it law 4 - essential en

SUPINFO

2009-2010 COURSE

PERSONAL DATA PROTECTION WORLDWIDE

Confidential December 16, 2009

SUPINFO/COURS DROIT DES DONNEES PERSONNELLES 16 12 2009

TABLE OF CONTENTS

1. FUNDAMENTAL PRINCIPLES AND LEGAL SCOPE 6

1.1 THE NOTIONS OF “PROCESSING” AND “PERSONAL DATA” 6 1.1.1 Personal data 6 1.1.2 The notion of automatic or non-automatic processing 7 1.2 THE NOTION OF FAIR COLLECTION 7 1.2.1 Principles and limitations 7 1.2.2 Fundamental characteristics 8 1.3 THE RIGHTS OF DATA SUBJECTS 9 1.3.1 The right to obtain prior information 9 1.3.2 The right of access (right of interrogation and right of communication) 9 1.3.3 The right of rectification 10 1.4 THE CONTROLLER OF THE FILE AND HIS OBLIGATIONS 11 1.4.1 The controller of the file 11 1.4.2 The obligations to notify 11 1.4.3 Other obligations 13 1.5 THE DATA PROTECTION OFFICER 14 1.5.1 The role of the CIL: reducing formalities 14 1.5.2 The appointment of the CIL 15 1.5.3 The missions of the CIL 15

2. THE DIFFERENT INFORMATION SYSTEMS 16

2.1 THE MAIN INFORMATION SYSTEMS 16 2.1.1 Human resources information systems 16 2.1.2 Customer information systems 17 2.1.3 Purchase information systems 17 2.1.4 Archival information systems 18 2.2 TRANSBORDER FLOWS OF PERSONAL DATA 18 2.2.1 The notion of transborder flows 18 2.2.2 The protection of data subjects 18 2.2.3 The principle of prohibition of transborder data transfers outside the European Union,

except in case of sufficient protection 19 2.2.4 Countries considered as providing an adequate level of protection 19 2.2.5 Countries considered as not providing a sufficient level of protection 20 2.2.6 The exception to the principle of prohibition 20 2.2.7 Standard contractual clauses 21


3. TECHNO SURVEILLANCE 22

3.1 INTERCEPTION OF TELECOMMUNICATIONS 22 3.2 GEO-LOCATION 23 3.2.1 Legal framework of geo-location 23 3.2.2 Tracking employees 23 3.2.3 Tracking drivers 24 3.2.4 Tracking children 24 3.3 VIDEO SURVEILLANCE 25 3.3.1 Legal framework 25 3.3.2 Public security video surveillance 25 3.3.3 Private security video surveillance 26 3.4 THE TECHNO PROTECTION OF PRIVACY 27 3.4.1 Anonymization techniques 27 3.4.2 Encryption tools 27 3.4.3 Antitagging tools 27 3.4.4 Platforms for Privacy Preferences 28 3.5 WEB 2.0 28

4. IDENTIFICATION AND SURVEILLANCE TECHNOLOGIES 29

4.1 APPLICATIONS AND FUNCTIONNALITIES OF IDENTIFICATION TECHNOLOGIES 29 4.1.1 Biometrics 29 4.1.2 RFID 30 4.2 ISSUES UNDER THE FRENCH DPA 30 4.3 APPLICABLE LAWS AND REGULATIONS 31 4.4 PRECAUTIONS TO BE TAKEN 31

5. JUDICIAL FRAMEWORK 33

5.1 COMPLAINTS 33 5.1.1 Referring a matter to the CNIL 33 5.1.2 Effects 33 5.2 INSPECTIONS CARRIED OUT BY THE CNIL 34 5.2.1 The inspectors 34 5.2.2 Modalities of the inspections 34 5.2.3 The inspection procedure 34 5.2.4 Objecting to an inspection 35 5.3 THE SANCTIONS 35 5.3.1 The warning 35 5.3.2 The injunction 37 5.3.3 Financial penalties 38 5.3.4 The injunction to stop the processing 38 5.3.5 The withdrawal of the authorization 39 5.3.6 The sanction procedure 39 5.3.7 The emergency procedure before the CNIL 41 5.3.8 The summary procedure 42


6. SECTOR-SPECIFIC DATA PROTECTION RULES 43

6.1 PUBLIC SECTOR 43 6.1.1 The State 43 6.1.2 National defense 45 6.1.3 Justice 47 6.1.4 Police, gendarmerie and customs 49 6.1.5 Private organizations entrusted with a public service mission 50 6.1.6 Local authorities 50 6.2 BANK – INSURANCE SECTOR 52 6.2.1 Bank 52 6.2.2 Insurance 56 6.3 THE DIRECT MARKETING SECTOR 57 6.3.1 Direct canvassing 57 6.3.2 Behavioral databases 58 6.3.3 The use of the credit card number 59 6.3.4 The assignment of files 59 6.3.5 E-mailing charter 59 6.3.6 Fight against spamming 60

7. REGULATORY AUTHORITIES IN EUROPE 62

7.1 THE EUROPEAN UNION (EU) 62 7.1.1 The United Kingdom 62 7.1.2 Spain 62 7.1.3 Belgium 63 7.1.4 Luxembourg 63 7.1.5 Germany 64 7.1.6 Romania 64 7.1.7 Adequacy decisions of the Commission 66 7.2 THE EUROPEAN ECONOMIC AREA (EEA) 66 7.2.1 Iceland 66 7.2.2 Norway 67 7.2.3 Liechtenstein 67 7.3 SWITZERLAND 68 7.3.1 National supervisory authority 68 7.3.2 Switzerland official‟s entry into the Schengen zone 68 7.4 PERSONAL DATA PROTECTION OFFICIALS (DPOS) 69 7.4.1 Overview 69 7.4.2 The German DPO 70 7.4.3 The French DPO 70


8. REGULATORY AUTHORITIES OUTSIDE EUROPE 71

8.1 AMERICA 71 8.1.1 United States of America (USA) 71 8.1.2 Canada, Québec 71 8.1.3 Argentina 72 8.2 AUSTRALIA 73 8.3 AFRICA 73 8.3.1 Tunisia 73 8.3.2 Mauritius 74 8.3.3 Burkina Faso 74 8.3.4 Senegal 75 8.4 ASIA 75 8.4.1 China 75 8.4.2 Hong Kong 75 8.4.3 South Korea 75

9. INTERNATIONAL COOPERATION 76

9.1 THE INTERNATIONAL CONFERENCE OF PRIVACY AND DATA PROTECTION COMMISSIONERS

76 9.1.1 Accreditation 76 9.1.2 The Conference 77 9.2 THE ARTICLE 29 DATA PROTECTION WORKING PARTY 77 9.2.1 The tasks of the Art. 29 Working Party 78 9.2.2 Types of issues examined by the Art. 29 Working Party 78 9.2.3 Cooperation between data protection authorities within the EU 79

APPENDIX 1: KEY TEXTS 80

APPENDIX 2: TABLE OF PENALTIES APPLICABLE IN FRANCE FOR OFFENCES

RELATED TO PERSONAL DATA 81

APPENDIX 3: BIBLIOGRAPHY 82


1. FUNDAMENTAL PRINCIPLES AND LEGAL SCOPE

1. The legislative and regulatory framework applicable to data protection in France has been

established by:

- the Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual

Liberties (referred to below as “Data Protection Act” or “DPA”), as amended on 6

August 2004,

- in accordance with the European Directive of 24 October 1995 on the protection of

individuals with regard to the processing of personal data and on the free movement of

such data (referred to below as the “EC Directive”)1.

2. As a result, the French and European personal data legislations are very similar.

3. This module will outline the main principles of data protection and present the various

obligations laid down by the French legislation on data protection.

1.1 THE NOTIONS OF “PROCESSING” AND “PERSONAL DATA”

1.1.1 Personal data

4. The French Data Protection Act protects personal data. Under French law: “Personal data

means any information relating to a natural person who is or can be identified, directly or

indirectly, by reference to an identification number or to one or more factors specific to him.

In order to determine whether a person is identifiable, all the means that the data controller or

any other person uses or may have access to should be taken into consideration”. (DPA,

Art 2).

5. More specifically, according to the French data protection agency, the “Commission

nationale de l‟informatique et des libertés” (referred to below as “CNIL”), personal data is

“any anonymous information allowing to identify a specific person (for example a fingerprint,

DNA or a sentence such as „the son of the doctor residing 11 boulevard Belleville in

Montpellier is a bad student‟)”.

6. Personal data can be a family name, a social security number, a vehicle registration number

or more generally any data that, without having a direct relation to an individual (last name,

first name, address...) allows to establish a link with such individual2.

1 See Appendix 1 “Legal Texts”.

2 See case law available on http://www.alain-bensoussan.com/pages/840/

MODULE No. 1 – The Basics & The Information Systems

http://www.alain-bensoussan.com/pages/840/


1.1.2 The notion of automatic or non-automatic processing

7. The French Data Protection Act primarily focuses on the notion of “processing of personal

data”, which is broader than the notions of “filing system” or “file”. The scope of application

of the DPA covers all automatic processing and non-automatic processing of personal data

that is or may be contained in a personal data filing system (DPA, Art. 2).

8. Thus, the automatic nature of the processing is not an essential condition for the application

of the DPA.

9. An automatic processing of personal data covers “any operation or set of operations in

relation to such data, whatever the mechanism used, especially the obtaining, recording,

organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by

transmission, dissemination or otherwise making available, alignment or combination,

blocking, deletion or destruction” (DPA, Art. 2).

10. An automatic processing can be constituted by only one of the elements described in

Article 2 above, e.g. the mere collection and registration of personal data3.

11. Moreover, the DPA does not make any distinction between personal data, depending on

whether they are or not accessory to the main purpose of the processing.

12. While the French DPA governs computer science, it does not limit itself to that field. The

notion of “processing of personal data” is indeed widely defined and the DPA applies to any

new automatic processing, whatever the nature of the media or technique used, to the extent

that the data collected is or may be contained in a personal data filing system.

13. Only automatic processing of personal data carried out for “exclusively private” or

domestic activities are excluded from the DPA (diaries and other personal address books),

subject to the conditions provided for in its Article 5.

14. For example, an address book used for “professional” purposes fall within the scope of the

DPA, even if used at home and outside the working hours.

1.2 THE NOTION OF FAIR COLLECTION

1.2.1 Principles and limitations

15. Data must be obtained and processed fairly and lawfully (DPA, Art. 6, 1°).

16. The DPA does not define what an unfair or unlawful fraudulent means may be. It is

therefore up to the courts to define these notions.

17. Case law4 considers that collecting information from third parties without the knowledge

of the data subjects is an unfair maneuver, because in such case they have not the possibility

to exercise their right to object to the collection in accordance with Article 38 of the DPA.

However, penal sanctions apply only if the data collected is registered or stored unlawfully,

and not if the data is merely collected.






18. The CNIL has issued many decisions on the unfair and unlawful collection of data.

19. For example, it has decided that obtaining subscriber numbers through random selection

or through the production of sequences from a dialing code was a collection of data made via

an unfair or fraudulent means within the meaning of Article 25 of the DPA.

20. Certain data are considered as “sensitive”. Sensitive data is personal data that reveals,

directly or indirectly, the racial and ethnic origins, the political, philosophical, religious

opinions or trade union affiliation of persons, or which concern their health or sexual life5.

21. It is prohibited to collect, record or store sensitive data except in certain cases (essentially

listed in Article 8-II of the DPA) including, but not limited in to the following cases:

- the controller has received the express consent of the data subject (in writing);

- the processing is necessary for the protection of human life, but to which the data

subject is unable to give his consent because of a legal incapacity or physical

impossibility;

- a philosophical, political or trade union body keeps the list of its members;

- the processing is justified by the public interest (processing carried out by the Ministry

of Defense and of the Interior);

- the processing is necessary for the establishment, exercise or defense of a legal claim.

22. Recording or storing sensitive data other than in the above cases is considered an illegal

collection of data sanctioned by five years‟ imprisonment and a 300,000 euro fine (French

Penal Code, Art. 226-18).

23. For legal entities, the fine is multiplied by five, i.e. 1,500,000 euros, and may be

pronounced together with the sanctions set out in Article 131-39 of the French Penal Code.

1.2.2 Fundamental characteristics

24. Under French law, personal data may be managed only if they meet the six fundamental

characteristics below. Data must be:

- accurate: i.e. corresponds to the actual situation of the data subject;

- adequate: the information must not only be accurate at the time of the collection but

also when it is used; this implies that the processing is adequate, i.e. it does not distort

the data when it is aggregated and restored;

- relevant: this implies a conformity between the data and its implementation.

- legitimate: a balance is struck between the interests of the data subjects and the

interests of the data controller;

- not excessive: this remains a difficult concept to grasp. It is pragmatically defined by

the CNIL according to the nature of the personal data and the sensibility of the initial

and onward processing operations;

- complete: to avoid mistakes, data controllers must ensure that they have all the

information required for quality processing results;

- in addition, data must be maintained in operational condition: the adequate, relevant,

not excessive, and complete nature of the data must be maintained throughout their

implementation period. To this effect, the data controller must update, delete, correct

or supplement the data when required.




1.3 THE RIGHTS OF DATA SUBJECTS

25. Everyone has the right to privacy. To protect their privacy, data subjects, i.e. the

individuals to whom the data covered by the processing relate, have been granted certain

rights, including but not limited to:

- the right to obtain prior information;

- the right of access (right of interrogation and right of communication);

- the right of rectification.

1.3.1 The right to obtain prior information

26. The French Data Protection Act establishes a right to information for data subjects.

Pursuant to its Article 32-I, any data subject from whom data is directly obtained must be

provided with the following information:

- the identity of the data controller and of his representative, if any;

- the purposes of the processing for which the data are intended;

- whether replies to the questions are compulsory or optional;

- the possible consequences for him of the absence of a reply;

- the recipients or categories of recipients of the data;

- the right of objection and rectification;

- the intended transfer of personal data to State that is not a Member State of the

European Community;

- the existence of a right of access or rectification.

27. It is the responsibility of the data controller to take any measures to provide this

information to the data subjects, in particular when data is obtained via questionnaires.

28. If data is collected indirectly, e.g. via cookies on the Internet, the data subject must be

informed in a clear and complete manner by the data controller or his representative

regarding:

- the purpose of any action intended to provide access, by means of an electronic

transmission, to information stored in his connection terminal equipment, or to record

information in his connection terminal equipment by the same means;

- the means he has to object to such action (DPA, Art. 32-II).

29. Failure to comply with these provisions is sanctioned by the penalties provided for petty

offense of the fifth class under Decree No. 81-1142 of 23 December 1981.

1.3.2 The right of access (right of interrogation and right of communication)

30. The right of access is the right for data subjects (i) to know whether the personal data

relating to them form part of a processing and (ii) to be informed of said data (DPA, Art. 39).

The right of access is an essential right that puts forward the status of citizen of a data subject

before his status of member of the public.

31. The right of access allows to prevent abuse and promotes transparency in the exploitation

of the personal data processed.


32. With such right, a data subject can interrogate the controller of an automatic processing on

whether the processing contains or not information about him or her. If yes, the data subject is

entitled to be provided with relevant information.

