Data Protection in France

Registration in France

EU regulation

There are no EU-wide systems of registration or notification and Recital 89 of the GDPR seeks to prohibit indiscriminate general notification obligations. However, Member States may impose notification obligations for specific activities (e.g. processing of personal data relating to criminal convictions and offences). The requirement to consult the supervisory authority in certain cases following a data protection impact assessment (Article 36) constitutes a notification requirement. In addition, each controller or processor must communicate the details of its data protection officer (where it is required to appoint one) to its supervisory authority (Article 37(7)).

In many ways, external accountability to supervisory authorities via registration or notification is superseded in the GDPR by rigorous demands for internal accountability. In particular, controllers and processors are required to complete and maintain comprehensive records of their data processing activities (Article 30), which must contain specific details about personal data processing carried out within an organisation and must be provided to supervisory authorities on request. This is a sizeable operational undertaking.


France regulation

Prior formalities with the CNIL are no longer required. They are replaced by the obligation to hold a record of processing activities, which includes the same categories of information as those requested in the filing forms used before the GDPR.

However, formalities are maintained for the processing of data in the health sector, which is subject either to a declaration of conformity to specific requirements defined by the CNIL or to an authorization by the CNIL. In this respect, the CNIL has issued eight (8) reference methodologies ("Méthodologies de référence" or "MR") for various types of research in the health sector. A formal commitment to comply with these methodologies exempts the data controller – generally the sponsor of the research – from having to apply for a formal authorization from the CNIL.

Certain specific processing of personal data must be authorized by decree of the State Council (Conseil d’Etat) or by ministerial order, taken after a reasoned and public opinion of the CNIL. These processing operations are as follows:

  • Processing of the social security number (with a few exceptions);
  • Processing carried out by or on behalf of the State, acting in the exercise of its public authority prerogatives, of genetic or biometric data necessary to the authentication or identity control of individuals;
  • Processing carried out on behalf of the State (i) which concerns State security, defense, national security, or (ii) whose purpose is the prevention, investigation, detection or prosecution of criminal offences, or the enforcement of criminal convictions or security measures.
