The CNIL blows the whistle for the end of the transition period. For the first time, the CNIL’s 2019 investigation program is not specific to an industry and potentially impacts controllers and processors throughout all sectors of business. Going forward, the CNIL will also be more thorough and less lenient. 2019 Program Investigation program CNIL’s … Continue Reading
Pursuant to Article 35.4 of the RGPD (GDPR), the CNIL has published a list of 14 categories of processing activities for which it deems it necessary to perform a Data Protection Impact Assessment (DPIA). On its website, the CNIL also provides examples of the types of processing activities for each of these categories.… Continue Reading
The General Data Protection Regulation (GDPR) applicable since 25 May 2018 , modifies the legal rules on the use of biometric data. The processing of biometric data for the purpose of “uniquely identifying a natural person” is, as a matter of principle, prohibited under Article 9 GDPR . Amongst the authorised exceptions is the processing “necessary … Continue Reading
The French data protection authority (CNIL) has published its annual investigation program for 2018, which is the first since the GDPR came into force on May 25, 2018. The report indicates that the CNIL intends to conduct over 300 investigations (onsite, online or per request of documentation or formal hearing) and will focus on the … Continue Reading
As some companies may have experienced already, the French Public Health Code (Article L.1111-8) requires that services providers hosting certain types of health/medical data (in French “hébergeurs de données de santé” or “HDS”) be accredited for this activity. The accreditation procedure is changing, effective 1 April 2018, from an authorisation procedure to a certification… Continue Reading
On 15 November 2017 the CNIL created a special page on its website with a view to highlighting its 2013 guidelines on processing of payment card data for online transactions (The 2013 guidelines were modified in July 2017).… Continue Reading
On December 13, 2017 the French Ministry of Justice published a draft law to accompany the implementation within France of the General Data Protection Regulation 2016/679 (GDPR) and the Directive 2016/680, governing the handling of data in law enforcement situations. The following are some of the noticeable change brought by the draft law with respect … Continue Reading
It is common for a company to create an exclusion file that allows it to identify “bad debtors” and exclude them from all future transactions. The Commission nationale de l’informatique et des libertés (“CNIL”) published on 13 November the following recommendations for this type of data base.… Continue Reading
The French National Agency for Safety of Medicines and Health Products (Agence nationale de sécurité du médicament et des produits de santé or ANSM) has announced on its website in October 2017 the creation of a “temporary specialized scientific committee” (comité scientifique spécialisé temporaire CSST) on the cybersecurity of medical device software.… Continue Reading
On the 22 November, the CNIL released on its website an open source ready to use software tool for DPIAs, which can be downloaded for free. The explanations on the website are currently only in French, but the CNIL’s intention is to have an English explanations as well.… Continue Reading
On October 17, 2017, the French data protection authority, the CNIL, released a “compliance pack” for connected cars. This toolkit provides guidance to stakeholders on how to integrate data protection by design and by default into their production pipeline, enabling data subjects to have effective control over their data. Developed by the CNIL in consultation with … Continue Reading
The latest data privacy Alert from the Squire Patton Boggs’ Data Protection & Cybersecurity team covers news from the week of 2 October 2017.… Continue Reading
The latest data privacy Alert from the Squire Patton Boggs’ Data Protection & Cybersecurity team covers news from the week of 25 September 2017.… Continue Reading
While the GDPR compliance clock is ticking for companies, EU Member States have also been preparing for the implementation of the General Data Protection Regulation (“GDPR”) which will become enforceable on May 25, 2018. The GDPR will be directly applicable in all EU Member States without the need for implementing national laws. However, apart from … Continue Reading
