Data Protection in France

Collection and processing in France

EU regulation

Data protection principles

Controllers are responsible for compliance with a set of core principles which apply to all processing of personal data. Under these principles, personal data must be (Article 5):

  • processed lawfully, fairly and in a transparent manner (the "lawfulness, fairness and transparency principle");
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (the "purpose limitation principle");
  • adequate, relevant and limited to what is necessary in relation to the purpose(s) (the "data minimization principle");
  • accurate and where necessary kept up-to-date (the "accuracy principle");
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purpose(s) for which the data are processed (the "storage limitation principle"); and
  • processed in a manner that ensures appropriate security of the personal data, using appropriate technical and organizational measures (the "integrity and confidentiality principle").

The controller is responsible for and must be able to demonstrate compliance with the above principles (the "accountability principle"). Accountability is a core theme of the GDPR. Organizations must not only comply with the GDPR but also be able to demonstrate compliance perhaps years after a particular decision relating to processing personal data was taken. Record-keeping, audit and appropriate governance will all form a key role in achieving accountability.

Legal basis under article 6

In addition, in order to satisfy the lawfulness principle, each use of personal data must be justified by reference to an appropriate basis for processing. The legal bases (also known lawful bases or lawful grounds) under which personal data may be processed are (Article 6(1)):

  • with the consent of the data subject (where consent must be "freely given, specific, informed and unambiguous", and must be capable of being withdrawn at any time);
  • where necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract;
  • where necessary to comply with a legal obligation (of the EU) to which the controller is subject;
  • where necessary to protect the vital interests of the data subject or another person (generally recognized as being limited to 'life or death' scenarios, such as medical emergencies);
  • where necessary for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller; or
  • where necessary for the purposes of the legitimate interests of the controller or a third party (which is subject to a balancing test, in which the interests of the controller must not override the interests or fundamental rights and freedoms of the data subject. Note also that this basis cannot be relied upon by a public authority in the performance of its tasks).

Special category data

Processing of special category data is prohibited (Article 9), except where one of the following exemptions applies (which, in effect, operate as secondary bases which must be established for the lawful processing of special category data, in addition to an Article 6 legal basis):

  • with the explicit consent of the data subject;
  • where necessary for the purposes of carrying out obligations and exercising rights under employment, social security and social protection law or a collective agreement;
  • where necessary to protect the vital interests of the data subject or another natural person who is physically or legally incapable of giving consent;
  • in limited circumstances by certain not-for-profit bodies;
  • where processing relates to the personal data which are manifestly made public by the data subject;
  • where processing is necessary for the establishment, exercise or defense of legal claims or where courts are acting in their legal capacity;
  • where necessary for reasons of substantial public interest on the basis of Union or Member State law, proportionate to the aim pursued and with appropriate safeguards;
  • where necessary for preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, provision of health or social care or treatment of the management of health or social care systems and services;
  • where necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of health care and of medical products and devices; or
  • where necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with restrictions set out in Article 89(1).

Member States are permitted to introduce domestic laws including further conditions and limitations for processing with regard to processing genetic data, biometric data and health data.

Criminal convictions and offences data

Processing of personal data relating to criminal convictions and offences is prohibited unless carried out under the control of an official public authority, or specifically authorized by Member State domestic law (Article 10).

Processing for a secondary purpose

Increasingly, organizations wish to 're-purpose' personal data - i.e. use data collected for one purpose for a new purpose which was not disclosed to the data subject at the time the data were first collected. This is potentially in conflict with the core principle of purpose limitation; to ensure that the rights of data subjects are protected. The GDPR sets out a series of factors that the controller must consider to ascertain whether the new process is compatible with the purposes for which the personal data were initially collected (Article 6(4)). These include:

  • any link between the original purpose and the new purpose
  • the context in which the data have been collected
  • the nature of the personal data, in particular whether special categories of data or data relating to criminal convictions are processed (with the inference being that if they are it will be much harder to form the view that a new purpose is compatible)
  • the possible consequences of the new processing for the data subjects
  • the existence of appropriate safeguards, which may include encryption or pseudonymisation.

If the controller concludes that the new purpose is incompatible with the original purpose, then the only bases to justify the new purpose are consent or a legal obligation (more specifically an EU or Member State law which constitutes a necessary and proportionate measure in a democratic society).

