All questions

Data protection

i Requirements for registration

A major change brought about by the GDPR is that, for most of the processing, data controllers no longer have to file declarations or authorisations with the CNIL. In return, the responsibilities of the employers are strengthened; they are now accountable for proving that they comply with the requirements of the applicable regulations (e.g., notification of data breaches to the data privacy agency, implementation of internal policies and appointment of a data protection officer).

The staff representatives are consulted before the implementation or modification of certain automated processing. The employees are individually informed of the purpose of the procedure, the recipient of the data, the length of time for which the files will be kept and the rights attached to setting up such processing (right of access, rectification, to data portability, to object). Employers must take all useful precautions to maintain the security of the data and, in particular, prevent unauthorised third parties from gaining access thereto.

Processing personal data without complying with the above formalities is punishable by administrative sanctions by the CNIL and criminal sanctions of up to five years' imprisonment and a fine of €300,000, or €1.5 million if the offender is a company. The GDPR creates significant fines if it is breached (up to €20 million or 4 per cent of the undertaking's total annual worldwide turnover).

A law dated 6 January 1978 relating to computers, files and freedoms was aligned with the GDPR by a new amendment, adopted by Parliament on 14 May 2018. The French government announced that an ordinance – which will focus on rewriting the entirety of the above-mentioned law in order to simplify the text, include formal corrections, and promote consistency with the implementation of the GDPR – will be adopted next year.

ii Cross-border data transfers

Data transfers within the European Union are subject to the same conditions as the national process.

If the personal data processed is transferred outside the European Union, the employer must state this on the declaration or request for authorisation.

The country of destination of the data must be recognised by way of a decision of the European Commission as offering a sufficient level of protection. This is the case, for example for Argentina, Canada, Israel, Uruguay and Switzerland.

If the country to which the data is transferred does not offer such a level of protection, the employer must mention in its declaration either (1) the standard contract clauses adopted by the European Commission and signed by the entity importing and exporting data; or (2) the binding corporate rules (BCR) that constitute an intra-group code of conduct for transfers of personal data.

The CNIL now proposes to issue a single authorisation decision to each group that has implemented BCRs. The group's affiliates that are data controllers and bound by the BCRs will then need to submit only a simplified registration for all their data transfers outside the European Union, based on the group's BCRs. The affiliates do not need to obtain the CNIL's prior authorisation for each data transfer. It was previously possible for companies based in the United States to transfer the data when the company was compliant with Safe Harbour principles. However, the European Supreme Court decided that the Safe Harbour system does not ensure an adequate level of protection of personal data, so this mechanism was made invalid. As a consequence, companies cannot use this system to transfer their data any more.

Employees whose data is transferred must be informed of the transfer and have a right of access and rectification, as well as the right to object to the transfer of the data pertaining to them. Their consent is, however, not required. All onward transfers must guarantee the same level of protection as the original transfer.

These elements have changed since the GDPR came into effect on 25 May 2018. The GDPR notably allows data transfers to countries identified by the European Commission located outside the European Union when they ensure an adequate level of protection.

In the absence of a decision from the European Commission, data can also be transferred to a country located outside the European Union when the company is covered by binding corporate rules or a code of conduct complying with GDPR principles.

iii Sensitive data

Data that discloses information on the racial origins, political, philosophical or religious opinions, trade union membership, health or sex life of the employee is regarded as sensitive data of which the processing is prohibited.

It is possible to derogate on an exceptional basis from this prohibition where the processing concerns data that the employee in question has himself or herself made public, where such processing is necessary to safeguard human life or for the recording, exercise or defence of a right before the courts.

iv Background checks

The employer may ask the candidate for various information and for a certain number of documents. However, the information requested must be used solely for the purpose of assessing his or her ability to perform the job and it must have a direct and necessary connection with such post.

An employer should never seek information on the state of health of the employee or his or her credit report, as such practices could be held to be discriminatory. However, a criminal record extract may be presented during the recruitment procedure if the job in question could make such a requirement legitimate, for example if it involves handling funds.