Tag Archive: cnil

FRANCE: The French Data Protection Authority (CNIL) Publishes 6-Step Methodology For Compliance With GDPR

By Carol A.F. Umhoefer (carol.umhoefer@dlapiper.com) and Caroline Chancé (caroline.chance@dlapiper.com)


On March 15, 2017, the CNIL published a 6-step methodology for companies that want to prepare for the changes that will apply as of May 25, 2018 under the EU General Data Protection Regulation (“GDPR”).

The abolishment under GDPR of registrations and filings with data protection authorities will represent a fundamental shift in the data protection compliance framework in France, which has been heavily reliant on declarations to the CNIL and authorizations from the CNIL for certain types of personal data processing. In place of declarations, the CNIL underscores the importance of “accountability” and “transparency”, core principles that underlie the GDPR requirements. These principles necessitate taking privacy risk into account throughout the process of designing a new product or service (privacy by design and by default), implementing proper information governance, as well as adopting internal measures and tools to ensure optimal protection of data subjects.

In order to help organizations get ready for the GDPR, the CNIL has published the following 6-step methodology:


Step 1: Appoint a data protection officer (“DPO”) to “pilot” the organization’s GDPR compliance program

Pursuant to Article 37 of the GDPR, appointing a DPO will be required if the organization is a public entity, if the core activities of the organization require the regular and systematic monitoring of data subjects on a large scale, or if such activities consist of the processing of sensitive data on a large scale. The CNIL recommends appointing a DPO before GDPR applies in May 2018.

Even when a DPO is not required, the CNIL strongly recommends appointing a person responsible for managing GDPR compliance in order to facilitate comprehension and compliance in respect of GDPR, cooperation with authorities and mitigation of risks of litigation.

Step 1 will be considered completed once the organization has appointed a DPO and provided him/her with the human and financial resources needed to carry out his/her duties.


Step 2: Undertake data mapping to measure the impact of the GDPR on existing data processing

Pursuant to Article 30 of the GDPR, controllers and processors will be required to maintain a record of their processing activities. In order to measure the impact of the GDPR on existing data processing and maintain a record, the CNIL advises organizations to identify data processing, the categories of personal data processed, the purposes of each processing, the persons who process the data (including data processors), and data flows, in particular data transfers outside the EU.

To adequately map data, the CNIL recommends asking:

  • Who? (identity of the data controller, the persons in charge of the processing operations and the data processors)
  • What? (categories of data processed, sensitive data)
  • Why? (purposes of the processing)
  • Where? (storage location, data transfers)
  • Until when? (data retention period)
  • How? (security measures in place)

Step 2 will be considered completed once the organization has identified the stakeholders for processing, established a list of all processing by purposes and categories of data processed, and identified the data processors, to whom and where the data is transferred, where the data is stored and for how long it is retained.


Step 3: Based on the results of data mapping, identify key compliance actions and prioritize them depending on the risks to individuals

In order to prioritize the tasks to be performed, the CNIL recommends:

  • Ensuring that only data strictly necessary for the purposes is collected and processed;
  • Identifying the legal basis for the processing;
  • Revising privacy notices to make them compliant with the GDPR;
  • Ensuring that data processors know their new obligations and responsibilities and that data processing agreements contain the appropriate provisions in respect of security, confidentiality and protection of personal data;
  • Deciding how data subjects will be able to exercise their rights;
  • Verifying security measures in place.

In addition, the CNIL recommends particular caution when the organization processes data such as sensitive data, criminal records and data regarding minors, when the processing presents certain risks to data subjects (massive surveillance and profiling), or when data is transferred outside the EU.

Step 3 will be considered completed once the organization has implemented the first measures to protect data subjects and has identified high risk processing.


Step 4: Conduct a privacy impact assessment for any data processing that presents high privacy risks to data subjects due to the nature or scope of the processing operations

Conducting a privacy impact assessment (“PIA”) is essential to assess the impact of a processing on data subjects’ privacy and to demonstrate that the fundamental principles of the GDPR have been complied with.