33. The right of access can be exercised only by the individual concerned and can only covers

data about him or her.

34. Data subjects who decide to exercise their right of access do not need to give any

justification. This right needs not to be motivated.

35. However, this right may be misused, e.g. data subjects can make many requests in order to

deliberately hinder the activity of the company owing the data files. This is the reason why the

CNIL has the power to release a company from its obligation to answer requests made by

individuals under with their right of access.

36. On the other hand, the CNIL reserves the right, when asked to do so by the data subject, to

demand that a company communicate data within a very short period of time, even is there is

no emergency.

37. To restrict excessive and repetitive requests of access, the DPA has established that data

subjects willing to obtain a copy of their personal data may be required to pay a sum of

money. The amount of such sum is fixed in a ministerial order.

38. Lastly, concerning sensitive data, the DPA has created an “indirect” right of access

(Articles 40 to 42). For example, access to medical data is made indirectly through a doctor.

39. Failure to comply with the right of access is sanctioned by the penalties provided for petty

offense of the fifth class, i.e. to date a fine of 1,500 euros maximum or 3,000 euros in case of

second offense6.

1.3.3 The right of rectification

40. The right of rectification is a right completing the right of access. It is not, however,

subject to the same conditions and is governed by distinct provisions (DPA, Art. 40).

41. Individuals who have made a request for access do not have not all powers on their data.

They can only complete, update, clarify their data or request their deletion.

42. While the right to information and communication does not need to be motivated, the

exercise of the right of rectification is subject to specific conditions7.

43. Failure to comply with the right of rectification is sanctioned by the penalties provided for

petty offense of the fifth class, as well as the publication of the court decision at the expense

of the losing party, where applicable.






1.4 THE CONTROLLER OF THE FILE AND HIS OBLIGATIONS

1.4.1 The controller of the file

44. According to the French Data Protection Act, the data controller is a person, public

authority, department or any other organization who determines the purposes and means of

the data processing (DPA, Art. 3, I).

45. Data controller have to fulfill a number of obligations, the most important being the

obligation to notify their processing of personal data to the data protection agency.

46. Case law has ruled that a notifying party is any individual or entity having the power to

decide the creation of a computer file, even if the exploitation of the automatic processing is

entrusted to another company8.

47. It is the individual or his representative, or the representative of the legal entity who has

the power to decide the implementation of the processing who signs the notification

formalities carried out with the CNIL.

48. In the CNIL‟s opinion, the notifying organization is the organization that implements a

processing and exploits it itself. Moreover, an organization that implements a processing, but

subcontracts its exploitation, remains the notifying party.

49. If an organization implements a processing and transfers some of the data processed to

another organization, which itself exploit them for itself, the two organizations are both

notifying parties. Each of them must therefore carry out the formalities with the CNIL

required for their own data.

1.4.2 The obligations to notify

50. Although the DPA does not specify who has to notify the processing to the CNIL, it is the

data controller who carries out the prior formalities with the CNIL, whatever the service or

organization actually exploiting the processing.

51. If the data controller is not established on French territory or in any other Member State of

the European Community, but uses means of processing located on French territory (with the

exception of processing used only for the purposes of transit), he must appoint a

representative who shall represent him for the fulfillment of the notification formalities (DPA,

Art. 5).

52. There are two types of prior notification formalities to be carried out with the CNIL,

according to the nature and purpose of the processing: (i) the notification (DAP, Art. 23 and

24) or (ii) the authorization (DPA, Art. 25, 26 and 27).

53. The notification procedure is the normal regime. It is applicable to standard processings,

i.e. processings not likely to jeopardize privacy or liberties. Notification is based on three

procedures, with different levels of complexity and formalism.

54. The notification procedure requires to build up a complete dossier describing the

functional and legal environment of the automatic processing of personal data implemented9.






55. Most common processing can be notified via a straightforward procedure based on

simplified standards adopted by the CNIL (DPA, Art. 24 I). The CNIL can also exempt from

notification certain categories of processings (DPA, Art. 24 II).

56. The authorization procedure is applicable to “sensitive” processings, i.e. processings that

may infringe privacy and freedoms in light of their purposes and characteristics (DPA,

Art. 25), as well as to certain processings carried out on behalf of the State (DPA, Art. 26 and

27).

57. Article 25 of the DPA lists eight categories of “sensitive” processings10

:

- processing, whether automatic or not, of the special categories of data mentioned in

Article 8, where they are carried out by the National Institute of Statistics and

Economic Studies (INSEE) or one of the statistical services of Ministries, or where

they may be within a short period of time, to be subject to an anonymization procedure

which the CNIL has earlier approved as compliant, or where it is justified by the

public interest;

- automatic processing of genetic data, unless carried out for preventive medicine,

medical diagnosis or the administration of care or treatment;

- processing, whether automatic or not, of data relating to offences, convictions or

security measures, except for those carried out by representatives of justice when

necessary to carry out their task of defending data subjects;

- automatic processing which may, due to its nature, importance or purposes, exclude

persons from the benefit of a right, a service or a contract in the absence of any

legislative or regulatory provision;

- automatic processing whose purpose is the combination of files of one or several legal

entities who manage a public service and whose purposes relate to different public

interests;

- processing relating to data which contain the NIR (registration number of natural

persons in the national register for the identification of individuals, i.e. social security

number) and processing that requires the consultation of this register;

- automatic processing of data comprising assessments of the social difficulties of

natural persons;

- automatic processing comprising biometric data necessary for the verification of an

individual‟s identity.

58. Articles 26 and 27 cover categories of processings carried out on behalf of the State. Such

categories of processings are subject to the authorization procedure, even if the DPA refers to

them as processing subject to a request for opinion.

10

See case law available on http://www.alain-bensoussan.com/pages/863/



59. These processings are, depending on the case, authorized by a ministerial order, a decree

subject to a prior opinion of the “Conseil d‟Etat”, or a decision of the authority concerned11

:

- processing which involves State security, defense or public safety;

- processing whose purpose is the prevention, investigation, or proof of criminal

offences, the prosecution of offenders or the execution of criminal sentences or

security measures;

- processing relating to the specific categories of data mentioned in Article 8 of the Act;

- processing relating to data containing the registration number of individuals in the

national register for the identification of individuals (“NIR”, i.e. social security

number) or that requires a consultation of the NIR without including the registration

number to this register and carried out on behalf of the State, a legal entity governed

by public law or a legal entity governed by private law that manages a public service;

- processing carried out on behalf of the State relating to biometric data necessary for

the identification or verification of the identity of individuals;

- the processing carried out by departments that have the mission, either to determine

the conditions for the creation or the scope of citizens‟ rights, to control or collect

taxation or taxes of any nature or to establish the basis for doing this, or to establish

statistics.

60. Anyone who caries out automatic processing of personal data without having notified

such processing is sanctioned by five years‟ imprisonment and a fine of €300,000.

61. Processing data or causing personal data to be processed without respecting the

formalities required by Articles 24 and 25 of the DPA is sanctioned by five years‟

imprisonment and a fine of €300,000, even where committed through negligence.

1.4.3 Other obligations

62. In addition to the notification formalities, the French Data Protection Act of 6 January

1978 also imposes on any person processing personal data other obligations linked to:

- legality12

;

- security;

- the transfer of data to third parties;

- the taking of decisions on the basis of standard profiles.

63. Firstly, the DPA states that the data controller shall take all useful precautions, with regard

to the nature of the data and the risks of the processing, to preserve the security of the data

and in particular prevent their alteration and damage, or access by non-authorized third parties

(DPA, art. 34).

64. Such security obligation applies to all automatic or non-automatic processing of personal

data within the purview of the DPA13

.

11

See case law available on http://www.alain-bensoussan.com/pages/864/ and http://www.alain-

bensoussan.com/pages/865/ 12

See § 1.2 above about fair and lawful collection. 13







65. Where data are processed by a processor, such processor shall offer adequate guarantees

to ensure the implementation of the security obligation (DPA, Art. 35(3)).

66. The violation of the obligation of security is sanctioned by criminal penalties: five years‟

imprisonment and a fine of €300,000 (French Penal Code, Art. 226-17). For legal entities, the

fine is multiplied by five, i.e. 1,500,000 euros, and may be pronounced together with the

sanctions set out in Article 131-39 of the French Penal Code.

67. Secondly, the assignment of personal data to third parties provided that the initial

notification, application for authorization or request for opinion referred to the assignment and

specified if the processing may be aligned, combined or otherwise related with other

processings.

68. If the assignment was not provided for in the initial notification, a company willing to

loan, lease or assign its data should promptly inform the CNIL and modify its initial

notification; otherwise it may be punished by the same sanction punishing the fact of

diverting data from its proper purpose.

69. Lastly, the DPA does not prohibit decision-making operations based on the standard

profiles. It authorizes selection operations from an automatic processing of personal data, but

regulates customer segmentation and targeting operations, for example to elaborate standard

consumer profiles.

70. However, no court decision involving the assessment of an individual‟s behavior may be

based on an automatic processing of personal data intended to assess some aspects of his

personality, and no other decision having a legal effect on an individual may be taken solely

on the grounds of automatic processing of data intended to define the profile of the data

subject or to assess some aspects of his personality. (DPA, Art. 10(1) and (2))14

.

1.5 THE DATA PROTECTION OFFICER

71. The “CIL”, i.e. “correspondant à la protection des personal data”, is the French data

protection officer.

1.5.1 The role of the CIL: reducing formalities

72. The main role of the CIL is to streamline the process and cut the red tape: a company with

a CIL is exempted from notification formalities (DPA, Art. 22).

73. However, this is only possible for standard processings governed by Articles 23 and 24 of

the DPA.

74. Besides, processings subject to the authorization procedure (DPA, Art. 25, 26 and 27) and

processings implying the transfer of data to a non-EU State are not eligible for that

exemption.

75. Public or private companies can both appoint a CIL.

14




1.5.2 The appointment of the CIL

76. The missions, functions and obligations of the CIL15

are described in the French Decree of

20 October 2005 enacted for the application of the DPA (as amended by Decree of 25 March

2007).

77. The appointment of a CIL must first be notified by the data controller to the staff

representative body concerned by registered letter return receipt requested, and then to the

CNIL.

78. A CIL may be an individual or a legal entity.

79. CILs are chosen among the individuals working inside the company. They may be

individuals external to the company only where less than 50 persons are in charge of the

implementation or have an access to the automatic processing.

80. Companies subject to the same control, Economic Interest Group or professional bodies of

the same branch of industry have the possibility to appoint only one single CIL.

81. The data controller or his legal representative may not be appointed as CIL.

Other functions or activities carried out simultaneously by the CIL “must not lead to conflicts

of interest in the performance of his duties as a data protection officer”.

1.5.3 The missions of the CIL

82. The CIL shall ensure compliance with the requirements of the Data Protection Act. For

this purpose, the CIL:

- may make recommendations to the data controller;

- shall be consulted about any new processing before their implementation;

- shall receive requests and complaints from the data subjects;

- shall inform the data controller of the failings noted before any notification to the

CNIL;

- shall prepare an annual report on his activities that shall be presented to the data

controller and made available to the CNIL.

83. In addition, within three months of being appointed, the CIL shall draw up the list of the

automatic processings implemented by his company. The CIL will be responsible for

providing a copy of such list to any individual who requests it.

84. The data controller shall provide the CIL with all the material that may help him draw up

and regularly update the list of automatic data processing implemented within the premises,

department or the body for which he is appointed.

85. The CIL may refer any difficulty encountered while carrying out his missions to the CNIL

at any time.

15

See Alain Bensoussan, « Le correspondant à la protection des données à caractère personnel: un maillon

important de la réforme », Gazette du Palais n° 284 à 286 du 10 au 12 octobre 2004, available on

http://www.alain-bensoussan.com/Documents/ARTICLE%20AB%20GTA%20OCTOBRE.pdf

http://www.alain-bensoussan.com/Documents/ARTICLE%20AB%20GTA%20OCTOBRE.pdf


2. THE DIFFERENT INFORMATION SYSTEMS

86. An organization or company, whether public or private, may exploit many information

systems. They may be cross-cutting (purchase, HR, invoicing, accounting, archives, etc.) or

sector-based (insurance and risks, social and health, bank and stock exchange, etc.).

2.1 THE MAIN INFORMATION SYSTEMS

87. The main information systems are relating to human resources, customer, purchase and

archives.

2.1.1 Human resources information systems

88. Human resources concerns a range activities within a company: recruitment; payroll;

management and training of staff; directories and intranets; management and controls of

access to premises; catering; relations with staff representative bodies...

89. HR information systems of public and private companies are regulated by the CNIL in a

very similar manner. HR information systems are mainly subject to the following texts:

- Recommendation No. 89 of the Council of Europe (Recommendation 89 of 18

January 1989 on the protection of personal data used for employment purposes);

- French Labor Code, in particular its Articles relating to individual and collective

liberties, to collection of information and transparency on collection devices, to

professional equality between men and women, and to the information of the staff

representative bodies.

90. HR information systems are usually guided by three principles:

- transparency;

- proportionality;

- purpose.

91. The CNIL has enacted a series of simplified standards for the prior formalities applicable

to HR information systems:

- Simplified Standard No. 46: Deliberation 2005-002 dated 13 January 2005 adopting a

standard intended to simplify the obligation to notify processings implemented by

public and private organizations for the management of their staff (amended);

- Simplified Standard No. 42: Deliberation 02-001 dated 8 January 2002 concerning the

automatic processing of personal data implemented on the workplace to manage the

control of access to the premises, of working hours and catering;

- Simplified Standard No. 47: Deliberation 2005-019 dated 3 January 2005 creating a

simplified standard concerning the automatic processing of personal data implemented

with respect to use of fixed and mobile telephony at the workplace;

- Simplified Standard No. 51: Deliberation 2006-067 dated 16 March 2006 adopting a

simplified standard concerning the automatic processing of personal data implemented

by public or private organizations in order to locate geographically the vehicles used

by their employees;


92. Moreover, the CNIL has issued exemptions and single authorizations for certain HR-

related processings:

- Exemption No. 1: Deliberation 2004-096 dated 9 December 2004 exempting from

notification processings for the management of remunerations implemented by the

State, local communities, legal entities governed by public law or legal entities

governed by private law that manage a public service;

- Exemption No. 2: Deliberation 2004-097 dated 9 December 2004 exempting from

notification processings for the management of remunerations implemented by legal

entities governed by private law other than those managing a public service;

- Single Authorization No. AU-004: Deliberation 2005-305 dated 8 December 2005 for

automatic processings of personal data implemented within the framework of

whistleblowing systems.

93. Lastly, the CNIL has also elaborated recommendations on the collection and processing of

personal data within the framework of recruitment operations (Deliberation 02-017 dated 21

March 2002).

2.1.2 Customer information systems

94. Customer information systems generally concern electronic canvassing, customer

relations, profiles, segmentation, customer loyalty, contractual difficulties (outstanding

payments and complaints) and transborder flows.

95. The CNIL elaborated in 200516

a “multisector” simplified standard for the automatic

processing of personal data relating to the management of customer and prospect data, which

has been amended by Deliberation 2005-276 dated 17 November 2005.

