Except for certain data processing that is subject to exemption, authorisation, ministerial order or decree, the processing of personal data requires a prior declaration to the CMIL.

The prior declaration to the CMIL shall specify, where relevant, inter alia:

• the identity and the address of the data controller (responsable du traitement) (i.e. the natural or legal person who either alone or jointly with other persons determines the purpose and the means of the personal data processing and implements such processing itself or appoints a data processor for that purpose);

• the purpose(s) of the processing;

• the interconnections between databases;

• the types of personal data processed, their origins and the categories of persons affected by the processing;

• the duration for which the data will be kept;

• the department or persons in charge of implementing the data processing;

• the existence of data transfer to other country;

• the measures taken in order to ensure the security of the processing;

• the use of a data processor (sous-traitant).

The CMIL has to issue its decision on any authorisation application 2 months following receipt of the application. An additional time period of 2 months can be added to this period after decision of the President of the CMIL. The absence of decision of the CMIL during these periods is considered as a refusal of the application.