FRANCE

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

Name: Projet de loi relatif à la protection des données personnelles

Status: DRAFT

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD'S CONSENT (ART 8)

No Deviation

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

ADDITIONAL/SPECIFYING REQUIREMENT: In addition to the exceptions provided by the GDPR, certain categories of processing of health data are not subject to the requirements of the French Act: (1) processing for educational purposes; (2) processing for reimbursement purposes; (3) processing carried out by doctors within conditions in specific legislation; and (4) processing carried out by regional health agencies. Processing of health data in case of medical emergency is only to a limited extent subject to conditions in the GDPR. Notwithstanding this, the principle shall be that the CNIL adopts regulations, in cooperation with the National Institute of Health, allowing the processing of health data (authorizations by the French DPA are still possible but will become the exception). Processing of health data carried out for research purposes is legitimized either upon authorization from or upon prior notification to the French DPA (Art 13 French Act) (Art 9(4) GDPR).

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

SPECIFYING REQUIREMENT: Data related to criminal convictions and related security measures can only be processed by the public bodies specifically prescribed by law (Art 11 French Act) (Art 10 GDPR).

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

ADDITIONAL REQUIREMENT: The French Act foresees that the Council of State (Conseil d’Etat) may lay down the processing operations and processing categories that are exempted from the individual notification obligation in case of a data breach, if such notification would lead to a national security risk or a risk to national defense or public security, and shall apply when the processing is carried out for a legitimate interest of the controller (Art 15 French Act) (Art 23 and 34 GDPR).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

SPECIFYING REQUIREMENT: Prior notifications of data processing operations are abolished by the French Act, but it does maintain a specific formality for processing of national identification numbers (NIR). This processing operation will be governed by legislative decree, which shall determine the categories of controllers as well as the processing purposes (Art 9 French Act) (Art 30 and 6 GDPR).

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

ADDITIONAL REQUIREMENT: The French Act foresees that the Council of State (Conseil d’Etat) may lay down the processing operations and processing categories that are exempted from the individual notification obligation in case of a data breach, if such notification would lead to a national security risk or a risk to national defense or public security, and shall apply when the processing is carried out for a legitimate interest of the controller (Art 15 French Act) (Art 23 and 34 GDPR).

DATA PROTECTION OFFICER (ART 37(4))

No Deviation

DATA TRANSFER DEROGATIONS (ART 49(5))

ADDITIONAL REQUIREMENT: The French DPA and Conseil d’Etat can request the European Court of Justice (ECJ) to assess the validity of an adequacy decision by the European Commission or of appropriate safeguards determined by the Commission. The Conseil d’Etat may decide to suspend the data transfer based on the disputed Commission decision in anticipation of the ECJ judgment (Art 17 French Act) (Art 49 GDPR).

POWERS SUPERVISORY AUTHORITIES (ART 58)

No Deviation

CLASS ACTIONS (ART 80 (2))

SPECIFYING REQUIREMENT: The French Act allows individuals to mandate an organization or association to exercise their rights with the French DPA or against the DPA in judicial court proceedings (Art 16 French Act) (Art 80(2) GDPR).

ADMINISTRATIVE SANCTIONS (ART 83)

No Deviation

PENALTIES (ART 84)

No Deviation

HR PROCESSING (ART 88)

No Deviation

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

ADDITIONAL REQUIREMENT: In the case of archiving purposes in the public interest, the access, correction, restriction, portability, and objection rights of the individual shall not apply when a balancing of interests weighs in favor of the controller (Art 12 French Act) (Art 89 GDPR).

OBLIGATIONS OF SECRECY (ART 90)

No Deviation

REMARKS

The French Act amends the current French Data Protection Act (la loi n° 78-17 du 6 janvier 1978 relative à l’informatique, aux fichiers et aux libertés). It does not repeal the existing Act. This is the first draft that has been published.