Last review date: January 2025
Yes.
The following are potential legal bases for processing personal data:
☒ the data subject has provided consent to the processing for the identified purposes
☒ the personal data is necessary to perform a contract with the data subject
☒ the personal data is necessary to comply with a legal obligation
☒ the personal data is necessary to protect the vital interests of a natural person
☒ the personal data is necessary for a public interest
☒ the personal data is necessary to fulfil a legitimate interest of the controller or third party (provided that the interest is not overridden by the data subject's privacy interests and the data subject has not made use of his/her right to object)
Yes.
The following are potential legal bases for processing special categories of personal data:
☒ the data subject has given consent to the processing, where consent is measured to the same standard as non-sensitive personal data
☒ processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
☒ processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
☒ processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and further conditions
☒ processing relates to personal data which are manifestly made public by the data subject
☒ processing is necessary for the establishment, exercise or defense of legal claims
☒ processing is necessary for reasons of substantial public interest
☒ processing is necessary for the purposes of medicine, the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
☒ processing is necessary for reasons of public interest in the area of public health
☒ processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
☒ other
Pursuant to article 44 of the Data Protection Act, processing sensitive personal data is also permitted if:
Yes.
A minor within the meaning of data privacy laws is a person below the age of 15.
☒ in the context of information society services (e.g., a commercial website) only if processing is based on consent
☒ consent must be given or authorized by the parent/guardian of the minor
☒ additional data subject rights are granted to minors (e.g., deletion, access, transparency)
Pursuant to article 70 of the Data Protection Act, and in the context of medical research, a minor aged 15 or over may object to holders of parental authority having access to data concerning him or her collected in the course of the related medical research, study or evaluation. The minor then receives the information and exercises his or her rights alone.
For the same processing operations, a minor aged 15 or over may object to holders of parental authority being informed of data processing if the fact of participating in it leads to the disclosure of information on a preventive action, screening, diagnosis, treatment or intervention for which the minor has expressly opposed the consultation of holders of parental authority, pursuant to Articles L. 1111-5 and L. 1111-5-1 of the French Public Health Code, or if the family ties are severed and the minor personally receives reimbursement of benefits from sickness and maternity insurance and supplementary cover. The minor then exercises their rights alone.
☒ other
Pursuant to article 48 of the Data Protection Act, the controller shall draft the information and communications relating to processing that concerns a minor in clear and simple terms that the minor can easily understand.
In addition, article 51(II) of the Data Protection Act adds details on how the data controller should handle the right to be forgotten. It specifies that "the data controller is required to erase as soon as possible any personal data collected in connection with the provision of information society services when the data subject was a minor at the time of collection. Where it has transmitted the data in question to a third party which is itself responsible for processing, it shall take reasonable measures, including technical measures, taking into account the technologies available and the costs of implementation, to inform the third party processing the data that the data subject has requested the deletion of any link to it, or of any copy or reproduction of it.
In the event of failure to erase personal data, or in the absence of a response from the data controller within one month of the request, the data subject may lodge a complaint with the Commission Nationale de l'Informatique et des Libertés, which will rule on the request within three weeks of receipt of the complaint."
On 9 June 2021, the CNIL published guidelines to reinforce the protection of minors in the digital environment, focusing on three main areas:
On 17 February 2022, the CNIL published specific guidelines for public and private organizations that offer social and medico-social support to reinforce the protection of individuals under 21 years of age, available here.
On 2 March 2022, France published a law aimed at strengthening parental control over Internet access devices, available here. According to this law, Internet-connected devices sold in France (smartphones, computers, video game consoles, etc.) must feature an easily accessible and comprehensible parental control system. Activation of this system must be offered free of charge as soon as the device is first put into service.
On 9 March 2023, the CNIL issued its opinion on the decrees specifying the various functionalities that parental control devices installed on connected devices must incorporate. Link to the CNIL's opinions here and here and to the decrees here and here.
In its opinion, the CNIL reiterates its support for parental control systems. The introduction of such devices is an appropriate way of protecting minors from the risks to which they are exposed online (harassment, scams, access to unsuitable content, etc.).
It also stresses that these tools must be developed in such a way as to ensure a balance between controlling access to inappropriate content and respecting children's privacy and empowerment. They must also integrate privacy by design and by default. Furthermore, the CNIL indicates that the implementation of minimal functionalities (blocking the downloading of applications or content to which access is forbidden to minors) should not result in the transmission of personal data to servers.
On 11 October 2024, the CNIL issued its opinion on the French audiovisual authority's (“ARCOM”) guidelines for access to pornographic sites (link here). These guidelines, which relate to age verification systems, incorporate a large number of the CNIL's previous recommendations (link here) concerning the protection of personal data and privacy.