Security obligations

Data controllers must protect PII against accidental or unlawful destruction, loss, alteration and disclosure, particularly when processing involves data transmission over networks.

Data controllers are required to take steps to:

  • ensure that PII in their possession and control is protected from unauthorised access and use;
  • implement appropriate physical, technical and organisational security safeguards to protect PII; and
  • ensure that the level of security is appropriate to the amount, nature and sensitivity of the PII.

The National Commission for Data Protection and Liberties (CNIL) issued guidelines on 23 January 2018 on the security measures to be implemented by data controllers, in line with the requirement of Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR), to guarantee the security of personal data processing. These guidelines encourage data controllers to perform a privacy impact assessment, which shall be carried out in consideration of the two following pillars:

  • the principles and fundamental rights identified as ‘not negotiable’, which are set by law and must be respected. They shall not be subject to any modulation, irrespective of the nature, seriousness or likelihood of the risks incurred; and
  • the management of risks on data subjects that allows data controllers to determine which appropriate technical and organisational measures shall be taken to protect the PII.

Notification of data breach

With the GDPR, there is a general obligation for PII controllers to report PII data breaches to the CNIL without undue delay and, where feasible, not later than 72 hours after becoming aware of it. However, an exception to this notification exists when the data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, reasons will have to be provided to the supervisory authority.

The notification shall at least:

  • describe the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;
  • communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;
  • describe the likely consequences of the personal data breach; and
  • describe the measures taken or proposed to be taken by the owner to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Moreover, when the data breach is likely to result in a high risk to the rights and freedoms of data subjects, the controller shall notify the data breach to the data subject without undue delay. This notification can be waived if the CNIL considers that:

  • the controller has taken subsequent measures that ensure the high risk to the rights and freedoms of data subjects is no longer likely to materialise;
  • appropriate technical and organisational protection was in place at the time of the incident (eg, encrypted data); or
  • the notification would trigger disproportionate efforts (instead, a public information campaign or ‘similar measures’ should be relied on so that affected data subjects can be effectively informed).

The Law on Computer Technology and Freedom of 6 January 1978 specifies that such notification is not required if the CNIL has found that appropriate safeguards have been implemented to render the data unintelligible to any person not authorised to access it and have been applied to the data affected by such breach.

The PII owner must keep an updated record of all PII breaches, which must contain the list of conditions, effects and measures taken as remedies. This record must be communicated to the CNIL on request.

Failure to meet the above requirements exposes the owners of PII to an administrative fine of up to €10 million or, in the case of an undertaking, up to 2 per cent of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Providers of electronic communication services are also subject to an obligation to notify the CNIL within 24 hours in the event of a PII breach. In this respect, when the PII breach may affect PII or the privacy of a data subject, the PII controller shall also notify the concerned data subject without delay.

Data protection officer

Controllers and processors may decide to appoint a data protection officer (DPO). However, this is mandatory for public sector bodies, those involved in certain listed sensitive processing or monitoring activities or where local law requires an appointment to be made.

The DPO assists the owner or the processor in all issues relating to the protection of personally identifiable information (PII). Simply, the DPO must:

  • monitor compliance of the organisation with all regulations regarding data protection, including audits, awareness-raising activities and training of staff involved in processing operations;
  • advise and inform the owner or processor, as well as their employees, of their obligations under data protection regulations;
  • act as a contact point for requests from individuals regarding the processing of their personal data and the exercise of their rights; and
  • cooperate with the data protection authorities (DPAs) and act as a contact point for DPAs on issues relating to processing.

A single DPO may be appointed for several competent authorities, depending on their organisational structure and size.

Record keeping

PII controllers are required to maintain a record of processing activities under their responsibilities as referred to in article 30 of Regulation (EU) 2016/679 (General Data Protection Regulation) (GDPR). Processors of PII are also required to maintain such a record about personal data that controllers engage them to process.

While an exemption from the above obligations applies to organisations employing fewer than 250 people, this exemption will not apply where sensitive data is processed and where owners or processors of PII find themselves in the position of:

  • carrying out processing likely to result in a risk (not just a high risk) to the rights of the data subjects;
  • processing personal data on a non-occasional basis; or
  • processing sensitive data or data relating to criminal convictions.

New processing regulations

Since the GDPR is directly effective in France, controllers and processors of PII are required to apply a privacy by design approach by implementing technical and organisational measures to show that they have considered and integrated data compliance measures into their data-processing activities. These technical and organisational measures might include the use of pseudonymisation techniques, staff training programmes and specific policies and procedures.

Also, when processing is likely to result in a high risk to the rights and freedoms of natural persons, owners and controllers are required to carry out a detailed privacy impact assessment (PIA). Where a PIA results in the conclusion that there is indeed a high, and unmitigated, risk for the data subjects, controllers must notify the supervisory authority and obtain its view on the adequacy of the measures proposed by the PIA to reduce the risks of processing.

Controllers and processors may decide to appoint a DPO.