La Loi Informatique et Libertés is the national data protection law of France, which has been enforced since June 1, 2019. The French Data Protection Act (FDPA) comprises provisions that apply to processing in general, provisions related to state security and national defense, and provisions governing police and justice processing. It also refers to the provisions covered by the EU-GDPR, especially those related to the “national margins of maneuver.” Despite referring to the EU-GDPR in certain cases, the intention has not been to completely incorporate the provisions of the EU-GDPR. The French independent administrative authority, the CNIL (Commission Nationale de l’Informatique et des Libertés), therefore advises organizations processing the personal data of French residents to understand the requirements of both the FDPA and the EU-GDPR in order to comprehend and comply with this legal framework.
Scope of the French Data Protection Act
The French Data Protection Act applies to all data controllers processing the personal data of French residents, whether or not they are established in France. The personal data of these data subjects is protected by the provisions of the EU-GDPR that refer back to national law, as adapted to or supplemented by the rights and obligations of the FDPA. In addition, since France is a Member State of the European Union, the provisions of the EU-GDPR apply directly.
Principles to Protect Personal Data
Article 4 of Chapter I (Principles and Definitions) of Title I (Common Provisions) of the FDPA sets out the six data protection principles.
To protect the personal data of French citizens, the data controller and processor must adhere to the following principles:
- The processing of personal data must be conducted in a lawful, transparent, and fair manner.
- Personal data must be collected for specific, explicit, and legitimate purposes. Any further processing must be shown to be compatible with the initial purpose, unless that further processing is for archival purposes in the public interest or for statistical, scientific, or historical research purposes.
- The relevancy, necessity, and adequacy of personal data processed should be maintained.
- The accuracy of personal data should be maintained, and as per the need, the data should be updated. Without delay, inaccurate data must either be erased or rectified.
- Personal data may be retained beyond the period needed for the purposes for which it was processed only for archival purposes in the public interest or for statistical, scientific, or historical purposes, as elaborated in Article L. 212-3 of the Heritage Code.
- Data processing must be carried out in a way that prevents unlawful or unauthorized processing, damage, destruction, accidental loss, or access by unauthorized persons. Organizations are obligated to maintain data integrity and confidentiality by taking adequate technical measures.
Rights of the Data Subjects
La Loi Informatique et Libertés, or the FDPA, grants data subjects rights that they can exercise in order to protect their personal data, question its processing, and restrict its unlawful processing. Chapter II (Rights of the Data Subjects) of Title II (Processing covered by the personal data protection regime provided for by Regulation (EU) 2016/679 of April 27, 2016) covers the rights of the data subjects, which are explained below:
- Right to Information (Article 48): The data subject can obtain, orally or by electronic means, information such as the identity and contact details of the controller under the conditions provided in Articles 12-14 of the EU-GDPR. This right lets the data subject know the source of the data, i.e., whether it was obtained from them directly or not. Article 13 defines the provisions for data collected from minors.
- Right of Access (Article 49): This right is exercised under the conditions of Article 15, Regulation (EU) 2016/679 of April 27, 2016, and allows the data subject to obtain confirmation from the controller about their personal data being processed. If the answer is affirmative, then they can request to have their data erased or rectified.
- Right of Rectification (Article 50): The data subject has the right to get their incomplete personal data completed and inaccurate personal data rectified without undue delay. This right can be exercised under the conditions specified in Article 16 of the EU-GDPR.
- Right to Erasure (Article 51): The right to erasure, also known as the right to be forgotten, is exercised under the conditions mentioned in Article 17 of the EU-GDPR and empowers the data subject to have their personal data erased when:
  - The purpose for which the personal data was collected no longer exists
  - The consent on which the processing was based has been withdrawn
  - There are no legal or legitimate grounds for the processing
  - The personal data has been processed unlawfully
  - The personal data was collected in relation to the offer of information society services
  - A legal obligation under Union or Member State law requires the erasure of the personal data
- Right to Limitation of Processing (Article 53): This right lets the data subject have the processing of their personal data restricted under the conditions provided in Article 18 of Regulation (EU) 2016/679 of April 27, 2016, when:
  - The personal data has been processed unlawfully and the data subject has requested a restriction on processing instead of erasure
  - The data subject contests the accuracy of the personal data
  - The data subject requires the personal data for the establishment, exercise, or defense of legal claims
  - The data subject has objected to the processing of their personal data
- Right to Data Portability (Article 55): The right to data portability is governed by the provisions of Article 20 of the EU-GDPR. Without affecting the rights and freedoms of others, data subjects have the right to obtain their personal data in a structured, commonly used, and machine-readable format. Additionally, this right permits them to have their data transmitted directly to another data controller where technically feasible and without hindrance.
Note: To learn more about the rights of data subjects in processing contexts other than those explained above, refer to Chapter 3 of Title III (Provisions applicable to processing covered by Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by the competent authorities for the purposes of prevention, detection, investigation, and prosecution of criminal offenses or the execution of criminal sanctions, and the free movement of such data, and repealing Council Framework Decision 2008/977/JHA) and Chapter 1 of Title IV (Provisions applicable to processing affecting state security and defense).
Penalties in Cases of Non-Compliance Under FDPA
Section 3 (Corrective measures and sanctions) of Title I (Common Provisions) elaborates, in Article 20, on the consequences that a data controller or its subcontractor faces for non-compliance with the FDPA. Violating the FDPA or the provisions of Regulation (EU) 2016/679 of 27 April 2016 can result in warnings, formal notices, suspension of certificates or approvals, fines, and/or legal proceedings initiated by the President of the Commission Nationale de l’Informatique et des Libertés (CNIL). The President of the CNIL can issue a formal notice setting a deadline within which the data controller or its subcontractor must comply with the requests made by the data subject and inform the data subject about the breach, unless the processing concerns state security or defense. The data controller must also ensure that its processing activities comply with the provisions of the FDPA, and if the request was to erase or rectify personal data, the necessary action must be taken.
Unless the processing of personal data is carried out by the State, the amount of the fine under the FDPA is:
- Up to 2% of the total annual worldwide turnover of the previous financial year, or an administrative fine of up to 10 million euros (whichever is higher)
- Up to 4% of that turnover, or up to 20 million euros (whichever is higher), because of the increased ceilings that apply in the cases referred to in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016
How to Comply with FDPA?
Controllers, government bodies, competent authorities, and subcontractors are all obligated to comply with the provisions of the French Data Protection Act (FDPA) and the EU-GDPR listed above in order to safeguard the personal data of French residents (the data subjects). Article 57 of Section 1 (General Obligations) of Chapter III (Obligations of the data controller and the processor) also refers to the appointment of a data protection delegate.
In order to comply with the FDPA, and in particular with the ‘right to be forgotten’ or ‘right to erasure’, one of the most prominent rights of the data subjects, organizations need to use professional data wiping software like BitRaser that erases data permanently from drives and devices without leaving any scope for data recovery. The software generates a data erasure certificate that helps organizations demonstrate compliance with the FDPA, the EU-GDPR, and similar regulations. For auditors, it is a verifiable record of erasure, establishing trust and transparency. BitRaser is tested and approved by global certification bodies like the Common Criteria, ADISA, NIST, and DHS.