The CNIL recommends conducting a PIA before collecting data and starting processing, and any time processing is likely to present high privacy risks to data subjects. A PIA contains a description of the processing and its purposes, an assessment of the necessity and proportionality of the processing, an assessment of the risks to data subjects, and measures contemplated to mitigate the risks and comply with the GDPR.

The CNIL has published guidelines in 3 volumes to help organizations conduct PIAs (see here, here and here).

Step 4 will be considered completed once the organization has implemented measures to respond to the principal risks and threats to data subjects’ privacy.


Step 5: Implement internal procedures to ensure a high level of protection for personal data

According to the CNIL, implementing compliant internal procedures implies adopting a privacy by design approach, increasing awareness, facilitating information reporting within the organization, responding to data subject requests, and anticipating data breach incidents.

Step 5 will be considered completed once the organization has adopted good practices in respect of data protection and knows what to do and who to go to in case of incident.


Step 6: Document everything to be able to prove compliance with the GDPR

In order to be able to demonstrate compliance, the CNIL recommends that organizations retain documents regarding the processing of personal data, such as: records of processing activities, PIAs and documents regarding data transfers outside the EU; transparency documents such as privacy notices, consent forms, procedures for exercising data subject rights; and agreements defining the roles and responsibilities of each stakeholder, including data processing agreements, internal procedures in case of data breach, and proof of consent when the processing is based on the data subject’s consent.

Step 6 will be considered completed once the organization’s documentation shows that it complies with all the GDPR requirements.


The CNIL’s methodology includes several useful tools (template records, guidelines, template contract clauses, etc.) and will be completed over time to take into account the WP29’s guidelines and the CNIL’s responses to frequently asked questions.


For more information, please contact carol.umhoefer@dlapiper.com or caroline.chance@dlapiper.com

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-french-data-protection-authority-cnil-publishes-6-step-methodology-for-compliance-with-gdpr/

FRANCE: New rules for processing patient health data

France’s Law for the Modernization of the Health System, adopted earlier this year, applies to all processing of health data for the purpose of evaluating or analyzing medical treatments and preventive actions.

The Law amends the Data Protection Law of 1978, creating a new framework for obtaining authorization to process health data, as well as a new consent requirement.

Requirements for processing interventional and non-interventional human biomedical research data (such as clinical trial data) are not affected by the new law.

New Authorization Procedure

There are four steps to the new authorization procedure:

  1. Processing personal data for research, study or evaluation purposes will require authorization from a new agency, the National Health Data Institute, created by the Law for the Modernization of the Health System.
  2. The request for authorization will be relayed to the new Expert Committee on Health Research, Study and Evaluation, which must within a month issue an opinion on the project methodology, the necessity of processing personal data, the pertinence of such data in light of the purposes of processing, and the scientific value of the project. The Committee replaces the soon to be defunct CCTIRS, Consultative Committee for the Processing of Health Research Data. In conjunction with the Expert Committee opinion, the French Data Protection Authority (the CNIL) or the Health Ministry has the option of petitioning the newly created INDS (National Health Data Institute) for an opinion on the public interest in the research, study, or evaluation that justifies the data processing. Alternatively, INDS can take the initiative to issue an opinion. In all cases, INDS has one month to issue its opinion.
  3. The CNIL must authorize the project, taking into consideration data protection principles and the benefits of the project. In particular, for each authorization request, the CNIL will verify whether the project is consistent with the petitioner’s organizational purpose, the need to process personal data, the security measures deployed, and the guarantees provided in terms of medical secrecy. The CNIL will also determine the appropriate data retention period. For-profit entities – in particular entities that market health products, credit institutions, insurers and reinsurers – must meet additional requirements to obtain an authorization. These entities must demonstrate that their methodology precludes any use of the data for any prohibited purpose. Failing that, these entities must contract with a public or private research laboratory or research center to undertake the data processing. The research laboratory or center must certify compliance with a standard setting forth requirements for confidentiality, expertise, and independence.
  4. If the processing requires access to data in the new National Health Data System, then the petitioner must provide INDS the CNIL’s authorization and a statement of interest related to the purpose of the processing and the project protocol, specifying the means for evaluating the validity and results of the study. The INDS will publish the CNIL authorization, the statement of interests and the results and method.