96. Only customer information systems from the banking and insurance sectors are excluded

from the scope of that standard. As a result, they must be notified to the CNIL according to

the ordinary procedure applicable to any processing of personal data.

2.1.3 Purchase information systems

97. Purchase information systems concern data on suppliers.

98. Concerning the prior formalities specific to purchase information systems, the CNIL has

exempted from notification files for the management of supplier data concerning individuals

(exemption No. 4), to the extent that these processings do no present apparent risk for privacy

and liberties.

99. However, these systems may also cover data on electronic purchase (purchase extranets

and electronic purchase platforms).

100. Extranets are eligible for exemption No. 4 when implemented within the limit of the

functional criteria stated in the exemption.

101. On the other hand, e-commerce activities for suppliers do not fall within the scope of the

exemption. These activities must be subject to a specific notification or incorporated into a

standard notification corresponding to the purchase information system.

16

Simplified standard No. 48, deliberation 2005-112 dated 7-6-2005.


2.1.4 Archival information systems

102. In most private or public organizations, the archival of personal data is not a distinct,

separate system, and backup, storage and archives very often are mixed together.

Archival information systems are cross-cutting information systems which relate to all the

other information systems.

103. The CNIL has issued specific recommendations for the archival of certain data:

- Deliberation 88-52 dated 10 May 1988 adopting a recommendation on the

compatibility between the Act 78-17 of 6 January 1978 and the Act of 79-18 dated 3

January 1979 on archives;

- Deliberation 2005-213 dated 11 October 2005 concerning the modalities for the

electronic archiving of personal data in the private sector.

2.2 TRANSBORDER FLOWS OF PERSONAL DATA

104. Because of their nature, personal data cannot be transferred in conditions that would not

respect the privacy or fundamental rights and freedoms of data subjects. On the other hand,

nowadays the development of communications makes it necessary for most businesses to

transfer data about individuals.

2.2.1 The notion of transborder flows

105. The notion of transborder flow refers to the export and import of personal data. Despite

its importance and its role as a catalyst for universal rights, both in legal and ethical terms,

there is no definition of that concept in the EC Directive or the French Data Protection Act.

106. According to the CNIL, a transfer of personal data to a non-EU country consists in

“communicating, copying or moving personal data via a network, or communicating, copying

or moving these data from one media to another, whatever the type of media, to the extent that

these data are subject to be processed in the recipient country”.

Flows can thus be both physical (actual moving of data) and virtual (access to data and related

processings).

107. That definition must be reviewed in light of the notion of “processing”, which is “any

operation or set of operations in relation to data, especially the obtaining, recording,

organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by

transmission, dissemination or otherwise making available, alignment or combination,

blocking, deletion or destruction”.

2.2.2 The protection of data subjects

108. There are a number of situations in which international transfers of data occur.

109. For example there are transborder transfers of data when a French company

communicates with partners, subsidiaries or parent companies located outside the European

Union or performs activities outside the European Union. Similarly, when a multinational

corporate group centralizes its order management, accounts receivable or human resources

databases or when a company uses the services of a foreign call center or computer

maintenance specialist, this implies the transfer of personal data beyond the borders of the

European Union.


110. The French Data Protection Act has established specific rules to regulate such

transborder transfers, in particular where the non-EU recipient countries do not have a

sufficient level of protection of the privacy and fundamental rights and freedoms of

individuals.

111. Transfers of personal data to countries not belonging to the European Union are indeed

subject to special requirements under the EC Directive.

2.2.3 The principle of prohibition of transborder data transfers outside the

European Union, except in case of sufficient protection

112. Personal data may not be transferred to a country that is not a Member State of the

European Community if this State does not provide a sufficient level of protection of

individuals‟ privacy, liberties and fundamental rights with regard to the actual or possible

processing of their personal data (DPA, Art. 68(1)).

113. Transfers may not be made when the non-EU State is considered by the European

Commission as not providing a sufficient level of protection. In such case, the CNIL may

prohibit the intended transfer to that State (DPA, Art. 70).

114. The sufficient nature of the protection provided by the State is assessed taking account in

particular of the provisions in force in this State, the security measures that this State applies,

the specific characteristics of the processing, such as its purposes and duration, as well as the

nature, origin and destination of the processed data (DPA, Art. 68 (2)).

115. The European Commission determines if a country not belonging to the European

Community provides an adequate protection in accordance with requirements laid down in the

EC Directive.

116. Transfers of data to non-EU Member States short-listed by the European Commission for

their sufficient level of protection of personal data are not subject to a specific procedure. The

CNIL only has to be informed of their existence (Decree of 20 October 2005, Art. 101).

117. A table summarizing the data protection laws and regulations adopted worldwide and the

level of guarantees offered by each country under the European criteria is available online on

the CNIL‟s website17

(updated as of 2 June 2008).

2.2.4 Countries considered as providing an adequate level of protection

The European Commission has established a list of countries providing adequate protection.

Such list includes:

- the twenty-five Member States of the European Union;

- the member countries of the European Economic Area: Iceland, Liechtenstein,

Norway;

- other countries recognized as providing adequate protection: Argentina, Canada,

Guernsey, Isle of Man, Switzerland, and US companies having adhered to the Safe

Harbor.

118. Concerning more particularly the United States of America, a Safe Harbor agreement

was negotiated in 200018

.

17

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/panorama-legislation.pdf 18

Decision No. 2000/520/EC of 26 July 2000.

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/panorama-legislation.pdf


119. Transfers of personal data to countries providing an adequate level of protection do not

have to be authorized by the CNIL. The existence of such transfers should nonetheless be

notified to the French data protection agency when the prior formalities required for the data

processing are made.

2.2.5 Countries considered as not providing a sufficient level of protection

120. Transfers of personal data to non-EU countries not providing sufficient protection are

possible only in the situations strictly listed in Section 69 of the French DPA.

121. If none of these limited situations applies, the transfer cannot be made without the

authorization of the CNIL.

122. Such authorization is granted subject to the adoption by the company of a transborder

data flow agreement or binding corporate rules offering adequate safeguards for the transfer.

123. For corporate groups, binding corporate rules (“BCR”), also known as internal rules,

codes of good conduct or charter, are an alternative to transborder data flow agreements. The

European Commission has published three model contracts 19

.

124. The advantage of BCRs is that they are adopted unilaterally by the group headquarters

and avoid entering into an agreement for each data transfer made within the group.

2.2.6 The exception to the principle of prohibition

125. Pursuant to Article 69 of the DPA, personal data may be exceptionally transferred to a

State not providing a sufficient level of protection if the data subject has expressly consented

to their transfer or if the transfer is necessary for:

- the protection of the data subject‟s life;

- the protection of the public interest;

- the meeting of obligations ensuring the establishment, exercise or defense of legal

claims;

- the consultation, in accordance with legal conditions, of a public register;

- the performance of a contract between the data controller and the data subject, or of

pre-contractual measures taken in response to the data subject‟s request;

- the conclusion or performance of a contract, either concluded or to be concluded in the

interest of the data subject between the data controller and a third party.

126. An exception to the principle of prohibition may also be decided by a decision of the

CNIL or by a decree taken upon the prior opinion of the “Conseil d‟Etat” for certain public

processings and where the processing guarantees a sufficient level of protection of

individuals‟ privacy as well as their liberties and fundamental rights.

127. Such guarantees may in particular result from contractual clauses or binding corporate

rules.

19

Decisions No. 2001/497/EC, No. 2004/5271/EC and No. 2002/16/EC.


2.2.7 Standard contractual clauses

128. Concerning the transfer of personal data to non-EU countries, the European Commission

has drafted two sets of standard contractual clauses for transfer of data from a controller to

another controller in 200120

and 200421

:

129. It has also drafted one set of standard contractual clauses for transfer of data from a

controller to a processor, in French and in English22

.

130. In addition, the Article 29 Data Protection Working Party, known s “G29”, adopted in

January 2007 a standard form to submit draft Binding Corporate Rules (“BCR”) to European

supervisory authorities23

.

* *

*

20

Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of personal data to third

countries, under Directive 95/46/EC, OJEC (L) 181/19 of 4 July 2001 available

in French at

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT_resp__traitement_VA.pdf

in English at

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT_resp__traitement_VF.pdf. 21

Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of

an alternative set of standard contractual clauses for the transfer of personal data to third countries, OJEC (C)

2004 5271 available:

in French at http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT__ICC_resp__traitement_VF.pdf

in English at

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT__ICC_resp__traitement_VA.pdf 22

Commission Decision of 27 December 2001 on standard contractual clauses for the transfer of personal data to

processors established in third countries, under Directive 95/46/EC, OJEC (L) 6/52 of 10 January 2002 available

in French at http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT_ss_traitant_VF.pdf

n English at http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT_ss_traitant_VA.pdf 23

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/Form-bcrWP133EN.doc (English

version).

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT_resp__traitement_VA.pdf

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT_resp__traitement_VF.pdf

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT__ICC_resp__traitement_VF.pdf

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT__ICC_resp__traitement_VA.pdf

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT_ss_traitant_VF.pdf

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/CCT_ss_traitant_VA.pdf

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/Form-bcrWP133EN.doc


3. TECHNO SURVEILLANCE

3.1 INTERCEPTION OF TELECOMMUNICATIONS

131. The term “interceptions of telecommunications” means the collection, use and recording

of contents exchanged via electronic communication tools. The term “electronic

communications” means “the transmission, emission or reception of signs, signals, text,

images or sound by electromagnetic means” (French Posts and Electronic Communications

Code, Art. L 32 1°).

132. Interceptions of telecommunications encompasses:

- the protection of private correspondence: it is guaranteed by law and is the

implementation in the field of electronic communications of the more general

principle of the protection of privacy (Act 91-646 of 10 July 1991, Art. 1);

- the interception of electronic communications for security purposes: wiretapping is

regulated by the Act of 10 July 1991;

- the interception of electronic communications for legal purposes: it is subject to

Articles 100 to 100-7 of the French Code of Criminal Procedure for the investigation

of felonies and misdemeanors (if the penalty incurred is equal to or in excess of two

years‟ imprisonment), organized crimes and the research of certain individuals;

- the administrative interceptions of connection data: their purpose is limited to the

prevention of acts of terrorism (French Penal Code, Art. 421-1 and Art. 421-2);

- the judicial interceptions of connection data: the storage of such data and their

communication to the judicial authority is limited to the research, discovery and

prosecution of penal offences (French Posts and Electronic Communications Code,

Art. L34-1 II).

- the private interceptions: unregulated wiretapping is prohibited, unless otherwise

authorized by the individuals concerned or within the framework of cyber surveillance

operations at the workplace;

- the regulation of devices for the interception of electronic communications: the

interceptions of private telecommunications are prohibited, unless otherwise

authorized by the calling party and the called party.

133. Two administrative authorities play a key role in that domain: the National Commission

for the Control of Security Interceptions (“Commission nationale de contrôle des

interceptions” or “CNCIS”) and the Data Protection Authority (“Commission nationale de

l‟informatique et des libertés” or “CNIL”).

MODULE No. 2 – Technologies


134. All operations (manufacture, import, detention, exhibition, offer, rental, sale, installation)

on equipment designed to intercept telecommunications are prohibited (French Penal Code,

Art. 226-3). Similarly, equipments allowing to intercept, record or transmit words uttered in

confidential or private circumstances, without the consent of their speaker, or the picture of a

person who is within a private place, without the consent of the person concerned are

prohibited (French Penal Code, Art. 226-1).

135. Operators implementing the equipments mentioned above must apply for an

authorization in accordance with a list established by the Prime Minister (French Penal Code,

Art. R 226-1).

3.2 GEO-LOCATION

136. Location data is “any data processed in an electronic communications network,

indicating the geographic position of the terminal equipment of a user of a publicly available

electronic communications service”. 24

137. Geo-location services are based on the GPS system and mobile telephony of the GSM-

type.

138. These services give the position of the fleet covered by the piloting or surveillance. The

terminal installed on the vehicle transmits the position, the communications of any nature, the

condition of the vehicle, the conditions of use and the social data (optimization of the working

condition and tracking of overtime).

3.2.1 Legal framework of geo-location

139. The legal framework of geo-location is made of Directive 2002/58/EC of 12 July 2002

(Art. 9) and a recommendation issued by the CNIL on 16 March 2006 concerning the geo-

location of employee vehicles.

140. The specific prior formalities to that technology concern the simplified standard No. 51

(geo-location of employee vehicles in public and private sectors).

141. Processings using that technology are mainly designed for the geo-location of

employees, drivers or children.

3.2.2 Tracking employees

142. The CNIL has established rules for the use of geo-location within a company in a

recommendation dated 16 March 200625

.

143. It may be used for employees who have a large degree of autonomy in their organization

(sales representatives, pharmaceutical sales representatives, door-to-door sales representatives

etc.) and who cannot be tracked permanently.

144. Data is collected on the travels, the average speed and mileage. In no event the data

should enable to establish the existence of offences.

24

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the

processing of personal data and the protection of privacy in the electronic communications sector (Directive on

privacy and electronic communications), Art. 2. 25

Deliberation 2006-066 of 16 March 2006 adopting a recommendation on the implementation of devices

designed to geo-locate motor vehicles used by the employees of a private or public organization.


145. The CNIL considers that the only purposes admitted in that context are:

- the surety or security of the employees or the goods or vehicles they are responsible

for (lone workers, transfer of funds and values, etc.);

- a better allocation of resources when services are to be performed in dispersed

locations (emergency interventions, taxi drivers, breakdown lorries etc.);

- the monitoring and invoicing of a service for the transport of individuals or goods, or

of a service directly linked to the use of the vehicle (school bus service, road shoulder

maintenance, snow clearing, road network patrols, etc.);

- the monitoring of working time when such monitoring cannot be made by other means

(Deliberation 2006-066 of 16 March 2006).

146. They must correspond only to the usages notified. It is possible to use the simplified

standard No. 51.

3.2.3 Tracking drivers

147. A new insurance service, entitled “Pay as you drive”, is coming on steam worldwide

thanks to geo-location technologies. The objective is to tailor the insurance services offered to

drivers according to their travels (length, itinerary) and behaviors (law-abiding, risky,

dangerous).

148. Such services have already been deployed in the USA, Israel, Dubai, Abu Dhabi, the

UK, Italy and Ireland, apparently to the general satisfaction of the contracting parties.

149. However, an offer requiring young drivers to install in their vehicle a GPS-GSM device

has been refused by the CNIL. Its objective was to collect information on the case number,

speed, places, dates, hours and length of driving, the total number of kilometers traveled and

the type of road, in order to “identify the location of the vehicle every two minutes, the speed,

the type of road on which the vehicle drives, the time of the driving and the length of the

driving (Deliberation 2005-278 of 17 November 2005, MAAF Insurances SA).

3.2.4 Tracking children

150. Applications for the tracking of children are based on the GPS-GSM technology. With

this service, parents can know where the child is via the location of his or her mobile phone

thanks to the Internet, Wap or i-mode technologies.

151. As parents are only the beneficiaries of the service, the data controller of such data

processing is the organization that supplies the service for the identification and positioning of

the cell phone.

