Last review date: January 2025
Yes.
☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒ reasonable security controls
☒ encryption
Not a strict legal requirement, but encryption is considered by the GDPR as an appropriate technical and organizational measure. In practice, the authorities expect encryption unless specific circumstances justify no encryption.
In 2018, the CNIL published a guide on the "Security of Personal Data" that gives further details and precise instructions on encryption. The guide is neither a list of mandatory data security requirements nor an exhaustive list of measures to implement; it offers recommendations on the methodology for determining the right level of protection for personal data. The CNIL updated the guide in April 2023. The updated guide includes the CNIL's updated recommendations and further guidance on logging, IT development and passwords for user authentication. The changes also reflect changes in current best practices, which focus inter alia on encryption.
The CNIL updated its guide on the "Security of Personal Data" again in 2024, adding five new themes: cloud computing, mobile applications, artificial intelligence (AI), application programming interfaces (APIs) and data security management.
In 2022, ANSSI also published a Cybersecurity Guide to help small companies by answering 13 major questions.
☒ obligation to take specific security measures e.g., encryption
Please refer to the CNIL's guide on security.
☒ requirement to undertake third party due diligence (security assessment of third-party providers)
Please refer to the CNIL's guide on security.
☒ other
As mentioned above, the CNIL has recently specified the rules on passwords for user authentication. In this recommendation, the CNIL introduces inter alia the notion of entropy, which is used to calculate the degree of password complexity and hence its level of robustness. The CNIL requires a minimum level of entropy according to the type of business activity.
Last review date: January 2025
☒ public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks)
☒ network information security requirements (broader than telecommunications)
☒ health regulatory requirements
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
☒ digital or connected (IoT) products
☒ Data privacy
☒ Securities or public company
☒ network information security
☒ health
☒ financial services
☒ telecommunications
☒ critical infrastructure
Last review date: January 2025
Yes.
"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
Last updated date: January 2025
☒ data protection authorities
☒ affected individuals
Article 34, paragraph 1 of the aforementioned Regulation provides that "the controller shall communicate the personal data breach to the data subject." The Regulation does not further specify any required or appropriate timeframe.
☒ other
According to article 34, paragraph 3, point c of Regulation (EU) 2016/679 of 27 April 2016, affected individuals may not be directly informed if "it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner." No specific timeframe is specified.
Last review date: January 2025
☒ controller / owner
Last review date: January 2025
Yes.
☒ cybersecurity authorities
☒ health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
☒ other
If so, please provide brief details of the relevant law / guidance and indicate which body/bodies must be notified of the breach.
Details regarding the identified data security breach notification requirements
Several authorities may be notified depending on the sector of activity of the organization and its sensitivity to security, the nature of the data collected and the type of processing.
The article further provides that "Where such breach may infringe on the personal data or privacy of a subscriber to the service or another natural person, the provider shall also notify the concerned person without delay".
However, notification of a personal data breach to the concerned person is not necessary if the CNIL has found that appropriate protection measures have been implemented by the provider to make the data incomprehensible to any person who is not authorized to access it and have been applied to the data affected by the breach.
Article L. 33-14 of the French Telecommunications Code provides that when events likely to affect the security of information systems are detected, electronic communications providers shall inform the National Authority for Information Systems' Security ("ANSSI") "without delay".
The Banque de France assesses the incident and takes appropriate measures, if necessary, and if it deems it necessary, it informs the ACPR. Where the incident has or is likely to have an impact on the financial interests of its payment service users, "the payment service provider shall inform its payment service users without undue delay following the incident and of any available measures they may take to mitigate the harmful effects of the incident."
The concerned healthcare institutions are required to report significant or serious security incidents (i.e., events that give rise to an exceptional situation, and in particular: incidents with potential or proven consequences for the safety of care; incidents that affect the confidentiality or integrity of health data; incidents affecting the normal functioning of the establishment, body or service concerned).
The notification of serious security incidents shall be made on the website dedicated to reporting adverse health events (https://signalement.social-sante.gouv.fr) on the "health professionals" section by filling in the dedicated form.