, including privacy in general and ethics;
  4. controlling and sanctioning.

In addition, the Law provides for mutual assistance and joint operations with other EU Supervisory Authorities, as well as cooperation with non-EU supervisory authorities.

The CNIL has a range of tools to carry out its missions, including, for example, publication of reference frameworks created after consultation with the stakeholders or sectors concerned, among which are standard regulations (which are mandatory in respect of processing of biometric, genetic, health or criminal convictions and offences data), reference methodologies in the health sector, guidelines, recommendations and standards, approval of codes of conduct and certifications, and a broad range of on-site and off-site investigation powers and sanctions. The Law further specifies the functioning of the CNIL and its specific tasks and powers, notably the extent of on-site investigations and procedural requirements, in connection with the missions described above.
