Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Both French law and the EU Data Protection Regulation state that the data controller and the processor must ensure that the processing and the storage of personal data are carried out in a secure and confidential manner. This includes the obligation not to let any unauthorised person or body access the data. Certain authorities (eg, judges or administrative agents in specific cases) are considered to be authorised by law, as well as any person under the direct authority of the data controller or its subcontractors.

As for actual security measures, the Commission National Informatique et Liberté (CNIL) (the French data protection authority) requires data controllers to undertake systematic risk assessments before processing data and maintain scrutiny over the stability and efficiency of their security systems. 

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

If electronic communication service providers (eg, internet service providers) suffer a personal data breach – which includes deliberate security breaches by third parties and accidental loss or corruption of data – they must inform the individuals whose personal data or privacy could be violated without unnecessary delay, unless the CNIL determines that the security measures taken by the target of the data breach are satisfactory, in which case the communication service provider is not required to inform individuals.

Are data owners/processors required to notify the regulator in the event of a breach?

If an electronic communication service provider suffers a personal data breach – regardless of whether it threatens a specific individual’s rights – the CNIL must be informed within 24 hours of discovery of the breach. This notification must include a precise description of the extent and nature of the breach, along with the measures taken or suggested by the data controller in order to remedy the breach and limit subsequent damage. 

Click here to view the full article.