152. That type of processing is subject to the general notification regime. The CNIL considers

that the child (aged thirteen or more) must be able to express his or her consent for that type

of service.


3.3 VIDEO SURVEILLANCE

153. According to the CNIL, images of individuals captured by video surveillance cameras

are personal data allowing, at least indirectly by combination with other criteria, to identify

individuals26

.

154. The purpose of such processings is to ensure the surveillance and security of access. Data

shall be stored for a period not exceeding one month (Act 95-73 of 21 January 1995, Art. 10).

These processings are subject to the standard notification procedure.

3.3.1 Legal framework

155. Video surveillance (also known as “CCTV”) is governed by two main texts: the Data

Protection Act and the Act on Orientation and Planning on Security, referred to as “Pasqua

Act” (Act 95-73 of 21 January 1995).

156. The relation between these two texts is stated in Article 10 I of the Act of 21 January

1995 as follows:

- “Visual video surveillance recordings […] shall be submitted to the provisions below,

except for those used in automatic processings or contained in files structured

according to criteria allowing to identify, directly or indirectly, individuals, and

governed by the Act 78-17 of 6 January 1978 on Data Processing, Data Files and

Individual Liberties.”

157. Moreover, pursuant to Article 5 of a 1996 Decree: “in the event where the information

attached to the application for authorization or additional information shows that the visual

video surveillance recordings will be used to create a personal data file, the prefectorial

authority shall answer to the applicant that his application shall be sent to CNIL. It informs

the CNIL thereof”27

.

158. The purpose of that regulation is that cameras be “individual-liberties-friendly”28

.

3.3.2 Public security video surveillance

159. The legal scope of public security video surveillance is made of the Act on Orientation

and Planning on Security (“Pasqua Act”, cited above) and its application decree29

; the order

on technical standards for video surveillance systems30

; and the ministerial circular of 26

October 2006.

160. Any installation of a video surveillance system shall be authorized, except in the field of

national defense.

161. The authorization is delivered by the representative of the State in the “départements” or

by the prefect of police of Paris. It is preceded by an opinion given by a departmental

commission, chaired by judges.

26

Deliberation 94-056 of 21 June 1994 adopting a recommendation on video surveillance devices used in public

places and places open to the public. 27

Decree 96-926 of 17 October 1996 on video surveillance. 28

Circular NORINTD0600096C of 26 October 2006 pursuant to Articles 10 and 10-1 of the amended Act on

Orientation and Planning on Security No.95-73 of 21 January 1995 p. 3. 29

Decree 96-926 of 17 October 1996. 30

Order of 26 September 2006.


162. The video surveillance system must conform to certain technical standards (Act 95-73 of

21 January 1995, Art. 10 III(4)).

163. The authorization identifies the individuals in charge, the modalities to view recordings,

the recipients of the data and the data storage period.

164. Except in case of investigation for flagrante delicto, preliminary inquiry or preliminary

information investigation, the recordings shall be destroyed within the deadline stated in he

authorization. Such deadline cannot exceed one month (Act 95-73 of 21 January 1995,

Art. 10 IV).

165. The public shall be informed in a clear and permanent manner of the existence of the

video surveillance system and of the authority or individual in charge (Act 95-73 of 21

January 1995, Art. 10 II(5)).

166. For example, the information on the existence of a video surveillance system filming the

public highway must be provided via a sign with a pictogram representing a camera (Decree

96-926 of 17 October 1996, Art. 13-1 I).

167. For systems installed in facilities and establishments open to the public, such information

must be provided in a clear and permanent manner via signs or small posters, which must

specify the name or title of the data controller as well as a telephone number. These data must

be sufficient to enable data subjects to access their images (Decree 96-926 of 17 October

1996, Art. 13-1 II).

3.3.3 Private security video surveillance

168. Private security video surveillance includes video surveillance at the workplace by

private organizations, public organizations or organizations which manage a public service, as

well as video surveillance of dwelling houses. Only cameras installed in private places and

used exclusively for personal purposes are excluded from the legal regime (DPA, Art 2).

169. The legal framework of private security video surveillance is made of:

- the guiding principles of the French Data Protection Act, to the extent that video

surveillance activities are not expressly referred to therein, unlike biometric

technologies for example;

- Deliberation 94-056 of 21 June 1994 adopting a recommendation on video

surveillance devices implemented in public places and places open to the public.

170. The data concerned includes filming with or without recording, and the connection with

personal data files.

171. The processing of images (collection, recording, visualization, on a real time or

prerecorded basis, and storage) is subject to the standard notification procedure.


3.4 THE TECHNO PROTECTION OF PRIVACY

172. Technology systems oriented towards the protection of privacy include anonymization

techniques, encryption tools, antitagging tools and Platform for Privacy Preferences.

3.4.1 Anonymization techniques

173. The purpose of anonymization techniques is to anonymize personal data.

174. This may be required because of the necessity to store data beyond the period having

justified their collection and processing, or the necessity to analyze sensitive information.

175. Anonymization is a multifaceted notion, which varies according to its level (absolute or

relative), its usages (restricted to some, prohibited for others) or the means to be implemented

to ensure its reversibility.

176. There are three categories of anonymization techniques resulting in three types of

information:

- anonymous information: technologies that suppress all links between the information

and the data subject.

- masked information: technologies that allow a relative anonymization while enabling

to retrieve personal data according to the technology selected (encryption, hashing and

blurring).

- aggregated information: techniques with the aim of gathering groups or populations so

that it may not be possible to assign data to one individual.

177. Processes for the anonymization of sensitive data must be authorized by the CNIL. Such

authorization is subject to the compliance with the principles of legal purpose, legitimacy and

proportionality and required that data be anonymized within a short period of time (DAP,

Art. 8 III).

3.4.2 Encryption tools

178. Encryption tools are in line with the security and confidentiality rules for personal data

imposed under Article 34 of the DPA.

179. The CNIL indeed recommends, as far as possible, to encrypt certain types of personal

data.

180. For example, encryption is compulsory when medical data are transferred via the

Internet, or when medical databases are entrusted to a hosting provider.

3.4.3 Antitagging tools

181. The purpose of antitagging tools is to prohibit electronic tagging - e.g. cookie or RFID

chip (see §4.1.2) - or obtain to the consent of individuals before introducing any such

electronic tagging.


3.4.4 Platforms for Privacy Preferences

182. The purpose of Platform for Privacy Preferences is to collect the preferences of data

subjects and to comply with them. To this end, an Internet user should first determine the

legal regime of the categories of his or her personal data in a questionnaire.

183. P3P version 1.0 is a protocol designed to inform Web users of the data-collection

practices of Web sites. It provides a way for a Web site to encode its data-collection and data-

use practices in a machine-readable XML format known as a P3P policy.

184. The P3P specification defines:

- a standard schema for data a Web site may wish to collect, known as the “P3P base

data schema”;

- a standard set of uses, recipients, data categories, and other privacy disclosures;

- an XML format for expressing a privacy policy;

- a means of associating privacy policies with Web pages or sites, and cookies;

- a mechanism for transporting P3P policies over HTTP;

185. The goal of P3P version 1.0 is twofold:

- allow Web sites to present their data-collection practices in a standardized, machine-

readable, easy-to-locate manner.

- enable Web users to understand what data will be collected by sites they visit, how

that data will be used, and what data/uses they may “opt-out” of or “opt-in” to31

.

3.5 WEB 2.0

186. Web 2.0 gathers several technologies and services designed to create and develop

communities and agile services based on the concept “The Network Is The Computer”.

187. With Web 2.0, the issues of digital identity, right to anonymity, and protection of private

life and digital privacy are more acute32

.

188. Technical platforms that host different communities, such as blogs or auctions, must be

subject to a notification where their technical means are located in the French territory.

189. Exchanges on such platforms are usually made with a pseudonym (User ID, alias).

Platforms organize an “anonymous personalization” where:

- it is possible to communicate with a pseudonym;

- the community members can rate each other and give their feedback;

- the real identity of community members is disclosed when transactions are completed

(brokerage in computerized auction) or with judicial authorization.

31

The Platform for Privacy Preferences 1.0 (P3P1.0) Specification, Recommendation of World Wide Web

Consortium (W3C) dated 16 April 2002. 32

Eric Barbry, “Web 2.0: nothing changes…but everything is different”, Communications & Stratégies 1 quarter

2007 n° 65 p. 91.


4. IDENTIFICATION AND SURVEILLANCE TECHNOLOGIES

4.1 APPLICATIONS AND FUNCTIONNALITIES OF IDENTIFICATION TECHNOLOGIES

4.1.1 Biometrics

190. The term of “biometrics” designates all computerized technologies enabling the

automatic recognition of an individual based on physical, biological or even behavioral

features. A badge with a digital photograph without possible processing does not fall within

the scope of biometrics. Biometric data are broken down into three categories:

- specimens derived from the human body (DNA, body odor);

- digital representations or size (fingerprint or outline of the hand);

- attitudes (handwritten signature, typing on a keyboard).

191. There is no law specially regulating biometrics. As far as data protection is concerned,

biometrics is legally regulated when used to control the identity of individuals.

192. Whatever the sector (public or private), that type of processing may be implemented only

after the authorization of the CNIL. The CNIL has established three types of single

authorizations related to biometrics and to:

- the fingerprint for access control to the work place33

;

- the hand geometry for access control, working time management and food catering at

the work place34

;

- the hand geometry for access to school cafeteria35

.

193. Considering the risks entailed, the CNIL considers that biometric data may be used only

if there are an imperative security requirement and particular circumstances limiting the risks.

194. Except specific cases, the CNIL rejects any use of biometrics simply for management or

comfort purposes. It favors technical solutions based on traceless or traceable biometrics, the

storage of identifiers on limited media under the exclusive control of the data subjects, and the

absence of trace after usage.

195. For example, it has issued a favorable opinion for:

- the implementation of a biometric control to access areas restricted for security

purposes in the Orly and Roissy airports (Deliberation 2004-017);

- a draft order from the Minister of Justice for the creation of a computer application to

check the identity of prisoners based on the recognition of hand morphology

(Deliberation 2003-027);

- the implementation by the chamber of commerce and industry of Nice-Côte d‟Azur of

an automatic processing of personal data with the purpose of managing a loyalty card

implying the use of a biometric device recognizing fingerprint (Deliberation 2005-

115).

33

Delib. 2006-102 of April 27, 2006. 34

Delib. 2006-101 of April 27, 2006. 35

Delib. 2006-103 of April 27, 2006.


4.1.2 RFID

196. RFID (Radio Frequency Identification) is a technology allowing a contactless

identification: a smart tag interacts with a reader via radiofrequencies.

197. In the long run, the objective of RFID is to replace bar codes on products and enables the

emergence of new tracking and reactivity services.

198. The RFID technology maximizes the possibilities to track objects and individuals.

199. RFID contains an electronic chip, a memory incorporated into the chip and an antenna.

200. Passive RFID tags have no power source. The electric power is induced by the reader at

the time of the reading operation. In contrast, active RFID tags have a battery, and thus a

power autonomy. The different between passive and active tags is the read ranges between

RFID and readers.

201. With the digital age, the Internet of “computers” I developing into an Internet of objects.

All objects, subject to an identification standard, may interact and react according to a

detected context or an initiated actor. The impact is increased by the integration of the RFID

process into an information system, such as the production IS, the customer IS or the logistics

IS. Similarly, the integration of RFID readers into mobiles transforms it into “a universal

remote control”36

.

202. There is no law or regulation specific for RFID, as for biometrics for example.

The direct or indirect use of smart tags is subject to the general regime of prior formalities

(notification or authorization) according to the status of the data controllers or the nature of

the data and processings realized.

203. All the rights of individuals (information, access, authorization, objection, modification,

rectification and oblivion) apply to RFID technologies. The widespread use of RFID implies

the necessity to establish a right to “deactivation” in order to avoid an all-or-nothing system

regarding RFID services.

4.2 ISSUES UNDER THE FRENCH DPA

204. A recognition system is based on the alternative or cumulative modes below:

- a physical element: photograph or physical particularly such as scar, tattoo, etc.

- a device: card, USB key, letter, etc.;

- information: secret formula, first name of the mother, country and date of the last three

travels etc.

205. Biometrics is a disruptive technology because of the unicity of the mean (an element of

the human body), the universality of the technique and the efficiency of the recognition.

206. Biometric technologies have a high “invasive” potential in terms of privacy protection.

36

Serge Miranda, L‟ère des objets « vivants » au service de l‟homme, L’Expansion 719-5-2007 p. 147.


207. According to the National consultative committee for sciences of life and health, because

of the paradox created between the protection of privacy and the invasions of privacy, there is

a kind of agreed confiscation of liberty. Surreptitiously, our society, in the name of the

security paradigm, is getting used to these biometric tags and everyone finally accepts, even

with indifference, to be put on files, observed, located, traced, often without being aware

thereof37

.

208. The dangers linked to the creation of huge biometric databases are the most important

issues.

4.3 APPLICABLE LAWS AND REGULATIONS

209. The legal framework of identification and surveillance technologies primarily depends

on:

- the places (public or private zones);

- the terms of use (surveillance or research);

- the field of activities (private, professional, economic, social, philosophical, etc.).

210. Identification and surveillance technologies must be subject to a notification or an

authorization, according to their nature.

211. The implementation of such technologies at the workplace is subject to:

- information of staff representative bodies on the introduction of new technologies;

- information of staff representative bodies on devices used to control and monitor

employees;

- information of the data subjects.

212. This is necessary because in most cases the introduction of a new technology extends the

scope of the controls that may be made by the employer.

4.4 PRECAUTIONS TO BE TAKEN

213. Using surveillance technologies implies the compliance with the principles of legality,

purpose, legitimacy, proportionality, adaptability and transparency.

214. The general principle in a democracy is the absence of surveillance. Surveillance can

only happen exceptionally, it must be motivated by a specific situation and realized in a

predefined legal framework.

215. Surveillance can be made only for security and protection purposes. This is in particular

the case for:

- the fight against terrorism by video surveillance in public places;

- the supervision of telecommunications networks via cyber surveillance;

- the protection of the access to sensitive zones via biometrics.

216. The security requirement is a condition that is necessary, but not sufficient. The data

controller of the processing must also legitimate the usages made under his rights and

obligations, and the places and individuals covered by the surveillance.

37

CCNE Biométrie, données identifiantes et droits de l‟homme: Avis n°98 p.16.


217. According to an inviolable principle enshrined in the French Labor Code an employer

cannot place on individual and collective liberties a restriction that would not be justified by

the nature of the tasks to be performed or proportional to the purpose pursued.

218. Such principle protects employees against systematic or unjustified controls. The

compliance with the proportionality principle imposes that the data controller strikes a

balance between the different security requirements and the rights of individuals. The purpose

of such proportionality principle is to relativize the rights of the controller under the

legitimacy of his processing.

219. Such balance of interests is described by the Data Protection Act as follows:

- “the pursuit of the data controller‟s or the data recipient‟s legitimate interest, provided

this is not incompatible with the interests or the fundamental rights and liberties of the

data subject.” (DPA, Art. 7(5°)).

220. That paragraph allows to depart from the general obligation to obtain consent prior to

implementing an automatic processing of personal data (DPA, Art. 7).

