Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Personal data collection, storage and processing must follow a set of cumulative rules.

First, the collection and processing must be fair, lawful and conducted in a transparent manner. This obligation is assessed by judges and implies that the data controller must inform data subjects of the processing to which their data is subject.

Processing operations must also serve a specified, explicit and legitimate purpose. Data controllers must submit justification of the purpose of the processing to the Commission National Informatique et Liberté (CNIL) (the French data protection authority) before engaging in such operations. Data collection, use, storage and processing are lawful only insofar as they fall within the declared purpose of the processing; this obligation is strictly interpreted by judges.

The gathered data must be adequate, relevant and not excessive in relation to the declared purpose of the processing. The processed data must also be exact, complete and up to date.

The duration of data storage must be limited in accordance with the purpose of the processing. In most cases data collection requires the consent of the data subject.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The gathered data must be kept only for a duration that is in line with the purpose of its processing. Once the objective of the data collection has been met, the data must be deleted.

However, specific categories of data can and must sometimes be archived, according to relevant legal obligations (eg, a lessor of social housing must keep records of tenants in case of a confidential ministerial investigation) or where the data still holds an interest (eg, if it can be used to meet an obligation or prevent a legal dispute). It can then be stored only for as long as this interest still exists. There is no storage time limit if the data holds a historical, scientific or statistical interest.

The time limit for data storage also varies according to the type of data that is to be stored. For example, cookies can be actively held for 13 months only. As another example, within the European Union internet service providers and web hosts must keep users’ personal information for one year for potential police or judicial investigation needs.

Do individuals have a right to access personal information about them that is held by an organisation?

Individuals have a right to access personal data about them that is held, stored or in any other way processed by a natural or legal person. The data controller must provide direct, free access to the individual’s data on such request. However, certain data – such as data processed by a public entity that holds a national interest (eg, sensitive national security data regarding a data subject which may be used for the conduct of a secret police investigation) – can be accessed indirectly through the CNIL. 

Do individuals have a right to request deletion of their data?

Individuals have a right to oppose and request the deletion of their data for legitimate and decisive reasons.

Individuals also have the right to demand deletion of their data if it is inaccurate, incomplete, obsolete, ambiguous or unlawfully used, transferred or stored. This also applies when the data storage period is excessive in relation to the declared purpose of the processing.

Deletion is not necessarily guaranteed. Depending on the purpose of the processing, certain relevant data may be preserved.

Consent obligations

Is consent required before processing personal data?

Before processing personal data, the data controller must obtain the individual’s explicit, free, specific and informed consent.

If consent is not provided, are there other circumstances in which data processing is permitted?

Consent to personal data processing is not required in five cases. The data controller must prove that it fulfils several requirements. In particular, there is no need for consent if:

  • the data controller processes data in order to respect a legal obligation;
  • the data processing is necessary in order to protect the data subject’s life;
  • the data processing is necessary in order to accomplish a mission of public interest;
  • the data processing is necessary in order to sign or fulfil a contract; or
  • the data processing serves a legitimate interest that does not harm the data subject’s own personal interests or rights.

What information must be provided to individuals when personal data is collected?

Upon data collection, the individual must be given information about:

  • the identity of the data controller and its processor (if they participate in the processing);
  • the purpose of the processing;
  • any obligation of the individual to respond and the consequences of failure to respond;
  • the recipients or categories of recipient of the collected data;
  • the individual’s rights concerning his or her data (regarding access, opposition, correction and deletion); and
  • in case of cross border transfer, the conditions of the transfer, the country to which it will be transferred, the level of data protection, the purpose of the transfer and the recipient of the data.

Click here to view the full article.