High Standards Apply to Personal Data Processing

Published on July 16 2003

Personal data processing in France is supervised by the National Commission for Data Processing and Liberties. Under Law 78-17 of January 6 1978 the processing of personal data encompasses any automatic operations (i) relating to the collection, recording, development, modification, storage and destruction of personal data, or (ii) dealing with the use of files or databases and the interconnection, consultation or disclosure of personal data.

Law 78-17 states that any automated processing of personal data on behalf of parties other than the state, public establishments, territorial authorities or private legal entities managing a public service must be declared to the commission in advance.

The legislation governing data processing permits individuals to be identified (i) directly, by the use of their surname or first name, or (ii) indirectly, by identifying individuals without the use of their names (eg, by using credit card numbers, phone numbers or addresses).

Mandatory Filing

Declarations to the commission

Two kinds of declaration exist, depending on the type of data being processed. A normal declaration applies to data processing which may breach privacy rights (eg, employee databases), while a simplified declaration applies to common data processing. A simplified declaration may only be used if the data processing corresponds to one of the 40 standard processing activities defined by the commission as not infringing privacy or liberties. For instance, client files or processing of real assets management correspond to a standard activity and can benefit from the simplified declaration.

The declaration must be completed by the processing entity and responses to certain questions must be supplemented by specific exhibits. Three copies must be filed with the commission, either by registered mail with return receipt requested or by filing directly with the commission against receipt. Filing is free.

The duration of each database must be disclosed in the application and is therefore limited to the time it is necessary to hold the information. This time limit depends on the nature of the data. The personal data that is processed should also be limited to information which is necessary for the purposes for which it is being processed.

A declaration must be sent to the commission before the commencement of the operation. The commission will examine whether this declaration has been properly completed and, if so, deliver a receipt permitting the commencement of the operation. This does not prevent the commission from carrying out checks during the operation. Article 17 of Law 78-17 provides that registration does not exclude the liability of the filing company with respect to the processing of personal data.

Subsequent changes to the data processing system must be declared to the commission using a further declaration form.

Transfer to foreign countries

The transfer of data to an EU member state does not raise any specific problem. However, many countries outside the European Union, such as the United States, are considered to provide too low a standard of protection for personal data. Thus, the commission requires that the applicant describe all the measures taken to oblige the recipient to comply with the principles held in Law 78-17 and Convention 108 of the Council of Europe 1981 (to which France is a signatory).

The commission requires that an executed contract between the French and the non-EU entities be attached to this declaration, under which these entities undertake to abide by the principles of French law. In the absence of such an agreement, the commission will request additional information and will not send acknowledgement of receipt.

However, if the data transferred outside the European Union is only transferred to the United States, the execution of a data transfer agreement may be avoided if the US recipient subscribes to the safe harbour principles implemented by the US Department of Commerce (for further information please refer to the department’s website).

Additional Legal Requirements

Information

Under Law 78-17 the processing of personal data must be carried out fairly. The fair processing rules require the company, either before or at the time of obtaining the information, to:
· ensure that the data subject knows that the company has access to his or her personal data;
· inform the data subject of the purposes for which his or her personal data may be used and of any transfer of the information to a third party;
· assure the data subject that the storage of his or her personal data will be made in a secure area;
· ensure that the data subject is aware of (i) whether answers are obligatory or optional, (ii) the consequences of failure to answer, (iii) the people or companies to whom the information is given, and (iv) his or her right to access, object to, rectify and delete information.

Right of access

Under Article 34 of Law 78-17, data subjects benefit from a right of access and rectification authorizing any individual who is able to confirm his or her identity to question the person responsible for the data processing, in order to determine whether such processing involves personal data, and, if so, to obtain access to it. This right belongs exclusively to individuals.

Right of rectification

A person may require the correction, addition, clarification, updating or withdrawal of data which concerns him or her and which is inaccurate, incomplete, ambiguous or outdated. He or she may also object to the acquisition, use, disclosure or storage of his or her data.

Sensitive data

The consent of the data subject to the registration and use of the database is not required unless the personal data deals with certain sensitive information regarding, for instance, racial origin, political, philosophical and religious opinions, or membership of trade unions.

Storage of the data

Personal data must not be stored by name beyond the period authorized. The term of the storage depends upon the nature and purpose of each personal data processing operation. Law 78-17 also provides for security measures to ensure that unauthorized processing of personal data does not occur, and to protect data from any deterioration, damage or communication to any unauthorized third party.

Penalties

The person responsible for managing the data processing and complying with applicable laws is the person or entity implementing the data processing – that is, the person or entity which initiates that data processing.
Violations of Law 78-17 fall within the provisions of the Criminal Code, which provides that companies can be declared criminally liable and are punishable by fines five times greater than those applicable to individuals. Specific penalties can also apply, such as the winding-up of the company or publication of the couWith regard to civil remedies, victims can also seek damages for breach of their privacy under Article 9 of the Civil Code.

Any act which hinders the proper activities of the commission is punishable by a five-year prison term and a fine of €15,000. These acts include the following:
· preventing on-the-spot checks;
· refusing to provide agents of the commission with information and documents useful to carry out their duties;
· concealing or removing such documents; or
· communicating false or unintelligible information.

A breach of Law 78-17 could prompt an investigation by the commission, which has the power to serve the company with notice to comply with French law or, in more serious cases, to lodge a complaint in court. According to the Data Protection Directive (95/46/EC) (which came into effect on October 25 1998, but has not yet been implemented in France), the powers of the commission must be increased. The commission will thus have greater powers of investigation and penalties will be strengthened.

A draft bill of January 31 2002 has been prepared in order to implement the directive and was adopted by the Senate on April 1. This bill is before the National Assembly. We will comment on this bill in the next few days.
A.M. & C.d.C.

Alexandre Menais & Sophie des Courtis
Lawyers, Lovells

Article published with the courtesy of the International Law Office Review