GDPR in France – Decree n°2019-536 (May 29, 2019) implementing the French Data Protection Act
This Decree finally ends the process of adapting national law to the GDPR: with its publication, the entire new legal framework came into force. The French Data Protection Act (or the « FDPA ») and its implementing Decree n°2019-536 now allow individuals and organizations handling data to more clearly understand their rights and obligations with regard to the protection of personal data.
Other national laws:
– Act n°78-17 (January 6, 1978) « relative à l’informatique, aux fichiers et aux libertés » (the French Data Protection Act or the « FDPA »)
– Act n°2004-575 (June 21, 2004) on Confidence for the digital economy
– Act n°2018-493 (June 20, 2018) amending the FDPA (according to GDPR) and its implementing Decree (August 1, 2018)
General Note on Application and Territorial Scope of the FDPA (Article 3 of FDPA)
The FDPA shall apply:
- for processing of personal data carried out by the data controller or the processor in the context of the activities of its establishment in France, even if the processing itself does not take place in France;
- for data subjects residing in France even if the relevant data controller is not established in France;
provided, however, that if the processing of the data subject’s personal data is carried out for journalistic purposes, or for the purpose of academic, artistic, or literary expression, then the applicable rules will be those of the laws of the European country where the data controller is established.
Age of Consent for Processing Children’s Data (Article 45 of FDPA)
Children may consent to the processing of their data at 15 years of age or older.
Processing Special Categories of Data (Articles 4, 5 and 6 of FDPA for principles and definitions – Article 44 of FDPA)
Processing of Special Categories of Data (as defined under GDPR) is prohibited, except in the following circumstances:
- with the data subject’s express consent (unless the law provides that the data subject’s consent is insufficient for lifting the prohibition);
- to protect human life, where the data subject cannot consent because of legal incapacity or material impossibility;
- processing is carried out by an association or other non-profit organization of a religious, philosophical, political, or trade union nature, provided that the data relates to the purpose of the organization and concerns only its members (or persons who have regular contact), and the data is not communicated to third parties without the data subjects’ express consent;
- the processing relates to data made public by the data subject;
- the processing is necessary to establish, exercise, or defend a legal claim;
- the processing is necessary for purposes of preventative medicine, medical diagnosis, administration of care or treatment, or management of health services, and is carried out by members of a health profession or others bound by the obligation of professional secrecy under Article 226-13 of the Criminal Code;
- statistical processing carried out by the National Institute of Statistics and Economic Studies or one of the ministerial statistical offices in accordance with Act No. 51-711 of 7 June 1951 on statistical obligation, coordination and confidentiality, after consulting the National Council for Statistical Information;
- processing involves health data justified by the public interest and in accordance with the provisions of Chapter 3 Section III of the FDPA;
- processing is in accordance with standard regulations set forth in (c) of (2°) of (I) of FDPA Article 8, implemented by employers or administrations concerning biometric data strictly necessary for the control of access to the workplace and to equipment and applications used by employees, agents, trainees or service providers;
- processing relates to the reuse of public information contained in the judgments and decisions referred to in Article L. 10 of the Code of Administrative Justice and Article L. 111-13 of the Code of Judicial Organization respectively, provided such processing has neither the purpose nor the effect of reidentifying the persons concerned;
- processing is necessary for public research within the meaning of Article L. 112-1 of the Research Code, carried out under the conditions provided for in Article 9 (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, after a reasoned opinion has been delivered and published by the French Data Protection Authority in accordance with the procedures laid down in Article 34 of the FDPA;
- the data is promptly subject to a process of anonymization in accordance with a method approved by the French Data Protection Authority;
- processing, whether automated or not, is justified by the public interest and authorized under the conditions set forth in Article 31 (II) and Article 32 of the FDPA.
Processing Personal Data Relating to Criminal Convictions and Offenses (Articles 46 and 47 of FDPA)
Processing of personal data relating to criminal convictions and offenses may only be carried out by:
- courts, public authorities, and legal persons managing a public service and acting within the scope of their legal powers, as well as legal persons governed by private law who collaborate in the public service of justice and belonging to categories the list of which is determined by decree of the “Conseil d’Etat”, taken after reasoned opinion and published by the French Data Protection Authority, to the extent strictly necessary for their missions;
- auxiliaries of justice, for the strict needs of the exercise of the missions entrusted to them by law;
- natural or legal persons, for the purpose of enabling them to prepare and, where appropriate, to initiate and follow legal proceedings as victims, defendants, or on their behalf, and to enforce the decision rendered, for a period strictly proportionate to these purposes. Communication to a third party is then only possible under the same conditions and to the extent strictly necessary for the pursuit of these same purposes;
- legal persons mentioned in Articles L. 321-1 and L. 331-1 of the Intellectual Property Code, acting in respect of the rights they manage or on behalf of the victims of infringements of the rights provided for in books I, II, and III of the same Code for the purpose of defending these rights;
- the re-users of public information contained in the judgments referred to in Article L.10 of the Code of Administrative Justice and the decisions referred to in Article L. 111-13 of the Code of Judicial Organization, provided that the processing carried out has neither the purpose nor the effect of allowing the re-identification of the persons concerned.
Exemptions and Restrictions to Certain Data Subject Rights (FDPA Articles 78 and 102)
- Certain data subject rights (such as the rights to access, rectification, restriction, and objection) may be restricted where data processing is for archival purposes in the public interest, for scientific or historical research, or for statistical purposes, and such data subject rights would render impossible or seriously hinder the achievement of those purposes (FDPA Article 78).
- Certain exemptions to the obligation to inform data subjects of breaches will be (but have not yet been) adopted by decree for circumstances under which the notification of the breach is determined likely to represent a risk to national security, national defense, or public security (FDPA Article 102).
Privacy Impact Assessments (FDPA Article 90)
Controllers must conduct a privacy impact assessment if data processing is likely to involve a high risk to the rights and freedoms of natural persons, in particular, when it relates to special categories of data under FDPA Article 6 (I). Additional requirements exist where the processing is carried out on behalf of the State.
Processing of National Identification Numbers (FDPA Article 30)
National registration numbers may only be processed in certain circumstances, including, but not limited to, processing by the French administration to offer specific services, or for limited purposes for public statistics (where data does not include sensitive categories or criminal conviction data), or scientific or historical research. Other exceptions or restrictions may apply.