221. The techno surveillance used must be adapted to the situation in case of:

- modification of the context;

- evolution in the above criteria. All the criteria must remain relevant throughout the

period during which of techno surveillance is used.

222. Lastly, the French Labor Code states that “no information concerning an employee or a

job applicant personally may be collected through a device he or she has not been informed of

in advance”. Therefore, it seems that, to be enforced against employees, the means of control

likely to be implemented must be notified to them for example in an information memo or a

computer resources acceptable use policy.

* *

*


5. JUDICIAL FRAMEWORK

223. The French data protection authority, the Commission nationale de l’informatique et des

libertés (“CNIL”), is an independent administrative authority without judicial personality.

224. The decisions of the CNIL are subject to the judicial review of the Conseil d’Etat

(French administrative Supreme Court)with an ultra vires action (recours pour excès de

pouvoir) or an action based on grounds of both facts and law (recours de pleine recours

jurisdiction).

225. Since the amendment of the Data Protection Act in 2004, the CNIL has many powers

including:

- the power to perform a posteriori inspections;

- the power to impose administrative and financial sanctions.

226. Its “jurisdictional” activity grows very rapidly both in terms of the number of actions

initiated and the amount of the sanctions applied.

5.1 COMPLAINTS

227. The CNIL receive claims, petitions and complaints (DPA, Art. 11, 2°-c). The booming of

the Internet with the general public has increased the awareness of individuals on the use

made of their personal data.

5.1.1 Referring a matter to the CNIL

228. A matter can be referred to the CNIL in many forms. The CNIL invites individuals to

contact it by simple letter; some standard letters are available online on its website

(www.cnil.fr).

5.1.2 Effects

229. The CNIL has a large power of assessment regarding whether or not to act upon a claim

referred to it, irrespective of the decision taken thereafter by the judicial authorities. It decides

whether measures should be taken further to a complaint and is only obliged to refer to the

Public Prosecutor the offences it has knowledge of. For example, it may decide to:

- establish a dialogue with the data controller;

- carry out documentary and on-the-spot inspections;

- issue an injunction against controllers;

- apply sanctions and penalties;

- refer the matter to the Public Prosecutor;

- close the file without further action.

230. In any case, the CNIL must inform the complainants of the decisions taken regarding

their complaints (DPA 1978, Art. 11, 2°-c).

MODULE No. 3 – Disputes and Sector-Specific Law

http://www.cnil.fr/


5.2 INSPECTIONS CARRIED OUT BY THE CNIL

231. The inspections carried out by the CNIL since 1978 have been reinforced and regulated

since the 2004 reform.

5.2.1 The inspectors

232. The inspectors may be the members of the CNIL and duly empowered agents from the

operational services of the CNIL.

233. The accreditation of the CNIL agents “shall not grant exemption from application of the

provisions defining the procedures authorizing access to secrets protected by law”

(DPA 1978, Art. 19). Inspectors may be assisted by experts.

234. Only a doctor may ask for communication of personal medical data contained in

processings:

- that is necessary for the purposes of preventive medicine, medical research, medical

diagnosis, the administration of care and treatment, or for the management of a

healthcare service,

- carried out by a member of the medical professions (DPA 1978, Art. 44, III).

5.2.2 Modalities of the inspections

235. Inspections may only be made between 6a.m.and 9p.m..

236. Inspectors have access to the places, premises, surroundings, equipment or buildings

used for the processing of personal data for professional purposes.

237. Article 44, I of the DPA expressly excludes “the parts of the premises used for private

purposes”.

5.2.3 The inspection procedure

238. Where the CNIL decides to conduct an inspection, it shall first inform the Public

Prosecutor in the territorial jurisdiction where the inspection is to take place.

239. No rule obliges the inspectors to inform the data controller beforehand. The controller

may be assisted by a counsel, a lawyer or a private expert.

240. As part of their mission, the inspectors may:

- ask for the communication of all the documents necessary for the performance of their

mission, whatever their medium, and take a copy of them;

- collect, on the spot or upon summons, all useful information or;

- have access to electronic data processing programs and data, and ask for their

transcription, by any appropriate process, into directly utilisable documents for the

purposes of the verification (DPA 1978, Art. 44, III).

241. A report on the verifications and visits carried out shall be established in the presence of

all parties.

242. After an inspection, the CNIL may decide to:

- inform the Public Prosecutor (DPA 1978, Art. 11, 2°-e);

- initiate a procedure to apply sanctions;

- close the file without further action.


5.2.4 Objecting to an inspection

243. The person in charge of the premises may object to the inspection, provided this is not

considered as the offense of resisting or hindering the exercise of the duties entrusted to the

CNIL members and officers (délit d’entrave). Such objection may be disregarded, at the

request of chairman of the CNIL, if authorized by the President of the High Court (tribunal de

grande instance), or by a judge mandated by him, in the jurisdiction of which the premises are

located.

244. The judge shall decide by a reasoned ruling in conformity with the provisions provided

for in Articles 493 et seq. of the Code of Civil Procedure. In such case, the visit shall take

place under the authority and supervision of the authorizing judge. He may go to the premises

during the visit. He may halt or suspend the visit at any time (DPA 1978, Art. 44, II).

245. Persons (data controller included) interrogated in the context of verifications or

inspections carried out by the CNIL can raise an objection on the grounds that they are bound

by a duty of confidentiality (DPA 1978, Art. 21).

5.3 THE SANCTIONS

246. The possibility for the CNIL to directly apply sanctions has been extensively reinforced

by the reform that took place in 2004. Today, the CNIL can impose a wide range of sanctions,

such as issue a warning, block data, notify the Prime Minister and impose financial penalties.

247. The CNIL may exercise its powers in relation to the processing when the operations are

carried out, in whole or in part, on the national territory.

248. The person concerned are the data controllers established:

- in France (DPA 1978, Art. 5);

- in another Member State of the European Union (DPA 1978, Art. 48);

- in a non-EU country.

249. Only the State benefits from a special exemption (DPA 1978, Art. 45, I-1).

5.3.1 The warning

250. The CNIL may issue a warning (avertissement) to a data controller who does not comply

with the obligations resulting from the Data Protection Act. (DPA 1978, Art. 45, I(1)). In

addition, the organizations who took measures to suppress the noncompliance initially noted

by the CNIL may also receive a warning.

251. The warning is the first step to invite data controllers to abide by their obligations. A

such, the warning has no direct coercive effect.

252. In any case, the warning does not mean that the data controller will not be prosecuted in

the future.

253. Over the 2002-2006 period, the majority of the CNIL decisions issuing a warning

concerned:

- a breach of the data protection obligations;

- breaches with a possible penal nature.


254. This approach does not generally make any reference to the notion of “fault”. Moreover,

there is no real scale of breach e.g. small breach, repeated small breach, average breach,

serious breach.

255. However, it seems that the CNIL now tends to define more precisely the conducts that

can lead to warning, allowing to better foresee its decisions; the following trends can be noted

in some of its deliberations issued in relation to a warning:

- serious, repeated or excessive acts (Delib. 2005-043 of March 9,2005);

- negligence or failure to take relevant precautions (Delib. 04-051 of June 3, 2004);

- absence of vigilance and diligence (Delib. 2005-085 of May 10, 2005).

256. Similarly, to date, the CNIL does not systematically take into account the notion of

damage, and in particular the seriousness of the data subjects‟ right infringement and the

possible related damages.

257. The CNIL may make public its warnings (DPA 1978, Art. 46(2)). That publicity may be

made by all means of communication available to the CNIL, such as:

- a press conference;

- a notification on its website;

- a notice in its monthly newsletter;

- a special paragraph in the annual activity report.

258. The communication to the public of the warning is distinct from the publicity by way of

publication or newspapers, which is reserved for others sanctions.

259. The CNIL decides whether or not to publicize the warning depending on the

circumstances of the case. Contrary to the publicity by way of publication or newspapers, the

decision to make a warning public does not require the prior establishment of bad faith on the

part of the data controller.

260. In practice, the majority of the warnings that have been publicized states that the data

controller had an abnormal conduct. This is for example includes:

- the cure period;

- the failure or slowness to answer the question asked by the CNIL;

- the seriousness of the breach.

261. In practice, the warning is not secret. The CNIL does not publicize simple warnings but

that does not mean that they remain secret.

262. The CNIL may issue:

- a warning, which may be made public;

- a related injunction, in order to put an end to the breach referred to in the warning

(Delib. 2006-208 of September 21, 2006).

263. Where the data controller has not complied with the injunction, the CNIL may decide:

- that sanctions should be issued;

- to issue a warning, which may be made public.


5.3.2 The injunction

264. The 2004 reform gave the CNIL stronger powers to better regulate the situation. From

1978 to 2004, an impressive number of organizations broke the law.

265. In conjunction with or independently from the warning, the CNIL may also order a data

controller to cease the breach within a time period that it determines.

266. If the injunction (mise en demeure) is not complied with, the CNIL may impose special

penalties on the data controller (DPA 1978, Art. 45).

267. The injunction is subject to a dated and numbered deliberation. The CNIL notifies the

injunction via registered letter return receipt requested.

268. The cure period is fixed by the CNIL according to:

- the seriousness of the breach;

- the urgency;

- the period necessary for the data controller to cure the breach.

269. The deliberation to issue an injunction is taken by the restricted committee of the CNIL.

270. The demands stated in injunctions may be broken down into four categories:

- the compliance with law;

- the implementation of good practices in order to prevent repeated offenses;

- the education and awareness raising of data subjects;

- the development of an audit and monitoring policy.

271. The data controller must prove that he has cured the breach within the time period stated

by letter or memorandum containing:

- the requests made by the CNIL;

- the answers given by him;

- any related supporting documents.

272. At the end of the time limit stated in the injunction, the CNIL may, after having studied

the situation:

- issue a warning, which may be made public;

- impose a financial penalty;

- issue an injunction to stop the processing;

- withdraw the authorization for each processing previously authorized;

- close the file without applying any sanction.


5.3.3 Financial penalties

273. All data controller may be imposed financial penalties (sanctions pécuniaires) except in

cases where the processing is carried out by the State (DPA 1978, Art. 45, I-1).

274. The amount of the financial penalty is fixed by the CNIL in proportion to the gravity of

the breaches committed and the profits obtained from the breach by the controller.

275. For example, when applying penalties, the CNIL has taken the elements below into

consideration:

- non-compliance with an injunction (Delib. 2006-173 of June 28, 2006);

- answer not appropriate to the requests made by the CNIL (Delib. 2006-174 of June 28,

2006);

- failure to provide documents requested by the CNIL (Delib. 2006-245 of November

23, 2006);

- no guarantee “allowing the CNIL to consider that the breaches established may not be

repeated again in the future” (Delib. 2006-245 of November 23, 2006);

- lack of cooperation and transparency (Delib. 2006-281 of December 14, 2006).

276. Financial penalties have a double threshold (DPA 1978, Art. 47)

(i) in case of a first breach, the penalty may not exceed €150,000;

(ii) in the event of a second breach within five years, the penalty may not exceed:

- €300,000;

- or, in case of a legal entity, 5% of gross turnover for the latest financial year, within a

maximum of €300,000.

277. The five year period is computed from “the date on which the preceding financial

penalty becomes definitive”(DPA 1978, Art. 47(2)).

278. The financial penalties are collected “as State debts, other than taxes and income from

State assets” (DPA 1978, Art. 47, al. 4).

279. Whenever the CNIL issues a financial penalty that is final before the criminal court has

definitely judged the same or related facts, the criminal court may order the deduction of the

financial penalty from the fine that it imposes (DPA 1978, Art. 47(3)).

5.3.4 The injunction to stop the processing

280. For processing subject to a notification, an authorization regime or an exemption from

the prior formalities, the CNIL may, if the injunction is not complied with, issue an injunction

to stop the processing (injunction de cessation) (DPA 1978, Art. 45, I-2°).

281. For example, the CNIL has issued an injunction to stop processing in the following

cases:

- research of debtors by a investigation firm (Delib. 2007-186 of June 28, 2007);

- direct marketing (Delib. 2006-279 of December 14, 2006; Delib. 2006-290 of

December 14, 2006);

- list of bad payers in the real estate sector (Delib. 2007-111 of May 30, 2007).


282. The deletion of the data is expressly provided for in the 2004 reform. Previously, the

CNIL had the possibility to “order security measures that may go as far as the destruction of

the information media” (DPA 1978, former Art. 21, 3°).

283. That option has never been used by the CNIL. During the parliamentary debates, this

was suppressed, because:

- such action was serious and irreversible;

- such action was introduced in Article 226-22-2 of the Penal Code.

284. In such sanction is imposed, the officials of the CNIL “are authorized to verify the

deletion of such information” (Penal Code, Art. 226-22-2).

5.3.5 The withdrawal of the authorization

285. If an injunction is not complied with within the relevant time period, the CNIL may

withdraw the authorization (retrait de l’autorisation) for each processing previously

authorized.

286. The processing must be stopped as soon as the withdrawal is ordered as it no longer has

any legal basis.

5.3.6 The sanction procedure

287. Three procedures can be followed to impose sanctions:

- the ordinary procedure (DPA 1978, Art. 45, I);

- the emergency procedure (DPA 1978, Art. 45, II);

- the summary procedure for serious and immediate violation of fundamental liberties (DPA 1978, Art. 45, III).

288. The procedure before the CNIL is the same for each of the four categories of sanctions

below:

- the warning (DPA 1978, Art. 45, I);

- the financial penalty (DPA 1978, Art. 45, I-1°);

- the injunction to stop the processing (DPA 1978, Art. 45, I-2°);

- the withdrawal of the authorization (DPA 1978, Art. 45, I-2°).

289. Fair proceedings are held and both sides are heard at every step of the procedure from its

opening to the issuance of sanctions.

290. The procedure is divided into four steps:

- the inquiry;

- the report;

- the decision;

- the appeal.

291. The duration of the first step (the inquiry) may vary. It includes different phases such as

the building up the file and at least:

- an analysis of the situation;

- evidence that a breach has been committed.


292. The second step (the report) is mandatory. It includes the designation of a committee

spokesman (rapporteur) in charge of drafting a report. The rapporteur is designated by the

president appointed by the chairman of the CNIL from among the members not belonging to

the restricted committee. The report will serve as the basis on which sanctions may be issued.

The report is notified to the data controller.

293. The data controller may consult and copy the documents of the file after having sent a

letter to the CNIL.

294. The data controller may present remarks on the report. Those remarks are contained in a

memorandum, which must be submitted to the CNIL within one month from the receipt of the

report (Decr. 2005-1309 of October 20, 2005, Art. 75).

295. The third step (the decision) concerns the sanctions strictly speaking. Sanctions are

imposed by the restricted committee (DPA 1978, Art. 17). The data controller may be assisted

or represented at every step of the procedure.

296. The government commissioner (commissaire du gouvernement) attends the debates but

does not participate in the vote. When it comes to penalties, he may not require a second

deliberation.

297. Under Article 46 of the Data Protection Act, the committee spokesman may present oral

remarks to the CNIL. Pursuant to the principles of fair proceedings and equality of arms, the

data controller should be able to:

- hear the oral observations of the rapporteur;

- reply and presents in remark, in the same form and in the same conditions.