Several exceptions to the authorization requirement are contemplated, including processing of medical data or therapeutic data used by persons who administer treatment for their sole use, or processing for reimbursement or monitoring by organizations responsible for managing the national health insurance system.

The CNIL may decide to simplify the authorization procedure by issuing standard methodologies and security standards.

These methodologies and standards (including security standards) will be developed by the CNIL with input from the Expert Committee and public and private institutions representing relevant stakeholders. The CNIL followed a similar procedure for establishing a reference methodology for processing clinical trial data (the so-called MR-001), the reference methodology for non-interventional studies of in vitro diagnostic devices (MR-002), and, most recently, a reference methodology for research that does not require explicit or written consent of the patient (MR-003).

The CNIL is also empowered to simplify the authorization procedure by issuing so-called Single Authorizations.

Single Authorizations are one-time authorizations issued by the CNIL. Any controller that complies with the conditions set forth in a Single Authorization can certify its compliance therewith and within a few days obtain an authorization to process data. The CNIL has already adopted, after consultation with ASIP-Santé, a Single Authorization for the processing of health data by secured messaging systems. Other Single Authorizations already issued by the CNIL relate to cancer diagnoses, pharmacovigilance, and temporary use authorizations.

The CNIL can also determine exceptions to the authorization requirement, in particular for aggregated data sets.

New Notice Requirements

Finally, a forthcoming decree will set forth notice requirements to patients regarding the use of their indirectly identifying data for research or evaluation. The CNIL will be issuing an opinion on the decree, which it is hoped will be adopted by the Supreme Administrative Court before the end of the year.

Learn more about these developments by contacting either Jeanne Bossi Malafosse or Carol Umhoefer.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-new-rules-for-processing-patient-health-data/

FRANCE: The CNIL Fines Google €100,000 Over Right To Be Forgotten

The French data protection authority (the “CNIL”) will not settle for a compromise, or so says its recent decision to fine Google Inc. €100,000 for failing to properly implement the so-called “right to be forgotten”.

By Carol Umhoefer (Carol.Umhoefer@dlapiper.com) and Caroline Chancé (Caroline.Chance@dlapiper.com).

Earlier this month, Google announced it was adapting its approach to the right to be forgotten following discussions between the Mountain View, California firm and EU data protection authorities, in particular the CNIL, which in May 2015 issued a cease and desist order against Google Inc. (see previous post here) and rejected its appeal in September 2015 (see previous post here).

Despite reports that some EU data protection authorities saw this as a potentially acceptable solution, on March 10, 2016, the French regulator ordered Google Inc. to pay a €100,000 fine for violation of individuals’ right to object to the processing of their personal data and the right to delete their personal data, in light of the landmark decision of the Court of Justice of the European Union (“ECJ”) in Costeja v. Google[1].

For the CNIL, in order to be compliant with French law, Google Inc. must delist links from all Google Search extensions globally, and unconditionally. Google Inc. argued that this extraterritorial reach of the right to be forgotten is likely to raise conflict of laws issues and impair other States’ sovereignty (see previous post here). In particular, Google expressed concerns that a global delisting would disproportionately undermine the freedom of expression and information. But the CNIL countered that the purpose of its decision is to ensure “effective and complete protection of data subjects”, as required by the ECJ.

A Google spokesman has already confirmed they will appeal the CNIL’s decision[2].

If the CNIL’s decision becomes definitive, Google will have to further adapt its approach to the right to be forgotten or face up to €300,000 in additional administrative fines.

For further information, please contact Carol.Umhoefer@dlapiper.com or Caroline.Chance@dlapiper.com.

