Legitimate processing – grounds
Every collection, processing or use of PII needs to be justified under French data protection law. Like Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR), the Law on Computer Technology and Freedom of 6 January 1978 (LIL) lists six legal bases on which personal data can be processed, including:
- obtaining the prior consent of the data subject;
- the respect of a legal obligation of the data controller;
- the protection of the data subject’s life (interpreted restrictively);
- the performance of a public service mission entrusted to the data controller or the data recipient;
- the performance of either a contract to which the data subject is a party or steps taken at the request of the data subject before entering a contract; or
- the pursuit of the data controller’s or the data recipient’s legitimate interest provided such interest is not incompatible with the fundamental rights and interests of the data subject.
Legitimate processing – types of PII
French law is more restrictive for the processing of specific types of PII, known as sensitive personal data. As a matter of principle, the processing of sensitive data is prohibited.
The LIL provides a non-exhaustive list of sensitive PII by nature, which is PII that reveals, directly or indirectly, the racial and ethnic origins, the political, philosophical, religious opinions or trade union affiliation of individuals, or that concerns their health or sexual life. This category of sensitive data by nature can only be processed in the following cases, among others:
- the data subject gave prior express consent;
- the processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving his or her consent;
- the processing is carried out by a foundation, association or any other non-profit organisation with political, philosophical, religious or trade union objectives, in the course of its legitimate activities;
- the processing relates to PII that has been made public by the data subject; or
- the processing is necessary for the establishment, exercise or defence of legal claims.
Concerning the use of PII in the employment context, the National Commission for Data Protection and Liberties has published several opinions on monitoring the activities of employees, video surveillance, discrimination, localisation data and the collection of PII in the recruitment process. Moreover, in France, employers cannot rely on consent for processing involving PII of their employees, since employees cannot freely consent as they are by nature subordinated to the employer.
Moreover, processing can be prohibited due to its context, such as the processing of PII relating to offences, convictions and security measures, which can only be carried out by a limited number of specific entities.
Further, according to the law on the protection of personal data, a minor may, from the age of 15, consent alone to the processing of personal data in connection with the offer of information society services, which differs from the threshold of 16 years provided in the GDPR.
The law on the protection of personal data establishes a principle of prohibition of decisions producing legal effects on the sole basis of automated processing, including profiling intended to define the profile of the person concerned or to evaluate certain aspects of his or her personality. Such a provision maintains a certain gap with the GDPR since the law is based on a prohibition in principle of such automated processing while the GDPR refers to an ‘individual right’ of the person concerned ‘not to be the subject of a decision based solely on automated processing, including profiling’.
Finally, it should be recalled that if the data controller outsources the hosting of health data, which is considered sensitive, to a service provider, that provider must be an approved or certified host for such hosting under the provisions of article L1111-8 of the French Public Health Code.