Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations

Are there specific security obligations that must be complied with?

Both French law and the EU General Data Protection Regulation (GDPR) state that data controllers and data processors must ensure that the processing and storage of personal data are carried out in a secure and confidential manner. This includes the obligation not to let any unauthorised person or body access the data. Certain authorities (eg, judges or administrative agents in specific cases) are authorised by law, as well as any person under the direct authority of the data controller or its subcontractors.

As for actual security measures, the French data protection authority, the Commission Nationale Informatique et Libertés (CNIL), requires data controllers to undertake systematic risk assessments before processing data and maintain scrutiny over the stability and efficiency of their security systems. 

Moreover, the EU Directive on the Security of Network and Information Systems (NIS) came into force in France on 25 May 2018. The directive aims to raise levels of the overall security and resilience of network and information systems across the European Union. It provides the legal framework for the following:

  • To ensure that EU member states have a national framework in place so that they are equipped to manage cyber security incidents and oversee the application of the directive. This includes a national cyber security strategy, a Computer Security Incident Response Team (CSIRT) and a national NIS competent authority or authorities.
  • To set up a cooperation group among EU member states to support and facilitate strategic cooperation and the exchange of information. Member states will also need to participate in a CSIRT network to promote swift and effective operational cooperation on specific network and information system security incidents, as well as sharing information about risks.
  • To ensure that organisations within vital sectors which rely heavily on information networks (eg, utilities, healthcare, transport and digital infrastructure sectors) are identified by each EU member state as operators of essential services (OES). The OES must take appropriate and proportionate security measures to manage risks to their network and information systems, and they must notify the relevant national authority of any serious incidents. Industry participation is therefore crucial in the implementation of the directive.

Breach notification

Are data owners/processors required to notify individuals in the event of a breach?

When the personal data breach is likely to result in a high risk to the rights and freedoms of individuals, the data controller must communicate the personal data breach to the data subject without undue delay. The notification must describe in clear and plain language the nature of the personal data breach and contain (at least) this information and actions taken to repair the breach.

It is not necessary to inform the individuals involved if:

  • the data controller has implemented the appropriate technical and organisational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it (eg, encryption);
  • the data controller has taken subsequent measures which ensure that there is no longer any high risk to the rights and freedoms of data subjects; or
  • it would involve disproportionate effort, in which case there should be a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

Are data owners/processors required to notify the regulator in the event of a breach?

In the case of a personal data breach, the data controller must without undue delay and no later than 72 hours after having become aware of it, notify the breach to the supervisory authority, unless this personal data breach is unlikely to result in a risk to the rights and freedoms of individuals.

The notification must at least:

  • describe the nature of the personal data breach, including (where possible) the categories and approximate number of data subjects and records concerned;
  • communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach; and
  • describe the measures proposed or taken by the data controller to address the personal data breach, including (where appropriate) measures to mitigate its possible adverse effects.

Click here to view the full article.