[1] Case C-131/12, Google Spain and Google Inc. v. Agencia Espanola de Protección de Datos (AEPD) and Mario Costeja Gonzalez, May 13, 2014

[2] “France fines Google over ‘right to be forgotten’”, Julia Fioretti, Reuters, March 24, 2016 (http://www.reuters.com/article/us-google-france-privacy-idUSKCN0WQ1WX)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-cnil-fines-google-e100000-over-right-to-be-forgotten/

RIGHT TO BE FORGOTTEN: Google Adapts Its Approach To The EU Right To Be Forgotten

Will the arm wrestling between Google and the EU data protection authorities regarding the implementation of the so-called “right to be forgotten” come to an end?  Almost a year after the CNIL issued a cease and desist against Google, the search engine announced it will expand the right to be forgotten to all Google domains, based on geolocation, starting this week.

By Carol Umhoefer (Carol.Umhoefer@dlapiper.com) & Caroline Chancé (Caroline.Chance@dlapiper.com).

On March 4, 2016, Google announced that it will use geolocation signals (like IP addresses) to restrict access to delisted URLs on all Google search engine domains, including google.com, when accessed from the country of the person requesting the removal. This new approach will be applied prospectively but also “retrospectively”, to all previous delistings by Google under the ECJ’s decision in Costeja v. Google[1].

What does this change? Until now, Google delisted search results from all EU versions of the Google search engine, such as google.fr, google.co.uk or google.de, as well as from the Andorran, Icelandic, Liechtenstein, Norwegian and Swiss extensions, regardless of the country of origin of the request. This meant that delisted results were no longer accessible to Internet users using those extensions, but were still available on other versions of Google, such as google.com, google.ca or google.co.jp.

The EU data protection authorities did not consider Google’s approach to be compliant. In the view of the French data protection authority, the CNIL, the various geographic extensions are simple means of access to processing. Therefore, if a search engine agrees to delist a result, it must do it on all the extensions. The CNIL’s reasoning is that to do otherwise deprives the right to be forgotten of its effectiveness. In fact, the CNIL issued a cease and desist to Google, Inc. in May 2015, ordering it to de-index the entirety of Google’s indexing services and thus all extensions of the search engine.  Google appealed to no avail (see previous posts here and here).

Google has now proposed, in addition to its existing practice, to delist results from all extensions, but only for persons searching in the specific country where the delisting request was made. This means that users in other EU countries will still be able to find those results and the search engine will still be processing the data of the person requesting the delisting, even though the negative consequences will obviously be mitigated as people in the same country won’t have access to the delisted links, whatever extension they use.

Will this new approach satisfy the EU data protection authorities? The CNIL has not yet issued its position. Nevertheless, filtering may be an acceptable (or possibly interim) compromise, particularly if applied to the entire EU, as opposed to limiting it to the country where the request was made. People in other EU countries presumably have a lesser interest in finding information regarding the person who made the delisting request. Moreover, if results are completely delisted in the country where the request was made, completely delisting in the EU should not be a problem, either technically or legally. As for the rest of the world, the right to be forgotten could still conflict with other jurisdictions’ laws.

It will therefore be interesting to see whether EU regulators will insist that links be completely delisted for anyone worldwide, as the CNIL first requested in its formal notice, essentially putting search engines in a situation where they would certainly be exposed to financial sanctions in the EU or violate other jurisdictions’ freedom of speech principles (see previous post here).

In any case, the right to be forgotten will not be forgotten, and in fact has been taken up outside the EU. For example, it has been reported[2] that a Japanese court recently ordered Google to delete from its search engine news reports of a Japanese man convicted of a sex offense involving minors who invoked his right to be forgotten.

For further information, please contact Carol.Umhoefer@dlapiper.com or Caroline.Chance@dlapiper.com.

