Global Data and Cyber Handbook

France

Select a Topic
Start Comparison
International Data Transfer
Are there restrictions on the transfer of personal data to third countries?

Last review date: January 2025

Yes.

Transfers of personal data to third countries are only permissible if there is a legal basis for the processing/transfer and one of the following applies:

☒        approved adequate/whitelisted jurisdictions

☒        to holders of specific certifications or followers of specific code of conduct programs each approved by the relevant data protection and cybersecurity authority

☒        approved standard contractual clauses

☒        binding corporate rules

☒        derogations, such as consent, contract performance, necessity to establish, exercise or defend legal claims

☒        other solutions

Please see separate question for information on data localization provisions that are not restricted to personal data.

  • ad-hoc contractual clauses approved by the CNIL
  • administrative agreement or legally binding and enforceable text adopted to enable cooperation between public authorities (i.e., Memorandum of Understanding, international conventions)

In February 2022, the CNIL ordered French companies that used a certain audience analytics tool that allegedly involved illegal cross-border data transfers to comply with the GDPR. As per the CNIL, standard contractual clauses are not sufficient for purposes of GDPR compliance. However, the CNIL considered that the use of a proxy properly set up can be an operational solution to limit risks for data subjects. Since the entry into force of the European Commission's adequacy decision on the EU-US cross-border agreement ("Data Privacy Framework") on 10 July 2023, transfers to certified US entities can be made freely. The CNIL states that proxyfication remains a solution for audience measurement tools involving data transfers to non-certified U.S. entities (not on the list made available by the U.S. Department of Commerce) or other non-adequate countries, and is in any case a good practice to ensure a high level of personal data protection (guidance available here).

On 27 August 2024, the CNIL made available a tracking tool to help entities with BCRs verifying their implementation, and describing the steps involved in deploying it (link here). It consists of two questionnaires (available in French and in English), one aimed at the local entity and one for the main entity to ensure a smooth compliance with the BCR's in place.

{{ $store.state.loadingScreen.message }} ...