LUXEMBOURG

CHART INSTRUCTIONS:

Local law does not deviate from the GDPR.

Local law deviates from the GDPR.

Name

Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), amending the Labour Code and the amended Law of 25 March 2015 laying down the salary system and the conditions and procedures for the advancement of State officials.

Status: Adopted

SME exception

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

No Deviation

CHILD’S CONSENT (ART 8)

No Deviation

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

VARYING: Prohibition of processing genetic or biometric data for life insurance or medical insurance purposes.

CCTV (Art 6)

No Deviation

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

SPECIFYING: Employers can ask future employees to provide an extract of their criminal record during the recruitment process. The employer may use the extract only for recruitment or human resources purposes, and the extract cannot be kept for more than one month.

Information obligation (Art 13 & 14)

SPECIFYING: Information obligations are applicable to the extent they do not violate the freedom of expression, freedom of journalism, or literary expression.

Automated individual decision making (Art 22)

No Deviation

Restrictions to data subject’s rights (Art 23)

No Deviation

Joint controller responsibilities (Art 26 (1))

No Deviation

Ad hoc notifications – records of processing activities (Art 30)

No Deviation

Security of processing (Art 32)

No Deviation

Data breach (Art 33 & 34)

No Deviation

Data protection impact assessment (Art 35)

VARYING: The CNPD has the authority to draw up a list of "high-risk processing" operations that require a DPIA, but has not done so yet.

Data protection officer (Art 37(4))

No Deviation

Certification (Art 42)

No Deviation

Data transfer derogations (Art 49(5))

No Deviation

Powers of supervisory authorities (Art 58)

ADDITIONAL: The SA is appointed to a five-year term.

Class actions (Art 80(2))

SPECIFYING: The CNPD can intervene and examine a case pursuant to an application made under Article 80 of the GDPR.

Administrative sanctions (Art 83)

SPECIFYING: The CNPD may also impose penalties of up to 5% of a company's average daily turnover achieved during the previous financial year in order to compel a company to provide requested information or where a company is not cooperating.

Penalties (Art 84)

SPECIFYING: Anybody who intentionally prevents or obstructs the performance of the CNPD’s duties may be subject to: (1) a prison sentence of between eight days and one year; and/or (2) a fine of €251–125,000.

Freedom of expression and information (Art 85)

No Deviation

HR processing (Art 88)

No Deviation

Processing for archiving, scientific, historical research, or statistical purposes (Art 89)

No Deviation

OBLIGATIONS OF SECRECY (ART 90)

VARYING: Secrecy does not apply to communication with an attorney, notary public, or accountant or otherwise an activity covered by professional secrecy.

Local DPA guidance and legal sources

Act establishing the National Commission for Data Protection and implementing Regulation (EU) 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), amending the Labour Code and the amended Law of 25 March 2015 laying down the salary system and the conditions and procedures for the advancement of State officials: Law of 1 August 2018 on the organisation of the National Commission for Data Protection and the General Scheme on Data Protection