[1] Case C-131/12, Google Spain and Google Inc. v. Agencia Espanola de Protección de Datos (AEPD) and Mario Costeja Gonzalez, May 13, 2014
[2] Justin McCurry, “Japan recognises ‘right to be forgotten’ of man convicted of child sex offences”, The Guardian, March 1, 2016 (http://www.theguardian.com/technology/2016/mar/01/japan-recognises-right-to-be-forgotten-of-man-convicted-of-child-sex-offences)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/right-to-be-forgotten-google-adapts-its-approach-to-the-eu-right-to-be-forgotten/

FRANCE: CNIL Adopts New “Compliance Pack” for the Insurance Sector

In November 2014, the French Data Protection Authority (“CNIL”) issued a new “compliance pack” for the insurance sector, following consultations with trade associations.

By Carol Umhoefer and Mathilde Hallé

The CNIL has started promoting compliance packs as a new tool for regulating the processing of personal data in specific sectors. The packs, adopted by the CNIL after stakeholder consultations, are intended to offer actionable information (notably with respect to CNIL filings) to comply with French data protection law.

The new compliance pack for the insurance sector has been prepared in collaboration with several major trade associations representing the largest French insurance groups. The pack includes (i) two preexisting Simplified Standards for the insurance industry, No. 16 relating to insurance policy management and No. 56 relating to client data management (both revised on July 11, 2013, see our previous post here), as well as (ii) three more recent Single Authorizations: Single Authorization No. 31 for the collection of social security numbers and access to the French National Directory of Identification of the Individuals (adopted on January 23, 2014), Single Authorization No. 32 for the collection of data concerning criminal offenses (adopted on January 23, 2014), and Single Authorization No. 39 for the implementation by the insurance sector of anti-fraud measures (adopted on July 17, 2014).

The compliance pack also includes several practical information sheets to enable insurers and other professionals in the sector to better understand the legal framework applicable to personal data collection and processing in connection with their business.

The compliance pack also announces the creation of a “compliance club” in which the CNIL will continue to work with the main stakeholders to develop and adapt filing requirements to regulatory changes.

Readers will recall that Simplified Standards enable companies without internal data protection officers that choose to adhere to the conditions set forth in such Standards to make simplified filings with the CNIL, thus avoiding having to file the much more detailed normal filing. Similarly, the Single Authorization procedure allows companies that intend to process personal data for certain specific purposes to implement such processing in compliance with French data protection law if they self-certify to the CNIL that the processing will comply with the specific conditions set forth by the CNIL. Insurance, capitalization, and reinsurance companies and insurance intermediaries that already filed on the basis of the aforementioned Simplified Standards and Single Authorizations are not required to make any additional filing with the CNIL.

Should you have any further questions regarding the above, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com) or Mathilde Hallé (mathilde.halle@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-cnil-adopts-new-compliance-pack-for-the-insurance-sector/

FRANCE: Jeanne Bossi-Malafosse joins DLA Piper data protection and healthcare practices

We have strengthened our data protection and healthcare practices with the hire of Jeanne Bossi-Malafosse.  Jeanne, who is based in our Paris office, is a former ASIP Santé General Counsel and CNIL official.

The convergence of innovative technologies with multiplying health data is a driver of opportunities for clients across the health care and IT spectrum.  Regulators however are not sanguine and seek limitations on the proliferation of patient data that increasingly is collected on smart devices, transmitted through the cloud, and exploited by Big Data analytics.

As more and more clients turn to us to explore the possibilities in a world where cell phone traffic data is used to fight Ebola, and medical devices communicate with doctors half-way across the world, we are pleased to announce the hire of Jeanne Bossi-Malafosse.

Jeanne joins from ASIP Santé, the Agency for Shared Information Systems in Healthcare, where she held the position of General Counsel.  In particular, Jeanne was responsible for ASIP’s review of applications to host patient data.  Jeanne helped to establish ASIP Santé in 2009 and prior to that spent 18 years at the French Data Protection Authority (CNIL), serving consecutively as the Chair of the Public and Social Affairs Department, and then Deputy Director of Constituent Relations and Investigations.