Transparency (privacy notices)

The GDPR places considerable emphasis on transparency, i.e. the right for a data subject to understand how and why his or her data are used, and what other rights are available to data subjects to control processing. The presentation of granular, yet easily accessible, privacy notices should, therefore, be seen as a cornerstone of GDPR compliance.

Various information must be provided by controllers to data subjects in a concise, transparent and easily accessible form, using clear and plain language (Article 12(1)).

The following information must be provided (Article 13) at the time the data are obtained: 

  • the identity and contact details of the controller;
  • the data protection officer's contact details (if there is one);
  • both the purpose for which data will be processed and the legal basis for processing, including, if relevant, the legitimate interests for processing;
  • the recipients or categories of recipients of the personal data;
  • details of international transfers;
  • the period for which personal data will be stored or, if that is not possible, the criteria used to determine this;
  • the existence of rights of the data subject including the right to access, rectify, require erasure, restrict processing, object to processing and data portability;
  • where applicable, the right to withdraw consent, and the right to complain to supervisory authorities;
  • the consequences of failing to provide data necessary to enter into a contract;
  • the existence of any automated decision making and profiling and the consequences for the data subject; and
  • in addition, where a controller wishes to process existing data for a new purpose, they must inform data subjects of that further processing, providing the above information.

Somewhat different requirements apply (Article 14) where information has not been obtained from the data subject.

Rights of the data subject

Data subjects enjoy a range of rights to control the processing of their personal data, some of which are very broadly applicable, whilst others only apply in quite limited circumstances. Controllers must provide information on action taken in response to requests within one calendar month as a default, with a limited right for the controller to extend this period thereby a further two months where the request is onerous.

Right of access (Article 15)

A data subject is entitled to request access to and obtain a copy of his or her personal data, together with prescribed information about the how the data have been used by the controller.

Right to rectify (Article 16)

Data subjects may require inaccurate or incomplete personal data to be corrected or completed without undue delay.

Right to erasure ('right to be forgotten') (Article 17)

Data subjects may request erasure of their personal data. The forerunner of this right made headlines in 2014 when Europe’s highest court ruled against Google (Judgment of the CJEU in Case C-131/12), in effect requiring Google to remove search results relating to historic proceedings against a Spanish national for an unpaid debt on the basis that Google as a data controller of the search results had no legal basis to process that information.

The right is not absolute; it only arises in quite a narrow set of circumstances, notably where the controller no longer needs the data for the purposes for which they were collected or otherwise lawfully processed, or as a corollary of the successful exercise of the objection right, or of the withdrawal of consent.

Right to restriction of processing (Article 18)

Data subjects enjoy a right to restrict processing of their personal data in defined circumstances. These include where the accuracy of the data is contested; where the processing is unlawful; where the data are no longer needed save for legal claims of the data subject, or where the legitimate grounds for processing by the controller are contested.

Right to data portability (Article 20)

Where the processing of personal data is justified either on the basis that the data subject has given his or her consent to processing or where processing is necessary for the performance of a contract, then the data subject has the right to receive or have transmitted to another controller all personal data concerning him or her in a structured, commonly used and machine-readable format (e.g. commonly used file formats recognized by mainstream software applications, such as .xsl).

Right to object (Article 21)

Data subjects have the right to object to processing on the legal basis of the legitimate interests of the data controller or where processing is in the public interest. Controllers will then have to suspend processing of the data until such time as they demonstrate “compelling legitimate grounds” for processing which override the rights of the data subject.

In addition, data subjects enjoy an unconditional right to object to the processing of personal data for direct marketing purposes at any time. 

The right not to be subject to automated decision making, including profiling (Article 22)

Automated decision making (including profiling) "which produces legal effects concerning [the data subject] … or similarly significantly affects him or her" is only permitted where: 

  1. necessary for entering into or performing a contract;
  2. authorized by EU or Member State law; or 
  3. the data subject has given their explicit (i.e. opt-in) consent.

Further, where significant automated decisions are taken on the basis of grounds (a) or (c), the data subject has the right to obtain human intervention, to contest the decision, and to express his or her point of view.


France regulation

Special category data

The Law contains specific provisions regarding the processing of special categories of personal data, in particular regarding the processing of health data (eg. see above regarding authorization requirements).