298. The rapporteur does not participate in the deliberations (DPA 1978, Art. 46(1)).

299. The CNIL may hear any person who may usefully contribute to its inquiry (DPA 1978,

Art. 46(1)).

300. The hearing takes place as follows:

- the remarks of the rapporteur;

- the remarks of the government commissioner;

- the oral arguments of the data controller.

301. The decision is made by a majority. It shall be reasoned (DPA 1978, Art. 46(3)).

302. In case of bad faith on the part of the data controller, the CNIL may order the publication

of any other penalties imposed in such publications, newspapers or other media as it

designates. Publication is at the expense of the persons sanctioned (DPA 1978, Art. 46(2)).

Publication is not available in case of warnings.

303. An appeal against the penalty on grounds of both facts and law may be made before the

Conseil d’Etat.


5.3.7 The emergency procedure before the CNIL

304. The emergency procedure (procedure d’urgence) requires that two conditions be met

(DPA 1978, Art. 45, II):

- an emergency;

- the proof that the processing or the use of processed data leads to a violation of the

fundamental rights and liberties referred to in Article 1 of the Data Protection Act, i.e.

human identity, human rights, privacy, or individual or public liberties.

305. Measures can be taken on only during fair proceedings where both sides are heard.

306. The emergency measures may:

- interrupt the implementation of the processing;

- block certain data.

307. The processing may be interrupted for a maximum period of three months (DPA 1978,

Art. 45, II-1°).

308. Interruption may not be decided for processing carried out for the State concerning:

- State security, defense or public safety (DPA 1978, Art. 45, II-1° referring to

Article 26, I-1°);

- the investigation, or proof of criminal offences, the prosecution of offenders or the

execution of criminal sentences or security measures (DPA 1978, Art. 45, II-1°

referring to Article 26, I-2°);

- the management of prohibited data authorized by a decree subject to a prior opinion of

the Conseil d’Etat (DPA 1978, Art. 45, II-1° referring to Article 26, II itself making

reference to Article 8 concerning racial and ethnic origins, the political, philosophical,

religious opinions or trade union affiliation of persons, or which concern health or

sexual life);

- use or consultation of the national register for the identification of individuals

(DPA 1978, Art. 45, II-1° referring to Article 27, I-1°);

- biometric data (DPA 1978, Art. 45, II-1° referring to Article 27, I-2°);

- taxes (DPA 1978, Art. 45, II-1° referring to Article 27, II-2°);

- statistics (DPA 1978, Art. 45, II-1° referring to Article 27, II-2°).

309. The processing may be blocked for a maximum period of three months (DPA 1978,

Art. 45, II-2°).

310. Blocking may not be decided for processing carried out for the State which involve:

- State security, defense or public safety (DPA 1978, Art. 45, II-1° referring to

Article 26, I-1°);

- the prevention, investigation, or proof of criminal offences, the prosecution of

offenders or the execution of criminal sentences or security measures (DPA 1978,

Art. 45, II-1° referring to Article 26, I-2°);

- the management of prohibited data authorized by a decree subject to a prior opinion of

the Conseil d’Etat (DPA 1978, Art. 45, II 1° referring to Article 26, II itself making

reference to Article 8).


311. For processings excluded from the interruption and blocking measures taken under an

emergency procedure, a special procedure is organized as follows:

- notification of the Prime Minister on the violation of the fundamental rights and

liberties;

- reply from the Prime Minister within fifteen days of receiving the notification

indicating the steps that have been taken.

5.3.8 The summary procedure

312. The summary procedure (known as référé liberté) may be applied in case of serious and

immediate violation of the rights and liberties mentioned in Article 1 of the Data Protection

Act (violation of human identity, human rights, privacy, or individual or public liberties) at

the initiative of the chairman of the CNIL.

313. The emergency procedure will fall either within the jurisdiction of the judicial courts if

the data controller acts for private interests, or within the jurisdiction of the administrative

courts if the controller acts on behalf of the State, a public establishment or a local authority

or in the course of the performance of a public service mission (Alex Türk Rapport, Senate

Doc. No. 218 of March 19, 2003 p. 139).

314. It concerns all processing operations, whether public or private.


6. SECTOR-SPECIFIC DATA PROTECTION RULES

6.1 PUBLIC SECTOR

315. Public sector includes:

- the general presentation of the activities of the State;

- national defense;

- justice;

- police, “gendarmerie”(constabulary) and customs;

- state education;

- the activities of public establishments and those of private organizations entrusted

with a public service;

- local authorities.

6.1.1 The State

316. Further to the 2004 reform, processing carried out for the State are subject to:

- a special authorization regime (DPA 1978, Art. 26 and 27);

- the general regime for authorizations and notifications (DPA 1978, Art 25).

317. The main categories of processing carried out for the State may be classified as follows:

- processing linked to State sovereignty: State security, defense or public safety;

- processing related to the prevention, investigation, or proof of criminal offences, the

prosecution of offenders or the execution of criminal sentences or security measures;

- processing related to state education;

- processing for staff management;

- e-government;

- processing for public statistics purposes.

318. Staff management

319. This category of processing may be subject to:

- an exemption from notification for the management of remunerations (Delib. 2004-

096 of December 9, 2004 (State, local authorities, public establishments and private

legal entities in charge of a public service);

- a simplified standard for the staff management function (Delib. 2005-002 of January

13, 2005).

320. e-government

321. e-government gathers all of the dematerialized administrative activities.

322. Special regimes concern:

- the processing of on-line e-government services using the registration number of

individuals (“NIR”) in the national register for identification or any other identifier of

individuals (authorization);

- the dematerialization of public procurements (exemption from notification).

323. e-government activities with identity managed by NIR or another identifier must be

subject to a prior authorization.


324. The demateralization of public procurements

325. Processings implemented by public organizations under the dematerialization of public

procurements are exempted from notification on the basis of deliberation 2005-003 of January

13, 2005. The exemption covers all activities lined to the dematerialization of public

procurements.

326. “The only functions of the processing must be:

- the publication, the transmission and the provision via electronic means of documents

relating to public invitations to bid realized by publics organizations governed by the

Public Procurement Contracts Code;

- the receipt by such organizations of bids and answers related to the conclusion of a

public procurement contract;

- the establishment, by the public organizations governed by the Public Procurement

Contracts Code, of a register that may include: the notice that the invitation to bid has

been put online, the tender regulations, the consultation dossier of companies and any

modifications made thereto, the list of the persons who have downloaded the

documents, all information exchanged with those persons, the references of the

applications and bids received;

- the secure management of applications, bids, notifications and letters required to

award a public procurement contract.

Any use of personal data for direct marketing shall be prohibited” (Delib. 2005-003 of

January 13, 2005, Art. 2).

327. Automatic processings that imply the transmission of personal data to non-EU countries

are not eligible to the exemption, including when such transmission is made for

subcontracting purposes (Delib. 2005-003 of January 13, 2005, Art. 9).

328. Public statistics

329. Public statistics are mainly governed by the Act related to obligations, co-ordination and

confidentiality as regards statistics (Act 51-711 of June 7, 1951 related to obligations, co-

ordination and confidentiality as regards statistics).

330. The guiding principles are:

- an authorization regime;

- a secrecy period that may not exceed a hundred year;

- a segmentation of uses;

- an obligation to answer, any failure leading to a fine per each offense;

- a general prohibition to use the results for tax audit or sanction purposes.

331. In that domain, the CNIL, has adopted three simplified standards for:

- statistical processing of personal data related to individuals and their status as

individual entrepreneurs or family support carried out by public services and

organizations governed by Act 51-711 of June 7, 1951, as amended (Delib. 81-017 of

February 24, 1981; NS no 18);


- automatic statistical processing of personal data extracted from surveys related to

individuals carried out by the State and public administrative establishments

(Delib. 81-028 of March 24, 1981; NS no 19);

- automatic statistical processing made, on the basis of management documents or files

containing personal data on individuals, by services producing statistical information

within the meaning of Decree 84-628 of July 17, 1984 (Delib. 84-038 of November

13, 1984; NS no 26).

332. Decree 84-628 has been cancelled and superseded by Decree 2005-333 of April 7, 2005,

related to the National Council for Statistical Information and the Committee of IT secrecy.

333. State education and teaching

334. The processings of that sector are organized as follows:

- management of pupils in nursery schools and elementary schools;

- schools and secondary education establishments;

- management of Crous (students‟representative body);

- geo-location of children.

335. Processing related to the management of pupils in nursery schools and elementary

schools are governed by simplified standard No. 33 “Nursery Schools and Elementary

Schools” and simplified standard No. 27 “Pupils and Local Services”.

336. Processing related to schools and secondary education establishments are governed by

simplified standard No. 29 3Schools and Secondary Education Establishments3.

337. Processings related to the social action and statistical data on the activities of the social

services of Crous implement data on possible social difficulties. Those processing operations

are subject to the authorization regime (L 1978, art. 25, 7°). The CNIL has adopted a single

authorization No. AU-002 for them.

6.1.2 National defense

338. The activities involved in the sector of national defense, State security and public safety

are subject to a specific legal regime with regard to:

- the prior formalities;

- the rights of data subjects;

- the CNIL‟s right to supervise.

339. Processing linked to State sovereignty do not fall within the scope of Directive 95/46/EC

of October 24, 1995 (Dir. 95/46, 13th

recital).

340. Processing linked to State sovereignty are subject to an authorization regime based on:

- an order;

- a decree subject to a prior opinion of the “Conseil d‟Etat” when sensitive date are

used.

341. Requests for opinions related to those processings may not have to “include all the

elements” defined in Article 30, such as the identity of the controller, the purpose, the data

used, etc.


342. The following processings are eligible to that derogation:

“1. Decree for the application to files managed by the direction de la surveillance du territoire

of the provisions of Article 31 (3rd

paragraph) of the Act No. 78-17 of January 6, 1978;

2. Decree for the application of the provisions of Article 31 of the Act No. 78-17 of January 6,

1978, to personal data files implemented by the direction générale de la sécurité extérieure;


1978, to files of the direction de la protection et de la sécurité de la défense;


1978, to the personal data file implemented by the direction du renseignement militaire;

5. Order relating to the automatic processing of personal data implemented by the direction de

la protection et de la sécurité de la défense;

6. Order relating to the automatic processing of personal data “fichier de la DGSE”

implemented by the direction générale de la sécurité extérieure;

7. Order relating to the automatic processing of personal data “fichier du personnel de la

DGSE” implemented by the direction générale de la sécurité extérieure;

8. Order relating to the automatic processing of personal data of foreigners implemented by

the direction du renseignement militaire.” (Decr. 2007-914 of May 15, 200, adopted for the

application of Article 30 I) of the DPA 1978, Art. 1).

343. For the processings listed above, Decree of May 15, 2007, expressly provides that the

request for opinion of the CNIL should at least contain the following information:

- “the identity and address of the data controller;

- the purposes of the processing, if applicable, the title of the processing;

- the service(s) responsible for carrying out the processing;

- the service where the indirect right of access stated in Article 41 of aforementioned

Act of January 6, 1978, is exercised as well as the measures adopted to facilitate the

exercise of that right;

- the categories of persons who, due to their functions or for the needs of their

department, have a direct access to the registered data;

- the authorized recipients or categories of recipients to whom the data may be

disclosed;

- if necessary, the combinations, the alignments or any other form of relation with other

processing” (Decr. 2005-1309 of October 20, 2005, as amended by Decree 2007-451

of March 25, 2007).

344. Processings linked to State sovereignty which are subject to an authorization regime

under an order or a decree subject to a prior opinion of the “Conseil d‟Etat” may be exempted

from the publication of the regulatory document authorizing them (DPA 1978, Art. 26, III).

The same applies to the aforementioned processings (Decr. 2007-914 of May, 15, 2007,

Art. 2).

345. Processing related to national defense, State security, or public safety are subject to an

indirect access, except otherwise stated in the authorization.

346. Processing related to State security are exempted from the supervision of the CNIL. Such

exemption must be stated in a decree subject to a prior opinion of the “Conseil d‟Etat”

(DPA 1978, Art. 44, IV).

347. The same applies to the automatic processing of personal data of foreigners carried out

by the direction du renseignement militaire (Decr. 2007-914 of May 15, 2007, Art. 3).


6.1.3 Justice

348. Courts, within the limit of their legal missions, have the possibility to collect and

process:

- sensitive data (data revealing racial or ethnic origin, political opinions, religious or

philosophical beliefs, trade-union membership and concerning health or sex life);

- personal data on offences, convictions and security measures.

349. The authorization regime applies to the following processing:

- the investigation, proof of criminal offences and the prosecution of offenders;

- the management of criminal sentences or security measures.

350. Court decisions involving the assessment of an individual‟s behavior based on an

automatic processing of personal data intended to assess some aspects of his personality are

prohibited.

351. Processing whose purpose is the prevention, investigation, or proof of criminal offences

are subject to an indirect access where the authorization express provides for such indirect

access (DPA 1978, Art. 42).

352. Such processings are organized as follows:

- the national automated criminal record;

- processing by the representatives of the law;

- processing of notaries;

- processing of bailiffs;

- electronic supervision.

353. The national automated criminal record

354. The national automated criminal record is run under the authority of the Minister of

Justice (Code of Criminal Procedure, Art. 768).

355. It concerns:

- individuals born in France, after a check of their identity through the national

identification register for natural persons has been made; such identification number

may in no case be used as the basis for an identity check (Code of Criminal Procedure,

Art. 768);

- legal entities;

- individuals born abroad (Code of Criminal Procedure, Art. 771);

- individuals whose birth certificates have not been found or whose identity is doubtful

(Code of Criminal Procedure, Art. 771).

356. Processing by the representatives of the law

357. Processing by the representatives of the law are subject:

- for processing of personal data relating to offences, convictions and security measures,

to the notification regime, by derogation from the authorization regime applicable to

that type of processing ;

- for processing implementing other personal data, to the general regime (authorization

or notification) according to the nature of the data, information systems or

technologies used.


358. Processing by notaries

359. Notarial activities and the drafting of documents by notaries (notaires) are subject to the

authorization regime given:

- the nature of the data (sensitive, offences, convictions and security measures);

- the “combination of files of one or several legal entities who manage a public service

and whose purposes relate to different public interests” (DPA 1978, Art. 25 I 5), e.g.

the processing Télé@ctes” (IT system between mortgage notaries and registries).

360. They are regulated by the single authorization No. AU-006.

361. Processing by baillifs

362. Processing by baillifs (huissiers de justice) are subject:

- for processing of personal data relating to offences, convictions and security measures,

to the notification regime, by derogation from the authorization regime applicable to

that type of processing;

- for processing implementing other personal data, to the general regime (authorization

or notification) according to the nature of the data, information systems or

technologies used.

363. As part of their service or enforcement operations, bailiffs may hold personal data on the

privacy of individuals.

364. The collection and use of these data must comply with the fundamental principles of

fairness, accuracy, proportionally, purpose and dignity.

365. Electronic supervision

366. The placement under electronic supervision concerns:

- an alternative to the enforcement of a custodial sentence;

- a supervision to evaluate or prevent the commission of a new offense.