Jeanne will work with Paris partner Carol Umhoefer as part of the firm-wide data protection team and with Michèle Anahory, who recently joined DLA Piper in France to boost the Health Care Practice.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-jean-bossi-malafosse-joins-dla-piper-data-protection-and-healthcare-practices/

FRANCE: The French Data Protection Authority (CNIL) Orders a French Company to Pay a EUR 5,000 Fine for the Non-compliance of its Customer Geolocation System with French Data Protection Law

By Carol Umhoefer & Mathilde Hallé

On July 22, 2014, the French Data Protection Authority (“CNIL”) found that a luxury car rental company had failed to comply with the French data protection law with respect to the implementation of a customer geolocation system. In particular, the CNIL considered that the rental company had failed (i) to fulfill the formalities required prior to processing customer geolocation data, (ii) to limit the collection of geolocation data to cases of non-return or theft of vehicles, (iii) to inform its customers of the aforementioned processing, and (iv) to ensure the security of the data.

In October 2012, a customer filed a complaint with the CNIL regarding the geolocation system implemented in connection with its rental luxury cars. In December 2012, the CNIL sent a first letter to the rental company summarizing the provisions of the French Data Protection Law pertaining to the implementation of a geolocation system. This letter remained unanswered, which led the CNIL to send two successive letters in January and March 2013. Likewise, these letters remained unanswered and the CNIL decided to conduct an on-site inspection in June 2013. Following such inspection, the CNIL sent a cease and desist letter to the rental company, requiring the latter to comply with applicable data protection law. However, the rental company failed to ensure such compliance, which was brought to light following a subsequent investigation. As a result of the foregoing, the CNIL ordered the rental company to pay a EUR 5,000 fine.

The CNIL’s decision was based on the following legal grounds:

  • First, the rental company had failed to file with the CNIL the required declarations prior to processing personal data in connection with (i) the geolocation of cars rented to customers, and (ii) customer management.
  • Second, the CNIL considered that the rental company had failed to comply with the principles of adequacy, relevance and non-excessive nature of the data. Indeed, the geolocation system was set for 24/7 use and could not be deactivated, and therefore the car rented by customers could be located at any time by the rental company. The system thus enabled the collection and processing of numerous data, including time and location-related data, that the CNIL considered excessive in relation to the purposes for which it had been collected. The CNIL found that the rental company should have limited the collection of geolocation data to cases where the vehicle is stolen or not returned.
  • In addition, the CNIL considered that the rental company had failed to fulfill its obligation to give adequate notice to customers. In this respect, the rental company claimed that customers were verbally informed of the geolocation system. However, the CNIL noted that the rental company had not provided any evidence to support its claim. The CNIL thus considered that the rental company had not demonstrated that its customers were duly informed. It has to be noted that in its decision the CNIL does not consider that the customers’ consent would have been required. The CNIL further ruled that the rental company had failed to demonstrate that it had notified customers regarding the processing of their data for customer management generally.
  • Last, the CNIL stated that the rental company had failed to comply with its obligation to ensure the security of customers’ data. During on-site inspection, the CNIL had accessed the geolocation software at issue from a computer located at the reception desk of the company, and noted that the authentication process to access this software only required a user name and a password that had not been renewed since it had been set up (more than two years prior), as no password management policy was in place.

For further information, please contact Carol Umhoefer (Carol.Umhoefer@dlapiper.com) or Mathilde Hallé (Mathilde.Halle@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-french-data-protection-authority-cnil-orders-a-french-company-to-pay-a-eur-5000-fine-for-the-non-compliance-of-its-customer-geolocation-system-with-french-data-protection-law/

GLOBAL: Sweep Day 2014: Global Coordinated Enforcement

Read here an article by DLA Piper Partner Carol Umhoefer, published in E-Commerce Law & Policy in July 2014 discussing how Internet Sweep Day illustrates trends in the data protection regulatory space.