Criminal convictions and offences data

The following categories of persons can process such personal data:

  • Courts, public authorities and legal persons entrusted with a public service, acting within the scope of their legal functions, as well as entities collaborating with judicial entities as listed in the Decree;

  • Auxiliaries of justice, for the strict exercise of their functions;

  • Individuals and private entities to prepare, bring or defend a claim in court as a victim or defendant, and to execute the court decision, for the duration strictly necessary for these purposes. It is possible to share such information with third parties under the same conditions and for the same purposes;

  • Collective IP rights management organizations for the purpose of defending those rights; and

  • Persons reusing public information appearing in published rulings, provided that the processing has neither the purpose or effect of allowing the re-identification of the concerned persons.

In addition, the following categories of persons are authorized by the Decree to process personal data relating to criminal convictions, offenses or related security measures:

  • Victims support associations contracted by the Ministry of Justice;

  • Associations of assistance to the reintegration of persons placed under the authority of justice, in the respect of their social object;

  • The establishments mentioned in 2 ° of I of Article L. 312-1 of the Code of Social Action and Families as part of their mission of medico-social support;

  • The establishments and services mentioned in 4 ° and 14 ° of I of Article L. 312-1 of the Code of Social Action and Families;

  • The drop-in and reception centers mentioned in III of Article L. 312-1 of the Code of Social Action and Families; The medical or medico-educational establishments authorized mentioned in articles 15 and 16 of the order No. 45-174 of  2 February 1945 relating to delinquent childhood;

  • The public or private educational or vocational training institutions, authorized and appropriate boarding schools for juvenile school-aged offenders mentioned in Articles 15 and 16 of the aforementioned order of  2 February 1945;

  • Private legal entities exercising a public service mission or the authorized associations mentioned in Article 16 of the aforementioned order of  2 February 1945;

  • The legal representatives for the protection of the adults mentioned in Article L. 471-1 of the Code of Social Action and Families.

The CNIL may issue standard regulations, prescribe additional measures to be implemented, including of a technical and organizational nature, and / or complementary warranties for processing of special categories of data, including notably criminal convictions and offences data, by public and private entities (except for processing carried out in connection with the exercise of public authority by or on behalf of the State).

In addition, processing of criminal convictions and offences data which purpose is the prevention, investigation, detection or prosecution of criminal offences, or enforcement of criminal convictions or security measures by or on behalf of the State is subject to an order of the competent Ministry.

Transparency (privacy notices)

The Law mandates data controllers to provide data subjects with information relating to their right to define directives relating to the processing of their personal data after their death (digital legacy).

In addition, where the data is collected from a data subject under 15, the data controller must provide the mandatory information provided for by Art. 13 GDPR in a clear and easily accessible language.

French data subjects should be also provided with the information relating to the processing of their personal data in French (notably in accordance with Act no. 94-665 dated 4 August 1994 related to the use of the French language and with the CNIL’s requirements as set out in deliberation No. SAN-2023-023 of 29 December 2023). 

Rights of the data subjects

The Decree describes the conditions in which the data subjects can exercise their rights (and more precisely, the conditions to check the identity of the data subject making the request).

Data subjects’ rights can be restricted notably to avoid obstructing administrative investigations, inquiries or procedures, to safeguard the prevention, investigation, detection and prosecution of criminal offences, as well as of administrative enquiries, or to protect the rights and freedoms of others.

Right of access

In 2024, as part of a coordinated action at the EU level, the CNIL has carried out a series of investigations to ensure that the right of access was properly taken into account. Based on these investigations, the CNIL has taken repressive measures against organizations that only partially responded to these requests.

Digital legacy

Data subjects have the right to give instructions regarding the storage, deletion and communication of their personal data after their death (Articles 48 and 85 of the Law). Such instructions can be either:

  • General, in which case they apply to all their personal data, irrespective of who the controller is. Such instructions can be given to a trusted third party certified by the CNIL; however, the implementing decree in this respect has never been adopted since the adoption of this provision in 2016; or

  • Specific to one or several services, in which case the data subject can also give his / her instructions to the relevant data controller. It is required to obtain the specific consent of the data subject, and such consent cannot derive from his / her consent to general terms and conditions.

If the data subject has not given any instructions in his / her lifetime, then his / her heirs can exercise certain rights, in particular:

  • The right of access, if it is necessary for the settlement of the succession; and

  • The right to close the deceased’s accounts and to cease the processing of his / her personal data or, request the update of the personal data of the deceased.

Back to top