The French data protection authority, the CNIL, has adopted Terms of Reference (“Terms”) relating to the processing of personal data for HR management purposes. The Terms were adopted following a public consultation and published on the CNIL’s website on 15 April 2020.…
On March 6, 2020, the CNIL published recommendations on the collection of personal data in the context of COVID-19. Health data is particularly protected within the framework of a series of regulations (notably GDPR, French Data Protection Act and French Public Health Code). Restrictions: The CNIL insists that employers cannot take measures likely to impair …
On 21 January 2020, the CNIL launched a public consultation on the proposed guidelines for cookies and other trackers, which is open until 25 February 2020. The proposed guidelines are presented as “non-binding” and aim to assist organisations to comply with the regulation by providing practical examples of how to obtain consent. However, the CNIL …
The French government has launched a public consultation on the transposition of Directive (EU) 2018/1972 of December 11, 2018, establishing the EU Electronic Communications Code (EECC), which must be transposed before December 21, 2020. What Is It About? The consultation concerns the draft modification of the French Postal Services and Electronic Communications (CPCE) and French Consumer …
Under Article 87 of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), Member States may define the specific conditions for the processing of a national identification number or any other identifier of general application. As discussed below, France has made an interesting application of this rule regarding, in particular, the social security number. …
The French Council of State considers legal the decision of the Commission Nationale de l’Informatique et des Libertés (CNIL) to engage in a consultation to define the new practical modalities for expressing consent in the matter of targeted advertising, and to grant stakeholders a period of adaptation. Context: Pending the finalization of the new …
The CNIL blows the whistle for the end of the transition period. For the first time, the CNIL’s 2019 investigation program is not specific to an industry and potentially impacts controllers and processors throughout all sectors of business. Going forward, the CNIL will also be more thorough and less lenient. 2019 Program Investigation program CNIL’s …
Pursuant to Article 35.4 of the RGPD (GDPR), the CNIL has published a list of 14 categories of processing activities for which it deems it necessary to perform a Data Protection Impact Assessment (DPIA). On its website, the CNIL also provides examples of the types of processing activities for each of these categories.…
The General Data Protection Regulation (GDPR), applicable since 25 May 2018, modifies the legal rules on the use of biometric data. The processing of biometric data for the purpose of “uniquely identifying a natural person” is, as a matter of principle, prohibited under Article 9 GDPR. Amongst the authorised exceptions is the processing “necessary …
The French data protection authority (CNIL) has published its annual investigation program for 2018, which is the first since the GDPR came into force on May 25, 2018. The report indicates that the CNIL intends to conduct over 300 investigations (onsite, online or per request of documentation or formal hearing) and will focus on the …
As some companies may have experienced already, the French Public Health Code (Article L.1111-8) requires that service providers hosting certain types of health/medical data (in French “hébergeurs de données de santé” or “HDS”) be accredited for this activity. The accreditation procedure is changing, effective 1 April 2018, from an authorisation procedure to a certification…
On 15 November 2017, the CNIL created a special page on its website with a view to highlighting its 2013 guidelines on processing of payment card data for online transactions (the 2013 guidelines were modified in July 2017).…
On December 13, 2017, the French Ministry of Justice published a draft law to accompany the implementation within France of the General Data Protection Regulation 2016/679 (GDPR) and the Directive 2016/680, governing the handling of data in law enforcement situations. The following are some of the noticeable changes brought by the draft law with respect …
It is common for a company to create an exclusion file that allows it to identify “bad debtors” and exclude them from all future transactions. The Commission nationale de l’informatique et des libertés (“CNIL”) published on 13 November the following recommendations for this type of database.…
The French National Agency for Safety of Medicines and Health Products (Agence nationale de sécurité du médicament et des produits de santé, or ANSM) announced on its website in October 2017 the creation of a “temporary specialized scientific committee” (comité scientifique spécialisé temporaire, CSST) on the cybersecurity of medical device software.…
On 22 November, the CNIL released on its website an open-source, ready-to-use software tool for DPIAs, which can be downloaded for free. The explanations on the website are currently only in French, but the CNIL’s intention is to have English explanations as well.…
On October 17, 2017, the French data protection authority, the CNIL, released a “compliance pack” for connected cars. This toolkit provides guidance to stakeholders on how to integrate data protection by design and by default into their production pipeline, enabling data subjects to have effective control over their data. Developed by the CNIL in consultation with …
The latest data privacy Alert from the Squire Patton Boggs’ Data Protection & Cybersecurity team covers news from the week of 2 October 2017.…
The latest data privacy Alert from the Squire Patton Boggs’ Data Protection & Cybersecurity team covers news from the week of 25 September 2017.…
While the GDPR compliance clock is ticking for companies, EU Member States have also been preparing for the implementation of the General Data Protection Regulation (“GDPR”) which will become enforceable on May 25, 2018. The GDPR will be directly applicable in all EU Member States without the need for implementing national laws. However, apart from …