Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: January 2025

Yes.

☒         general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

☒         reasonable security controls

☒         encryption

Not a strict legal requirement, but the GDPR (Article 32) lists encryption among the appropriate technical and organizational measures. In practice, the CNIL expects encryption unless specific circumstances justify its absence.

In 2018, the CNIL published a guide on the "Security of Personal Data" which gives further details and precise instructions on encryption. The guide is neither a list of mandatory data security requirements nor an exhaustive list of measures to be implemented; it sets out a recommended methodology for determining the right level of protection for personal data. The CNIL updated the guide in April 2023 to incorporate its updated recommendations and additional guidance on logging, IT development and passwords for user authentication. The changes also reflect current best practices, which focus inter alia on encryption.

The CNIL updated its guide on the "Security of Personal Data" again in 2024, adding five new themes: cloud computing, mobile applications, artificial intelligence (AI), application programming interfaces (APIs) and data security management.

In 2022, ANSSI also published a Cybersecurity Guide to help small companies by answering 13 major questions.

☒          obligation to take specific security measures e.g., encryption

Please refer to the CNIL's guide on the security of personal data mentioned above.

☒          requirement to undertake third party due diligence (security assessment of third-party providers)

Please refer to the CNIL's guide on the security of personal data mentioned above.

☒      other

As mentioned above, the CNIL has recently specified the rules on passwords used for user authentication. In this recommendation, the CNIL introduces inter alia the notion of entropy, which makes it possible to quantify the complexity of a password and hence its robustness. The CNIL requires a minimum level of entropy that depends on the authentication context and the type of business activity.
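As an added illustration (not code from the CNIL recommendation or from this page), the script below shows how the entropy measure is computed and why length, not just character variety, drives it. Entropy here is the standard figure for a password drawn uniformly at random from an alphabet of N symbols: length × log2(N) bits. The 80-bit figure is assumed here as the threshold the 2022 recommendation gives for the password-only case; it is passed as a parameter so it can be checked against the current text and replaced. The sample passwords are constructed for the example.

```python
import math
import string

# Character classes used to infer the alphabet a password was drawn from.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# Assumed threshold (password-only case in the CNIL 2022 recommendation);
# verify against the current text of the recommendation before relying on it.
ASSUMED_PASSWORD_ONLY_BITS = 80


def policy_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password of `length` symbols chosen uniformly from an
    alphabet of `alphabet_size` symbols: log2(alphabet_size ** length)."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def password_entropy_bits(password: str) -> float:
    """Upper-bound estimate for a concrete password: the alphabet is inferred
    from the character classes present. This is what an entropy-based policy
    check computes; it assumes random choice and does NOT detect dictionary
    words or patterns, so a passphrase of common words scores higher than it
    deserves. Rate limiting and breached-password checks remain necessary."""
    if not password:
        return 0.0
    alphabet = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            alphabet += len(chars)
    # Characters outside the four classes (accented letters, space, ...)
    # each extend the alphabet by one symbol.
    extra = {c for c in password if not any(c in s for s in CLASSES.values())}
    alphabet += len(extra)
    return policy_entropy_bits(len(password), alphabet)


def min_length_for(target_bits: float, alphabet_size: int) -> int:
    """Smallest length reaching `target_bits` for a given alphabet size."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def check_policy(password: str, required_bits: float = ASSUMED_PASSWORD_ONLY_BITS):
    """Return (meets_threshold, estimated_bits) for a password."""
    bits = password_entropy_bits(password)
    return bits >= required_bits, bits


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["password", "Tr0ub4dor&3", "correct horse battery staple"]:
        ok, bits = check_policy(pw)
        print(f"{pw!r:32} {bits:6.1f} bits  meets {ASSUMED_PASSWORD_ONLY_BITS}-bit threshold: {ok}")
    # How long must a random password over the full 94-symbol ASCII set be?
    print("min length, 94-symbol alphabet, 80 bits:", min_length_for(80, 94))
```

Two things the numbers make visible: a 12-character password over the full 94-symbol printable ASCII alphabet is just under 79 bits, so 13 characters are needed to reach 80; and the four-word lowercase passphrase scores well above 130 bits only because the estimate treats every character as an independent random draw, which is exactly the limitation a policy built on this formula must compensate for with other controls.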

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: January 2025

      public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks?)

☒      network information security requirements (broader than telecommunications)

      health regulatory requirements

☒      financial services requirements

      telecommunication requirements

      providers of critical infrastructure

☒      digital or connected (IoT) products

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

    Data privacy

     Securities or public company

    network information security

    health

☒     financial services

    telecommunications

    critical infrastructure

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: January 2025

Yes.

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Controllers/Owners have to notify:

Last updated date: January 2025

☒        data protection authorities

  • in case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • without undue delay and, where feasible, not later than 72 hours after having become aware of it.

☒        affected individuals

  • Pursuant to article 58 of Act n° 78-17 of 06 January 1978 ("French Data Protection Act"), the data controller shall "communicate to the data subject any personal data breach pursuant to Articles 33 and 34 of Regulation (EU) 2016/679 of 27 April 2016."

    Article 34, paragraph 1 of the aforementioned Regulation provides that "the controller shall communicate the personal data breach to the data subject without undue delay." The Regulation does not specify a fixed deadline for this communication.

  • if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless any of the following conditions are met:
      • the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption
      • the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize.

☒        other

According to article 34, paragraph 3, point c of Regulation (EU) 2016/679 of 27 April 2016, affected individuals may not be directly informed if "it would involve disproportionate effort. In such a case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner." No specific timeframe is specified.

Processors/Agents have to notify:

Last review date: January 2025

☒        controller/ owner

  • in case of a personal data breach, irrespective of the risk to the rights and freedoms of the data subjects
  • Article 33, paragraph 2 of Regulation (EU) 2016/679 of 27 April 2016 provides that "the processor shall notify the controller without undue delay after becoming aware of a personal data breach." The Regulation does not specify a fixed deadline for this notification.

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: January 2025

Yes.

☒        cybersecurity authorities

☒        health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)

☒        financial services requirements

☒        telecommunication requirements

☒        providers of critical infrastructure

☒        other

If so, please provide brief details of the relevant law / guidance and indicate which body/bodies must be notified of the breach.

  • Banking and financial services: Article L. 521-10 of the French Monetary and Financial Code and the ACPR's instructions on IT risk management for companies in the banking, payment services and investment services sectors.
  • National Defense: Articles L. 1332-6-2, R. 1332-41-10 and R. 1332-41-11 of the French Defense Code.
  • Any cyberattack may be reported to the law enforcement authorities: Article L. 12-10-1 of the French Insurance Code.

Details regarding the identified data security breach notification requirements

Several authorities may be notified depending on the sector of activity of the organization and its sensitivity to security, the nature of the data collected and the type of processing.

  • Providers of electronic communications services: Pursuant to article 83 of the French Data Protection Act, providers of electronic communications services to the public on electronic communications networks open to the public, including those supporting data collection and identification devices, are required to notify the CNIL, "without delay", of any personal data breach.

The article further provides that "Where such breach may infringe on the personal data or privacy of a subscriber to the service or another natural person, the provider shall also notify the concerned person without delay".

However, notification of a personal data breach to the concerned person is not necessary if the CNIL has found that appropriate protection measures have been implemented by the provider to make the data incomprehensible to any person who is not authorized to access it and have been applied to the data affected by the breach.

Article L. 33-14 of the French Postal and Electronic Communications Code provides that when events likely to affect the security of information systems are detected, electronic communications providers shall inform the National Authority for Information Systems' Security ("ANSSI") "without delay".

  • Providers of essential services/providers of critical infrastructure: Pursuant to article 7 of Act n° 2018-133 of 26 February 2018 relating to implementation of EU provisions in the field of security (implementing the NIS Directive), operators of essential services shall declare to ANSSI, "without delay after becoming aware of them, incidents affecting networks and information systems necessary for the provision of essential services, where such incidents have or are likely to have a significant impact on the continuity of these services, taking into account in particular the number of users and the geographical area affected and the duration of the incident."
  • Banking and financial services: Pursuant to article L. 521-10 of the French Monetary and Financial Code, payment service providers shall inform the French Prudential Supervision and Resolution Authority ("ACPR") "without undue delay of any major operational incident." This article further provides that "payment service providers shall inform the Banque de France without undue delay of any major security incident."

The Banque de France assesses the incident, takes appropriate measures if necessary and, if it deems it necessary, informs the ACPR. Where the incident has or is likely to have an impact on the financial interests of its payment service users, the payment service provider shall inform those users without undue delay of the incident and of any measures they may take to mitigate its harmful effects.

  • National Defense: Pursuant to article L. 1332-6-2 of the French Defense Code, operators mentioned in articles L. 1332-1 and L. 1332-2 (i.e., public or private operators running or using facilities and structures the unavailability of which could significantly reduce the Nation's war or economic potential, security or capacity to survive, as well as operators running nuclear facilities) shall inform the Prime Minister "without delay" of incidents affecting the operation or security of the aforementioned information systems, under the conditions of Articles R. 1332-41-10 and R. 1332-41-11 of the same Code.
  • Providers of digital services: Pursuant to Article 13 of Act n° 2018-133 of 26 February 2018 relating to implementation of EU provisions in the field of security and Article 20 of Decree n° 2018-384 of 28 May 2018, providers of digital services shall declare to ANSSI any incident having a significant impact on the provision of their services.
  • Entities processing classified data: Pursuant to an interministerial instruction on controlled items in information systems security, entities processing classified data shall declare to ANSSI any compromise of such items.
  • Providers of qualified products or services: Pursuant to ANSSI's product and service qualification processes, providers of such products and services shall declare to ANSSI (i) any security incident affecting or likely to affect a qualified product or range of products, or the sensitive data of its users; and (ii) any security incident affecting or likely to affect a qualified service, or the sensitive data of its users.
  • Health regulatory requirements: Pursuant to article L. 1111-8-2 of the French Public Health Code, establishments, organizations and services engaged in preventive, diagnosis or healthcare activities (such as hospitals, clinics, care centers, establishments for the elderly, disabled and dependent persons), as well as medico-social establishments, are required to notify, "without delay", significant or serious security incidents in their information systems, to the administrative bodies responsible for implementing health policy at a regional level and to the Digital Health Agency.

The concerned healthcare institutions are required to report significant or serious security incidents (i.e., events that give rise to an exceptional situation, and in particular: incidents with potential or proven consequences for the safety of care; incidents that affect the confidentiality or integrity of health data; incidents affecting the normal functioning of the establishment, body or service concerned).

The notification of serious security incidents shall be made on the website dedicated to reporting adverse health events (https://signalement.social-sante.gouv.fr) on the "health professionals" section by filling in the dedicated form.