
France
Data Protection
Introduction
France was one of the first countries to regulate the processing of personal data with its law No. 78-17 of 6 January 1978, “Loi Informatique et Libertés” (French DPA). The Commission nationale de l’informatique et des libertés (CNIL), which is the French supervisory authority for data protection, is a very active authority in terms of doctrine, controls and sanctions, among other areas.
1. What national laws regulate the collection, use and disclosure of personal data?
The collection, use and disclosure of personal data are mainly regulated by Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and the French DPA ("Data Protection Laws").
In addition:
- Article 9 of the French Civil Code institutes the right to privacy.
- Articles L34-1 and following of the French Post and Electronic Communications Code (CPCE), which transpose provisions of Directive 2002/58/EC (e-Privacy Directive), regulate the processing of personal data in relation to electronic communications.
- Articles L251 and following of the French Internal Security Code (CSI) regulate the installation of video protection systems, including some by public authorities.
- The French Public Health Code regulates the hosting of health data.
- The French Consumer Code (CC) regulates direct marketing by phone.
- The French Labour Code regulates the monitoring of employees.
- Articles 226-16 and following of the French Criminal Code provide criminal sanctions in case of non-compliance with some of the above texts.
2. To whom do the laws apply?
Data Protection Laws (GDPR, Article 4) apply to:
- controller, i.e. the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by EU law or Member State law, the controller or the specific criteria for its nomination may be provided for by EU law or Member State law;
- processor, i.e. a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; and
- data subject, i.e. the individual to whom the personal data relates.
3. What is the territorial scope of the law?
The Data Protection Laws apply to the processing of personal data:
- in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not (GDPR, Article 3(1) and French DPA, Article 3-I);
- of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to (GDPR, Article 3(2) and French DPA, Article 3-I):
- the offering of goods or services irrespective of whether a payment of the data subject is required, to such data subjects in the EU; or
- the monitoring of their behaviour as far as their behaviour takes place within the EU; and
- by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law (GDPR, Article 3(3)).
When the French DPA provides for supplemental rules (as allowed by the GDPR), those rules apply whenever the data subject resides in France, including when the data controller is not established in France, with the exception of rules specifically adopted in relation to processing carried out for purposes of journalistic, academic, artistic or literary expression, for which the applicable rules are those of the EU country where the controller is established (French DPA, Article 3-II).
The GDPR provides for a one-stop-shop mechanism allowing organisations established in the EU and engaged in cross-border processing of personal data to deal with a single lead supervisory authority for most of their processing activities. This cooperation mechanism does not apply to issues falling under the e-Privacy Directive, e.g. sanctions regarding cookies and trackers.
4. What acts and operations relating to personal data are regulated?
Data Protection Laws regulate all processing of personal data, whether operated wholly or partly by automated means, or operated other than by automated means, when personal data forms part, or is intended to form part, of a filing system (GDPR, Article 2).
The processing of personal data is defined under Article 4(2) of the GDPR as any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The GDPR does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity, e.g., correspondence, holding of addresses, or social networking and online activity undertaken within the context of such activities (GDPR, Recital 18, Article 2).
The use of cookies and trackers, which does not necessarily involve the processing of personal data, for storing or accessing information on an individual terminal, is also regulated by Article 82 of the French DPA transposing Article 5(3) of the e-Privacy Directive (see below, Question 7).
5. What personal data does the law regulate?
Data Protection Laws regulate personal data within the meaning of Article 4 of the GDPR, i.e. any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data Protection Laws do not apply to “anonymous information”, i.e. information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable (GDPR, Recital 26). This is to be distinguished from pseudonymous information, i.e. personal data that cannot be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person (GDPR, Article 4(5)). The CNIL has a very strict interpretation of what constitutes anonymous information.
6. Are any types of personal data subject to a higher level of protection under the law?
The following types of personal data are subject to a higher level of protection:
- special categories of personal data (GDPR, Article 9(1) and French DPA, Article 6-I), e.g. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation;
- criminal data (GDPR, Article 10 and French DPA, Article 46), which may only be processed by a limited number of natural or legal persons exhaustively listed;
- gender identity (French Criminal Code, Article 226-19), which may only be placed or kept in computer memory with the express consent of the data subject;
- health data which, in addition to the requirements of Article 9 of the GDPR, may be subject to specific French law requirements (French DPA, Articles 64 to 77);
- children’s data (GDPR, Recital 38, Article 8); and
- other data subject to a higher level of protection (e.g. social security number, credit card data, location data).
7. What requirements must be fulfilled in order to process personal data?
All processing of personal data must comply with the main principles set forth in Article 5 of the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation and accuracy; storage limitation; and integrity and confidentiality.
To lawfully process personal data, there must be a valid legal basis for the processing (GDPR, Article 6), such as:
- data subjects’ consent. Consent must be freely given, specific, informed and unambiguous (GDPR, Article 7);
- necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- necessity for compliance with a legal obligation to which the controller is subject;
- necessity to protect someone’s vital interests;
- necessity to perform a task in the public interest or in the exercise of official authority vested in the controller; or
- necessity for the controller or a third party’s legitimate interests, subject to the data subject’s interests or fundamental rights and freedoms.
Regarding the validity of consent, the CNIL considers that, given the dependency resulting from the employer/employee relationship, it is unlikely that employees would freely give their consent to their employer. Hence, for most data processing at work, the lawful basis should not be the employees’ consent.
Regarding rules applicable specifically to direct marketing, see below, Question 10.
Regarding cookies and trackers, Article 82 of the French DPA provides that prior informed consent must be obtained from the user before storing or accessing any information on their terminal, unless these actions are strictly necessary for the provision of an online communication service expressly requested by the user, or are exclusively intended to enable or facilitate communication by electronic means.