For further information, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/sweep-day-2014-global-coordinated-enforcement/

FRANCE: CNIL to begin cookies enforcement in October

By Carol Umhoefer, Jeanne Dauzier & Mathilde Hallé

Starting in October 2014, the French Data Protection Authority (the “CNIL”) will monitor compliance with its Recommendation on the use of cookies and tracking technologies.

The CNIL’s inspections will follow the “cookies sweep day”, which is due to take place from September 15 to September 19, 2014 and during which Data Protection Authorities across the European Union will review how Internet users are notified of the use of cookies, and how their consent to such use is obtained.

The CNIL recently announced that, as from October 2014, it will verify compliance with its Recommendation on cookies and tracking technologies issued on December 5, 2013. Compliance checks will be conducted through on-site and online inspections.

The CNIL may review:

  • The types of cookies used by internet websites (e.g.: HTTP cookies, local shared objects, fingerprinting techniques, etc.);
  • The purpose of the cookies: (i) whether website operators are aware of the purpose of all the cookies that are set or read from their websites (including first-party and third-party cookies), and (ii) whether cookies are set that have no purpose (e.g.: obsolete cookies).

Furthermore, in cases where the cookies’ purpose requires obtaining users’ prior consent, the CNIL will review:

  • How users’ consent is obtained;
  • The visibility, quality and simplicity of the information pertaining to the use of cookies;
  • The consequences of users’ refusal to consent to the use of cookies;
  • The possibility for users to withdraw their consent at any time;
  • Cookies’ lifespan and consent period (the CNIL recommends a maximum validity of 13 months).

The other statutory provisions pertaining to the use of cookies (e.g.: data security, sensitive data, etc.) may be subject to compliance checks as well. Depending on the inspections’ outcome, the CNIL may issue cease and desist letters and sanctions.

For further information, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com), Jeanne Dauzier (jeanne.dauzier@dlapiper.com), or Mathilde Hallé (mathilde.halle@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-cnil-to-begin-cookies-enforcement-in-october/

FRANCE: The CNIL Adopts a Reference Framework for Certification of Online Data Storage Services

By Carol Umhoefer & Mathilde Hallé

The French Data Protection Authority (CNIL) has adopted a new reference framework for the certification of online data storage services offering a high level of personal data protection.

The CNIL certifies products and processes that offer a high level of personal data protection. To obtain certification, such products and processes must meet the requirements of a specific reference framework published by the CNIL. The CNIL has created reference frameworks for organizations that provide training or conduct audits to ensure compliance with French data protection law.

Following a request and in light of the increasing number of online data storage services, the CNIL has decided to create a new certification for online data storage services and to that end has adopted a specific reference framework based on its previous Recommendations issued on September 19, 2013 (see our previous post here).

This reference framework describes how to create and manage online data storage services eligible for certification, and sets forth 22 requirements, regarding notably:

  • The categories of data to be processed. In particular, health data cannot be stored except if the provider holds a specific authorization for storage of patient health records.
  • Access to the data. Only the customer (or any individual specifically authorized by the customer) can access the data. 
  • Notice to customers. In case of any transfer of personal data to any country outside the European Union, the service provider must specify if the authorities of such country are entitled to directly access the data.
  • Security measures to be implemented. Strong means of authentication must be implemented (e.g., one-time password or transmission of access codes by SMS). In addition, stored data must be encrypted.

Any applicant for certification must prove that the service meets the requirements of the reference framework, notably by supplying evidence of compliance and relevant documentation.

The CNIL further specifies that applicants must both contract with customers and operate the online data storage service. If different parties contract with customers and provide the service, certification must be requested jointly by both parties, and both shall provide all relevant documentation and evidence of compliance with the CNIL reference framework.

For further information, please contact Carol Umhoefer (carol.umhoefer@dlapiper.com) or Mathilde Hallé (mathilde.halle@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/france-the-cnil-adopts-a-reference-framework-for-certification-of-online-data-storage-services/
