Data Protection and Privacy in France: Part 5

Registration

PII controllers or processors are not required to register with the National Commission for Data Protection and Liberties (CNIL).

Since the entry into force of Regulation (EU) 2016/679 (General Data Protection Regulation), owners and processors no longer have the obligation to declare the PII processing they carry out to the CNIL.

However, the law on personal data maintains the requirement of prior authorisation from the CNIL for biometric or genetic data gathered by the state for research, and study or evaluation in the field of health.

Formalities

The formalities of registration for data processing requiring prior authorisation must be performed for each new PII processing operation. The formalities are free of charge and can be realised on the CNIL website and are non-renewable since they remain valid for the whole duration of the processing. The following information must be provided:

• the identity and the address of the data controller;

• the purposes of the processing and the general description of its functions;

• if necessary, the combinations, alignments or any other form of relationship with other processing;

• the PII processed, its origin and the categories of data subjects to which the processing relates;

• the period of retention of the processed information;

• the department responsible for carrying out the processing;

• the authorised recipients to whom the data may be disclosed;

• the function of the person where the right of access is exercised, as well as the measures relating to the exercise of this right;

• the steps taken to ensure the security of the processing and data, the safeguarding of secrets protected by law and, if necessary, information on recourse to a sub-contractor; and

• if applicable, any transfer of PII that is envisaged outside of the European Economic Area.

Penalties

Failure to comply with the registration obligation can be punished by imprisonment for a maximum period of five years and a criminal fine of up to €300,000 (articles 226-16 and 226-16-1 A of the Criminal Code).

Refusal of registration

The CNIL can refuse its registration if some of the information to be provided is missing or if the PII collected for the processing is too broad concerning its purpose. In such cases, the PII owner cannot carry out the intended data processing. Failure to comply with a refusal of the CNIL to authorise processing is subject to criminal sanctions.

Public access

On 30 August 2017, the CNIL published on its website a register that lists the formalities completed since 1979 by data controllers (public and private). This register can be accessed on the CNIL website.

Effect of registration

The PII controller may only be allowed to start carrying out the processing upon registration and receipt of authorisation from the CNIL.

The registration as such does not exempt a data controller from any of its other obligations. After the registration, data controllers still need to ensure that the processing complies with the information disclosed in the notification and with data protection standards.