8. What obligations apply when processing personal data?
Under Data Protection Laws, processing of personal data is subject to:
- compliance with data protection principles (see above, Question 7);
- the existence of a valid legal basis for the processing (see above, Question 7);
- the provision of complete and transparent information to data subjects (GDPR, Articles 12 to 14);
- the possibility given to data subjects to exercise their rights (see below, Question 9);
- data protection by design and by default (GDPR, Article 25);
- documenting relations with data processors (GDPR, Article 28);
- the inclusion of the processing in a record of processing activities (as a data controller or processor) (GDPR, Article 30);
- security obligations (GDPR, Article 32); and
- notification of personal data breaches to the supervisory authority when there is a risk for the data subject (GDPR, Article 33) and communication to the data subject when the risk is high (GDPR, Article 34). In addition to CNIL notifications, in case of a data breach there are sector-specific notification obligations towards other authorities (e.g. in the payment, health or military sectors);
- performance of data protection impact assessments when the processing is likely to result in a high risk to the rights and freedoms of natural persons (GDPR, Article 35);
- appointment of a data protection officer if required (GDPR, Article 37); and
- ensuring the legality of transfers of personal data outside of the EU (see below, Question 11).
Specific rules may also apply to the processing of the data referred to in Question 6, above.
9. What rights does the data subject have in relation to personal data?
Data subjects have the following rights:
- Right to information about how and why their personal data is being processed and by whom (GDPR, Articles 13 and 14).
- Right to access, rectify, or request erasure or deletion of their personal data (GDPR, Articles 15 to 17).
- Right to restrict the processing (GDPR, Article 18).
- Right to data portability (GDPR, Article 20).
- Right to object to the processing (GDPR, Article 21).
- Right with respect to automated decision-making and profiling (GDPR, Article 22).
- Right to define instructions for the storage, deletion and communication of personal data after their death (French DPA, Article 85).
10. What rules regulate the sending of commercial or direct marketing communications?
Commercial or direct marketing operated by non-automated phone or by post
Data subjects must, at the time of collection of their personal data: (i) receive information as to the use of their personal data for commercial or direct marketing purpose; and (ii) be given the possibility to object to such use (opt-out).
Data subjects may oppose any future phone marketing by registering on the “Bloctel” opposition list. However, they may still be contacted in relation to an existing agreement (CC, Article L223-1).
Commercial or direct marketing operated through electronic means (emails/SMS)
Regardless of which of the regimes described below applies, any email/SMS for commercial or direct marketing should: (i) specify the identity of the sender/advertiser; and (ii) offer an unsubscribe link.
The recipient is a prospective customer
The recipient’s prior consent must be obtained through a positive action, for example through ticking a box (opt-in) (CPCE, Article L34-5).
The recipient is an existing customer
The recipient’s prior consent is not necessary, and commercial or direct marketing communications can be sent on an opt-out basis, but only if it concerns similar products or services provided by the same entity (CPCE, Article L34-5).
The recipient is a professional who is not an existing client
The CNIL has adopted a flexible approach, and considers that it is acceptable to send commercial or direct marketing communications on an “opt-out” basis, subject to the following additional conditions:
- the communication should be related to the position of the recipient, e.g. a communication promoting the security of a software product sent to the IT security director of a company; and
- the address should indeed be a professional address (with the name of the recipient company), and not a personal address (e.g. Gmail).
11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?
Transfers of personal data outside the EU are regulated by Chapter V of the GDPR, which sets out the basis on which such transfers may occur:
- an adequacy decision (GDPR, Article 46(2)(a));
- binding corporate rules (GDPR, Articles 46(2)(b) and 47);
- standard data protection clauses (GDPR, Article 46(2)(c) and (d));
- approved code of conduct (GDPR, Article 46(2)(e));
- approved certification mechanism (GDPR, Article 46(2)(f)); and
- derogations for specific situations, e.g., data subject’s explicit consent, performance of a contract concluded in the data subject’s interest between the controller and another person, necessity for public interest, necessity for the establishment, exercise or defence of legal claims (GDPR, Article 49).
12. What are the investigatory and enforcement powers of the regulator?
The CNIL is empowered to control all organisations established in France or that process personal data of persons residing in France. A control mission by the CNIL may be triggered because:
- the topic is part of the CNIL’s annual control program;
- the CNIL has received complaints from data subjects;
- the topic is “hot” (e.g. in the news, or results from a large data breach), prompting a spontaneous investigation; or
- the CNIL wishes to check whether the entity has performed commitments taken as part of a previous control.
The CNIL is also in charge of controlling video protection systems.
On its Chair’s decision, the CNIL may carry out four types of controls:
- on-site control;
- summoned hearing;
- online control; or
- documentary control.
CNIL agents who are called upon to participate in the implementation of control missions may take copies of any documents necessary for the accomplishment of their mission, but may not seize the documents. A report is drawn up at the end of the control, setting out all the information gathered by CNIL’s agents and their findings. All documents copied during the control are listed in the report.
13. What are the sanctions and remedies for non-compliance with data protection laws?
Article 83 of the GDPR sets out the general conditions for supervisory authorities to impose administrative fines, on controllers or processors, of up to EUR 20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The CNIL’s restricted committee, in charge of sanctions, may also impose non-monetary sanctions such as a warning or an injunction with daily penalties.
Breaches of the provisions of Data Protection Laws may also be punished by five years’ imprisonment and a criminal fine of EUR 300,000; but in practice, such criminal sanctions are hardly ever applied.
The CNIL is very active in terms of the amount and number of sanctions, e.g. in 2021 it issued a EUR 150 million sanction.