367. The penalty enforcement judge may provide that the penalty will be enforced via the

placement under electronic supervision such as set out in Article 132-26-1 of the Penal Code,

either in case of sentence to one or more custodial sentences for a total period that may not

exceed one year, or when the convicted person still has to serve one or more custodial

sentences for a total period that may not exceed one year, or when the convicted person has

been admitted to release on parole, subject to have been placed under electronic supervision

on a probationary basis for a period that may not exceed one year.

368. The purpose of processing of personal data on individuals placed under electronic

supervision is to :

- remotely control their location and monitor them;

- research and arrest them in case they breach their obligations” (Order of January 15,

2007, Art. 1).


6.1.4 Police, gendarmerie and customs

369. The authorization regime applies to the following processings:

- the investigation, the proof of criminal offences or the prosecution of offenders;

- the execution of criminal sentences or security measures.

370. The rights of data subjects: processings whose purpose is the prevention, investigation,

or proof of criminal offences are subject to an indirect access right, when the authorization

expressly provides for such derogation (DPA 1978, Art. 42).

371. Most police files are justified by the following reasons:

- security reasons requiring an “electronic” answer to the main categories of criminality;

- refusal to crease a mega database inventorying all fraudulent behaviors (offenses of

any nature, possession of arms, generic technology, etc.).

372. Each file must meet the seven criteria below:

- legality (legal authorization);

- purpose (scope: fight against criminality);

- legitimacy;

- proportionality;

- limitation of uses and destructions;

- regulation and traceability of uses;

- deletion of offences after a legal period.

373. Lastly, the purpose of that segmentation is to organize the separation between judicial

police offences and administrative police offences.

374. The main specific processings in that sector are organized as follows:

- the criminal offences processing system (Stic);

- the judicial system of documentation and ‟exploitation known as “Judex”;

- the Ariane project;

- the file on repeated offences;

- the file on wanted individuals;

- the file of Renseignements Généraux (security branch of the police force);

- the stolen vehicle file;

- the file on fingerprints and palm print (Faed);

- the automated genetic fingerprint file (Fnaeg);

- the computer file of terrorism (FIT);

- the national judicial file on the authors of sexual or violent offences (Fijais);

- the Schengen Information System;

- interceptions of telecommunications ;

- the file on the fight against illegal immigration;

- the PNR Agreement with the USA;

- the issuance of a biometric visa.


6.1.5 Private organizations entrusted with a public service mission

375. The regime of that sector is based on the following guidelines:

- an authorization regime concerning the processing subject to Article 27;

- a general regime according to the type of processing carried out or the technology

used.

376. The obligations depend on the information systems carried out, e.g. a human resources

information system, or on the technologies used, e.g. video surveillance or geo-location.

6.1.6 Local authorities

377. Local authorities manage a vast number of processings, which may be divided into three

categories:

- information systems;

- implementation technologies;

- specific processings detailed in that chapter.

378. The data collected must be used for the purposes corresponding to the missions of the

local authorities.

379. Towns must:

- only hold data that is relevant in relation to the purposes;

- separate the data between services and avoid the creation of a unique database;

- limit the use to the missions concerned.

380. Except special cases, under the Data Protection Act, the mayor is responsible for the

computer files carried out by the town.

381. Processing related to local authorities may be organized as follows:

- registers of birth, marriage and death;

- electoral files;

- administration of populations;

- town planning;

- taxation;

- e-government;

- schooling;

- culture.

382. Registers of birth, marriage and death

383. Towns are obliged to establish a register of birth, marriage and death (registre d’état

civil); as a result, citizens may not object to its establishment. That processing may be subject

to a simplified notification.

384. In such case, the processing for the establishment of registers of birth, marriage and

death should be subject to a standard notification. For most common processings, there is also

a simplified standard No. 43 entitled “Registers of Birth, Marriage and Death”.

385. The online service designed to request extracts from the register of birth, marriage and

death is subject to a single regulatory instrument (RU-002; Order of February 6, 2006).


386. The regulatory instrument RU-001 allows local authorities to manage requests for

validation of certificates for the accommodation of foreigners (Delib. 2005-052 of March 30,

2005).

387. Electoral files

388. The electoral roll includes:

- the last name, first name, domicile or residence of all voters (Electoral Code,

Art. L 18);

- the date and place of birth of each voter (Electoral Code, Art. L 19).

389. “Any voter, any candidate and any party or political group may access and make a copy

of the Electoral Code” (Electoral Code, Art. L 28).

390. The CNIL considers that the mayor:

- may use that list to send letters to citizens, such as the town bulletin;

- must ensure transparency on the origin of the information used;

- must enable the recipients to suppress, if they so wish, their contact details from the

file created to that end.

391. There are two simplified standards (No. 24 and 38) on the electoral file.

392. Administration of populations

393. The main processings related to the administration of populations concern:

- the management of populations;

- the information of populations;

- the communication of information on the populations administered.

394. It may be subject to the simplified standard No. 32 (Delib. 87-119 of December 1, 1987,

on the automatic processing of personal data implemented by towns whose population does

not exceed 2,000 habitants for the management of their; NS No. 32).

395. There is also a simplified standard No. 31 dealing with the information of populations.

396. Town planning

397. The simplified standard No. 44 “Land Registry” regulates the management of land

registry and town planning.

398. Concerning the communication of information, the principles are the following:

- the public has no direct access to the consultation software;

- the communication supposes that the requesting party signs a personal commitment

document on “the limits of use and risks incurred” in case of non-compliance;

- privacy data (date and place of birth of the owner, reason for exemption, elements

related to financing etc.) may not be disclosed;

- the address of the domicile of the owner may be given only on legitimate grounds

(Guide for local authorities, Cnil, 2004).


399. Taxation

400. Processings related to taxation are regulated by simplified standards No. 45 “Direct

Taxes”, No. 49 “Vacant housing” and No. 10 “Taxes”.

401. Online government services

402. Processing related to e-government and online services benefit from an exemption No. 5

“Control of Legality”.

403. Schooling

404. The management of children of school age by towns may be subject to the simplified

standard No. 33.

405. The management of services to pupils may be subject to the simplified standard No. 27.

406. Culture

407. The cultural sector includes:

- libraries;

- conservatoires;

- local theaters;

- the organization of events.

408. The management of loans to users may be subject to the simplified standard No. 9.

409. Processings related to the activities of conservatoires must be subject to a standard

notification or to the simplified standard “Management of clients”.

410. Concerning local theaters, the rules applicable are similar to those applying to

conservatoires. The management of the ticket office is subject to a special presentation.

6.2 BANK – INSURANCE SECTOR

6.2.1 Bank

411. The banking industry is carefully monitored by the CNIL, as demonstrated by the many

controls carried out and sanctions issued by the data protection authority. Over a long period,

the banking sector is the sector that has been most often subject to penalties from the CNIL

(warnings and sanctions included).

412. Companies working in the banking sector are excluded from simplified standard No. 48

“Management of Clients”.

413. Prior formalities related to customer information systems are organized as follows:

- the management and keeping of accounts (general notification or simplified

notification under standard No. 12);

- the management of credits to individuals (general notification or simplified

notification under standard No. 13);

- the assessment of risk and scoring technique (authorization or single

authorization AU 005).


414. Considering the difficulties faced in that sector by non-professional individuals to

exercise their right of access, the CNIL has drafted a specific guide (“Le droit d‟accès dans le

secteur bancaire”, Cnil December 2004, available on the CNIL website, section

“Approfondir”, “dossier Banque-Finance”).

415. Processings in that sector can be divided into the main categories below:

- the management of the customer information system;

- the assessment of the risks and the scoring techniques;

- the Central Check Register (FCC);

- the National Register of Irregular Checks (FNCI);

- the Register on (CB) Credit Card Withdrawals;

- the National Register of Household Credit Repayment Incidents (FICP);

- the Aeras convention;

- the fight against money laundering;

- the list of insiders;

- the management of financial instruments;

- the Swift network;

- the bank insurance.

416. Assessment of risks and scoring techniques

417. The CNIL has adopted a single authorization AU-005 (Delib. 2006-019 of February 2,

2006) for the assessment of risks and scoring techniques.

418. The scoring techniques are, legally speaking, automated decisions governed by Art. 10 of

the Data Protection Act.

419. Central Check Register

420. The Central Check Register (FCC) is a mean to crack down on bad checks. More than a

record on default, the purpose of that system is to organize a dissuasion system and prevent

the issuance of bad checks or, at least, to limit the reiteration of such economic defaults

(Monetary and Financial Code, Art. L 131-85 and R 131-26).

421. The Bank of France is in charge of centralizing all of this information.

422. National Register of Irregular Checks (FNCI)

423. The purpose of that register is to enable each beneficiary of a check to verify the validity

of said check (Monetary and Financial Code, Art. L 131-86).

424. Data relates to all information on the regularity of the check (loss, theft, closed account,

etc.), except for the name of the account holder.

425. Processing operations are carried out by the Bank of France (Monetary and Financial

Code, Art. L 131-86).


426. Register on CB Credit Card Withdrawals

427. The Register on CB Credit Card Withdrawals is based on a contractual agreement

between the Bank of France the Groupement des Cartes Bancaires, which has been subject to

a decision of the general council of the Bank of France (Decision of July 16, 1987, adopted by

the general council of the Bank of France, Art. 1).

428. The Bank of France is in charge of centralizing all of this information.

429. National register of Household Credit Repayment Incidents (FICP)

430. The National Register of Household Credit Repayment Incidents lists information on

instances of deliberate non-payment of loans granted to natural persons for non-professional

purposes. The register is administered by the Bank of France (Consumer Code. Art. L 333-4).

431. The credit institutions referred to in Act 84-46 of January 24, 1984, relating to the

activities and supervision of credit institutions, are required to report all such instances of

non-payment to the Bank of France. The cost of making such reports shall not be charged to

the individuals concerned (Consumer Code, Art. L 333-4).

432. The Bank of France is the only one authorized to centralize the information referred to in

paragraph above. Only professional bodies and central bodies representing institutions

referred to in the second paragraph are authorized to keep registers relating to instances of

non-payment. The Bank of France is released from professional secrecy in regard to the

transmission of personal information contained in the register to credit institutions and the

aforementioned financial services. The Bank of France and the credit institutions are

prohibited from providing copies of information contained in the register to anyone, in any

form whatsoever, including the person concerned when he exercises his right of access

pursuant to Article 39 of Act No. 78-17 of January 6, 1978, under pain of the penalties

provided for in Articles 226-22 and 226-21 of the Penal Code (Consumer Code, Art. L 333-

4)..

433. Aeras Convention

434. The Aeras (“Assurer et Emprunter avec un Risque Aggravé de Santé”) convention

improve access to insurance and credit for individuals who present an aggravated health risk

or disability. Its legal framework is found in Article L 1141-2 of the Public Health Code.

435. In addition to the obligations stated in the Data Protection Act in regard to health data ,

the Aeras convention establishes special obligations to organize:

- the confidentiality of the access to the health information and questionnaires, when the

data are collected in the agency;

- the obligation to let the data subject act alone.


436. The fight against money laundering

437. That type of processing is subject to the authorization regime, to the extent that a

profiling results in excluding “persons from the benefit of a right, a service or a contract”.

(DPA 1978, Art. 25, 9-4°).

438. The CNIL has established a general framework (a single authorization) to combat money

laundering and terrorist financing.

439. In the event where the banking institution is not eligible to said single authorization, a

request for special authorization must be submitted.

440. The authorization determines a special framework based on these limitations

(Delib. 2005-297 of December 1, 2005 adopting a single authorization for certain processing

of personal data carried out in financial organizations to combat money laundering and

terrorist financing; AU-003).

441. The fight against fraud and inconsistencies

442. The purpose of that type of processing is to search elements revealing abnormal

behaviors on the basis of different sources of information, such as:

- successive elements provided by customers or prospects;

- public records (register of commerce);

- inconsistencies in the information provided.

443. To the extent that the analysis may result in an exclusion of a right or a contract, that

type of processing is subject to the authorization regime (DPA 1978, Art. 25, I-4°).

444. That type of processing falls within the category of profiles. A manual evaluation is

required before rejecting any loan or carrying out any financial operation.

445. Swift network

446. The Swift (Society for Worldwide Interbank Financial Telecommunication) network is a

Belgian company subject to the supervision of the Banking, Finance and Insurance

Commission of Belgium.

447. The CNIL, in cooperation with the Art. 29 Working party, has launched investigations in

order to determine if a monitoring contrary to the Data Protection Act was realized after the

9/11/2001 attacks.

448. According to the CNIL, such monitoring:

- covers not only financial transfers to the USA, but also all transactions worldwide,

including within the European Union;

- has been realized without prior consultation with the European and national public

authorities;

- is made outside the legal framework of intergovernmental cooperation.


449. Bank insurance

450. Banking and insurance activities tend to be close in several areas, such as:

- the investment activities;

- the coupling of financial products with insurance products, in particular for life

insurance contracts.

451. Those two activities are subject to different legal status and are respectively governed by

the Monetary and Financial Code and the Insurance Code.

452. Generally, the brakes for the exchange of personal data result from:

- the protection of the banking sector;

- the general data protection principle of the sectorization of personal data.

6.2.2 Insurance

453. The insurance and risk information system includes the management of:

- insurance policies;

- risks;

- loss.

454. The management of insurance policies

455. Personal data is generally limited to the contact persons of insurance organizations

(internal services of the organization, relations with brokers, insurers and reinsurers).

456. Despite the secondary role played by personal data in these processings, a notification

should nonetheless be filed.

457. The management of risks

458. In most cases, processing for risk management related to infrastructures and resources do

not directly involved personal data.

459. A notification to the CNIL must be made for processing involving personal data such as:

- the contact person in charge of claims (internal and external relations);

- the list of key individuals;

- private data for individuals on stand-by or alert duty in case a risk occurs (address and

home number of the person or of a next of kin, of a second or holiday home, etc.);

- the personal data of the crisis unit members.

460. The management of claims

461. The management of claims may be divided into to main categories:

- the technical insurance management, which supervised by the insurance and risk

department;

- the management of the claim, which is generally supervised by the litigation

department.


462. Those processings must be linked to:

- the notification of the insurance and risk IT system, if no offences, convictions or

security measures is recorded;

- the authorization corresponding to the management of disputes.

6.3 THE DIRECT MARKETING SECTOR

463. The concept of direct marketing includes the following subsectors:

- the sector of distance sale;

- the activities of direct marketing related to the services of other economic activities.

464. The main specific processing in that sector are organized as follows:

- direct canvassing;

- behavioral databases;

- the use of the credit card number;

- the assignment of personal data files;

- the right against spamming.

6.3.1 Direct canvassing

465. Direct canvassing may be made via different vectors, whether manual or electronic: call

centers, e-mails, SMS, EMS, MMS, etc.

466. Each of these forms, considering their more or less intrusive effects into privacy, are

subject to specific rules. Legally speaking, “constitutes direct canvassing the sending of any

message intended to promote, directly or indirectly, goods, services or image of an individual

selling goods or supplying services” (Posts and Electronic Communications Code, Art. L 34-

5(3)).

