Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.
Collection and storage of data
Collection and management
In what circumstances can personal data be collected, stored and processed?
Personal data collection, storage and processing must follow a set of cumulative rules.
First, the collection and processing must be fair and lawful. This obligation is assessed by judges and implies that the data controller must inform data subjects of the processing to which their data is subject.
Processing operations must also serve a precise, explicit and legitimate purpose. Data controllers must submit justification of the purpose of the processing to the national authority for data control (CNIL) before engaging in such operations. Data collection, use, storage and processing are lawful only insofar as they fall within the declared purpose of the processing; this obligation is strictly interpreted by judges.
The gathered data must be adequate, relevant and not excessive in relation to the declared purpose of the processing. The processed data must also be exact, complete and up to date.
The duration of data storage must be limited in accordance with the purpose of the processing. In most cases data collection requires the consent of the data subject.
Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?
The gathered data must be kept only for a duration that accords with the purpose of its processing. Once the objective of the data collection has been met, the data must be deleted.
However, specific data can and must sometimes be archived, according to relevant legal obligations (eg, a lessor of social housing must keep records of tenants in case of a confidential ministerial investigation) or where the data still holds an interest (eg, if it can be used to meet an obligation or prevent a legal dispute). It can then be stored only for as long as this interest still exists. There is no storage time limit if the data holds a historical, scientific or statistical interest.
The time limit for data storage also varies according to the type of data that is to be stored. For example, cookies can be actively held for 13 months only. As another example, within the European Union internet service providers and web hosts must keep users’ personal information for one year for potential police or judicial investigation needs.
Do individuals have a right to access personal information about them that is held by an organisation?
Individuals have a right to access personal data about them that is held, stored or in any other way processed by a natural or legal person. The data controller must provide direct, free access to the data for the individual. However, certain data – such as data processed by a public entity that holds a national interest (eg, data that is important for the conduct of a confidential police investigation) – can be accessed indirectly through the CNIL.
Do individuals have a right to request deletion of their data?
Individuals have a right to oppose the processing of their data for legitimate, decisive reasons.
Individuals also have the right to demand deletion of their data if it is inaccurate, incomplete, obsolete, ambiguous or unlawfully used, transferred or stored. This also applies when the data storage period is excessive in relation to the declared purpose of the processing.
Deletion is not necessarily guaranteed. Depending on the purpose of the processing, certain relevant data may be preserved.
Is consent required before processing personal data?
Before processing personal data, the data controller must obtain the individual’s explicit, free, specific and informed consent.
If consent is not provided, are there other circumstances in which data processing is permitted?
Consent to personal data processing is not required in five cases. The data controller must prove that it fulfils all requirements for one of these cases. In particular, there is no need for consent if:
- the data controller processes data in order to respect a legal obligation;
- the data processing is necessary in order to protect the data subject’s life;
- the data processing is necessary in order to accomplish a mission of public interest;
- the data processing is necessary in order to sign or fulfil a contract; or
- the data processing serves a legitimate interest that does not harm the data subject’s own personal interests or rights.
What information must be provided to individuals when personal data is collected?
Upon data collection, the individual must be given information about:
- the identity of the data controller and its subcontractors (if they participate in the processing);
- the purpose of the processing;
- any obligation of the individual to respond and the consequences of failure to respond;
- the recipients or categories of recipient of the collected data;
- the individual’s rights concerning his or her data (regarding access, opposition, correction and deletion); and
- if the data will be transferred internationally, the conditions of the transfer, the country to which it will be transferred, the level of data protection, the purpose of the transfer and the recipient of the data.
Data transfer and third parties
Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?
French legislation (and therefore EU legislation as well) is considered to set the standard for the required level of personal data protection. Thus, cross-border personal data transfers are normally possible only if the data is transferred to a state that provides a level of protection comparable to that of France.
However, there are exceptions to this general rule. The national authority for data control (CNIL) can officially recognise which states offer satisfactory data protection and can negotiate with such states regarding the rules applicable to cross-border transfers (EU member states are by default considered as having a sufficient level of data protection; the CNIL usually follows the European Commission’s recognition of foreign states’ level of data protection). Once an agreement is concluded, it can become a framework for both parties to provide a satisfactory protection level.
Otherwise, the European Commission issues standard contractual clauses that, once signed between a private personal data issuer and receiver, ensure compliance with data protection rules. Within an international corporation or group based in multiple states with differing privacy rules, binding corporate rules can be implemented to guarantee compliant cross-border data transfers.
Personal data can also be transferred to states that do not provide a sufficient level of data protection if one of the following conditions is met:
The data subject has expressly agreed to the transfer (however, the CNIL does not accept this condition as being fulfilled if the consent is given for repeated or structural data transfers);
The transfer is necessary in order to:
- save a human life;
- serve a public interest;
- establish the existence of, defend or exercise a legal claim;
- consult a public registry;
- sign or fulfil a contract between the data subject and the data controller; or
- sign or fulfil a contract between the data controller and a third party acting in the data subject’s interest; or
The transfer has been specifically authorised by the CNIL or by decree of the Council of State.
Are there restrictions on the geographic transfer of data?
Personal data can be transferred only to states that provide a satisfactory level of data protection or to other countries under the procedures detailed above.
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?
The transfer of data from a data controller to a subcontractor for processing must be contractually arranged and set the same security and confidentiality obligations for the receiver as for the data controller itself. The EU General Data Protection Regulation should also create many possibilities for the subcontractor to inherit most – if not all – of the data controller’s obligations, should its role exceed that of a simple performer for the data controller.
Click here to view the full article.