467. “It is prohibited to directly canvass, using automatic calling machines, fax machines or

emails, which use, in any form, the contact details of an individual who has not given prior

consent to receive direct canvassing by said means” (Posts and Electronic Communications

Code, Art. 34-5(1)).

468. Consent is defined as “any specific and informed manifestation of free will by which a

person agrees to personal data relating to himself being used for direct canvassing”. (Posts

and Electronic Communications Code, Art. L 34-5(2)).

469. Said manifestation should be specific (opt-in), e.g. via:

- a box to be ticked in a form;

- notices in bold or in block letters in the terms of sale or terms of service.

470. According to the CNIL, “the consent to be canvassed must be „informed‟. For example,

the fact of accepting terms of sale does not mean that you have given your consent to be

canvassed” (Guide Cnil, “Halte aux publicités”, January 2005 p. 8).


471. “In compliance with the provisions of the Data Protection Act No. 78-17 of January 6,

1978, direct canvassing via email is authorized if the contact details data of the recipient were

supplied directly by the latter during a sale or the provision of goods if the direct canvassing

concerns similar products or services supplied by the same natural person or legal entity, and

if the recipient is explicitly and unambiguously offered the option of refusing the use of his

personal data, at no cost except those involved in transmitting the refusal and in a simple

manner, and every time a canvassing email is sent to said recipient” (opt-out) (Posts and

Electronic Communications Code, Art. L 34-5(4)).

472. In addition to the general right to object, “it is forbidden to send messages for direct

prospecting via automatic calling machines, fax machines, and emails without listing the valid

contact details to which the recipient may usefully address a request for said communications

to cease without any costs other than the costs incurred by the transmission of the request”.

Posts and Electronic Communications Code, Art. L 34-5(5)).

473. There are special list where individuals can register to express their objection to direct

marketing:

- the list of unlisted number;

- the list of objection to canvassing for telephone directories;

- the list of objection to reverse phone directory for fixed and mobile telephones.

6.3.2 Behavioral databases

474. The creation and use of behavioral databases on the consumer habits of households for

direct marketing purposes have been subject to a recommendation from the CNIL (Delib. 97-

012 of February 18, 1997).

475. Generally, the collection is made on the basis of anonymous questionnaires, in order to :

- obtain data on behavioral habits (more than a hundred questions);

- optionally collect the contact details of individuals in exchange of advantages such as

premiums, gifts or discounts vouchers.

476. While that practice is legal, the CNIL has made the following recommendation on the

presentation of the questionnaires sent:

- it must be unambiguous on the purpose of the data collection and, in particular, it

should be avoided to use any term or name that may create a likelihood of confusion

in the mind of the public, such as the terms “Institute” or “survey” and that may make

people inaccurately think that it has a statistical, or even an official purpose, or that

may have the purpose of dissimulating the actual business nature of the operation,;

- it must be unambiguous on the purpose of the databases which are built from the

answers given by consumers, so that such consumers are clearly aware that their

answers will be used in direct marking databases;

- it must be made in such manner that the individuals concerned, when they are incited

to answer them in exchange for various offers (gifts, gift tokens or discount coupons)

are clearly informed of the conditions in which they will be able to benefit from those

offers; the foregoing should particularly be the case when the offers are reserved

exclusively for those individuals who did not object to the assignment of their data to

external companies (Delib. 97-012 of February 18, 1997).


6.3.3 The use of the credit card number

477. The recommendation on the storage and use of the credit card number expressly refers to

the distance sale sector (Delib. 03-034 of June 19, 2003).

478. However, the principles apply to data controllers of other sectors when they carry out

similar actions.

479. To the extent that the credit card number is related to an ongoing transaction, all other

uses imply:

- to obtain consents to integrate information in the database;

- to give information on the subsequent and independent uses of the transaction, on

which the initial delivery of the credit card number is based;

- to provide clear information on the right to objection.

6.3.4 The assignment of files

480. In practice, the term “assignment of files” includes many assignment contracts, e.g.

invoices, leasing, provision of addresses, exploitation of databases...

481. Those activities imply:

- a legal collection when data are recorded;

- special information on the realization of that type of information ;

- the possibility to simply exercise a right to object.

6.3.5 E-mailing charter

482. The code of good conduct on the use of electronic contact details for marketing purposes

(available on Fevad website, http://www.fevad.com) has been established by the French

Union of Direct Marketing (UFMD) whose members include:

- Fédération des entreprises de vente à distance (Fevad);

- Union des annonceurs (UDA);

- Association des agences conseils en communication (AACC);

- Mobile marketing association (MMA);

- Union nationale des organismes faisant appel à la générosité du public (Unogep);

- Syndicat des producteurs de cadeaux d‟affaires et d‟objets publicitaires (Syprocaf);

- Bureau de vérification de la publicité (BVP);

- Cercle du marketing direct (CMD);

- Institut européen du marketing direct (IEMD);

- La Poste.

483. The code has been recognized by the CNIL as compliant with the Data Protection Act.

484. The code of good conduct contains:

- principles enshrined in the Data Protection Act;

- modalities to apply those principles;

- examples.

http://www.fevad.com/


485. There are additional obligations concerning:

- the consent;

- the subject of the message;

- the addresses of the members of a legal entity;

- the contact details of minors;

- information on the code.

6.3.6 Fight against spamming

486. Spamming is an electronic mailing process of unsolicited messages distributed from

electronic address files:

- collected automatically on Internet services (web, forum, chat, etc.) ;

- composed artificially via automatic rules, e.g. family name-first name, followed by the

address of the company sated in directories;

- obtained from personal files, personal or professional directories obtained in an unfair

manner.

487. The use of robot researching e-mail addresses on the Internet, combined with the sending

of e-mails on the fly, without building a file, has been considered as unfair to the extent that

such use of electronic addresses hindered the exercise of the right to object (Cass. crim.,

March 14, 2006 No. 05-83.423).

488. The CNIL has applied a policy to combat spamming and help Internet users who are

victims of spamming since 2002.

489. The spam box located at [email protected] was designed to provide Internet users with a tool

to transfer unsolicited messages to the CNIL so that it may:

- size up the phenomenon (importance and nature of the messages);

- take actions under its supervision powers;

- notify to the Public Prosecutor serious spamming operations.

* * *

mailto:[email protected]


490. Regulatory authorities worldwide:

491. Governments across the world, whether in Europe (France, Belgium, Switzerland,

Luxembourg, Romania…), North America, Canada… have rapidly implemented their own

personal data protection system.

492. While some countries have both adopted personal data laws and set up authorities to

ensure that protection, others only have data protection laws or only data protection

authorities without specific laws, and others have none.

493. Most countries have decided to entrust “independent bodies” with the mandate of

ensuring the respect of rights and principles set out in their legislation on the protection of

personal data in order to tackle the following question:

494. How to ensure the respect of the private sphere with the development of the new

technologies?

- the authorities in Europe (EU, EEA and Switzerland);

- the authorities outside Europe;

- the cooperation of these authorities to ensure a protection of personal data at the

international level.

MODULE N°4 –Regulation (e-learning available on iTuneU)


7. REGULATORY AUTHORITIES IN EUROPE

7.1 THE EUROPEAN UNION (EU)

7.1.1 The United Kingdom

495. Name of the authority:

- Information Commissioner‟s Office38

(ICO). The Information Commissioner is an

independent official appointed by the Crown. The Commissioner‟s decisions are

subject to the supervision of the Court and the Information Tribunal39

.

496. Legislation :

- Data protection Act 199840

.

497. Missions and powers:

- promote good practice and give information and advice ;

- resolve complaints from people who think their rights have been breached ;

- use legal sanctions against those who ignore or refuse to accept their obligations.

7.1.2 Spain


- Agencia Espanola de proteccion de datos41

or AEDP (Spanish Data Protection

Agency).

499. Legislation:

- Organic Act on Data Protection of December 13, 199942

.


- ensure compliance with the legislation on data protection and ensure its application ;

- consider the complaints from the data subjects ;

- impose administrative sanctions and penalties ;

- issue authorization, draw reports.

501. Composition:

502. The Agency is managed and represented by the Director of the Data Protection Agency.

The Director of the Data Protection Agency shall be assisted by a Consultative Council.

38

http://www.ico.gov.uk/ 39

Information tribunal is a tribunal non-departmental public body in the United Kingdom. It hears appeals from

notices issued by Information Commissioner under two Acts of Parliament - the Data Protection Act 1998 and

the Freedom of Information Act 2000 - and two related Statutory Instruments - the Privacy and Electronic

Communications Regulations 2003 and the Environmental Information Regulations 2004. 40

http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1 41

https://www.agpd.es/portalweb/index-ides-idphp.php 42

https://www.agpd.es/portalweb/english_resources/regulations/common/pdfs/Ley_Orgaica_15-99_ingles.pdf

http://www.ico.gov.uk/

http://en.wikipedia.org/wiki/Information_Commissioner

http://en.wikipedia.org/wiki/Act_of_Parliament

http://en.wikipedia.org/wiki/Data_Protection_Act_1998

http://en.wikipedia.org/wiki/Freedom_of_Information_Act_2000

http://en.wikipedia.org/wiki/Statutory_Instrument

http://en.wikipedia.org/wiki/Privacy_and_Electronic_Communications_Regulations_2003

http://en.wikipedia.org/wiki/Privacy_and_Electronic_Communications_Regulations_2003

http://en.wikipedia.org/wiki/Environmental_Information_Regulations_2004

http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1

https://www.agpd.es/portalweb/index-ides-idphp.php

https://www.agpd.es/portalweb/english_resources/regulations/common/pdfs/Ley_Orgaica_15-99_ingles.pdf


7.1.3 Belgium


- Commission pour la protection de la vie privée43

(CPVP), under the supervision of the

Belgian House of Representatives (Privacy Commission)

504. Legislation:

- Law of 8 December 1992 on Privacy Protection in relation to the Processing of

Personal Data implemented by Royal Decree of 13 March 200144

.


- ensure the protection of privacy during the processing of personal data;

- independent supervisory body.

506. Composition:

507. The Privacy Commission is made of sixteen members:

- a chairman;

- a vice-chairman;

- six other full members;

- eight substitute members.

508. Sectorial committees have been set up within the Commission to monitor that the

personal data processing made in specific sectors do not infringe privacy. Such committees

are composed of Commission members and experts chosen for their knowledge of the sector

concerned. To date, six sectorial committees have been set up.

509. A secretariat divided into 5 sections assists the Commission in fulfilling its missions.

7.1.4 Luxembourg


- Commission nationale pour la protection des données45

(CNDP) (National Data

Protection Commission)

511. Legislation:

- Law of 2 August 2002 on the Protection of Persons with regard to the Processing of

Personal Data46

;

- Law of 30 May 2005 on specific provisions applicable in the electronic

communications sector47

.

43

“Commission pour la protection de la vie privée” (CPVP) in French or “Commissie voor de bescherming van

de persoonlijke levenssfeer” (CBPL) in Dutch http://www.privacycommission.be/fr 44

Loi du 8 décembre 1992 relative à la protection de la vie privée à l‟égard des traitements de données à

caractère personnel mis en œuvre par l‟arrêté royal du 13 mars 2001 portant exécution /Wet tot bescherming van

de persoonlijke levenssfeer ten opzichte van de verwerking van persoonsgegevens. 45

http://www.cnpd.lu/fr/ 46

Loi du 2 août 2002 relative à la protection des personnes à l‟égard du traitement des données à caractère

personnel 47

Loi du 30 mai 2005 relative aux dispositions spécifiques applicables dans le secteur des communications

électroniques

http://www.privacycommission.be/fr

http://www.cnpd.lu/fr/



- promote and inform on the protection of personal data;

- establish an annual report for the members of the government;

- control and check the legality of the processing of personal data, keep a register only

for the processing of data actually involving particular risks;

- ensure the compliance with the protection of privacy in the electronic communications

sector and its implementation regulations;

- take legal actions, issue deliberations, draft reports, conduct investigations, review

complaints, impose administrative sanctions.

513. Composition:

- public authority in the form of a public establishment;

- composed of three full members and three substitute members.

7.1.5 Germany


- Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit48

(Federal Commissioner for Data Protection and Freedom of Information)

515. Legislation:

- Federal Data Protection Act of 27 June 200649

.


- monitor the implementation of personal data laws and regulations;

- keep a register;

- conduct investigations, issue recommendations, follow up and transfer complaints to

competent authorities.

7.1.6 Romania


- Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal50

(National Supervisory Authority for Personal Data Processing)

518. Legislation:

- Law of 12 December 2001 for the Protection of Persons concerning the Processing of

Personal Data and Free Circulation of Such Data (amended in 2006)51

.

519. Mission and powers:

- guarantee and protect the natural persons‟ fundamental rights and freedoms, especially

the right to personal, family and private life, concerning the processing of personal

data;

- information and control of the compliance with the personal data protection laws and

regulations;

- issue opinions, recommendations, conduct investigations, realize controls.

48

http://www.bfdi.bund.de/ 49

Bundesdatenschutzgesetz (BDSG) 50

http://www.dataprotection.ro/ 51

LEGE nr. 677 din 21 noiembrie 2001 pentru protectia persoanelor cu privire la prelucrarea datelor cu caracter

personal si libera circulatie a acestor date

http://www.bfdi.bund.de/

http://www.dataprotection.ro/


520. Composition:


7.1.7 Adequacy decisions of the Commission

521. The Council and the European Parliament have given the Commission the power to

determine, on the basis of Article 25(6) of directive 95/46/EC whether a third country ensures

an adequate level of protection by reason of its domestic law or of the international

commitments it has entered into. The adoption of a (comitology) Commission decision based

on Article 25.6 of the Directive involves:

- a proposal from the Commission ;

- an opinion of the group of the national data protection commissioners (article 29

Working party) ; - an opinion of the Article 31 Management committee delivered by a qualified

majority of member states ; - a thirty-day right of scrutiny for the European Parliament, to check if the

Commission has used its executing powers correctly. The European Parliament, if it

considers appropriate, issue a recommendation ; - the adoption of the decision by the College of Commissioners.

522. The effect of such a decision is that personal data can flow from the 25 EU member

states and three EEA member countries (Norway, Liechtenstein and Iceland) to that third

country without any further safeguard being necessary. The Commission has so far

recognized Switzerland, Canada, Argentina, Guernsey, Isle of Man, the US Department of

Commerce's Safe harbor Privacy Principles, and the transfer of Air Passenger Name Record

to the United States' Bureau of Customs and Border Protection as providing adequate

protection.

7.2 THE EUROPEAN ECONOMIC AREA (EEA)

7.2.1 Iceland


- Persónuvernd52

(Data Protection Agency)

524. Legislation:

- Act of 1981 on the Recording of Personal Data;

- Act of 10 May 2000 on the Protection of Privacy as regards the Processing of Personal

Data53

.


- protect data and monitor the compliance with laws and regulations.

526. Adequate level of protection:

- YES.

52

http://www.personuvernd.is/ 53

Lög nr. 77/2000 um persónuvernd og meðferð persónuupplýsinga

http://www.personuvernd.is/


7.2.2 Norway


- Datatilsynet54

(The Data Inspectorate)

528. Legislation:

- Data Register Act of 197855

;

- Act of 14 April 2000 No. 31 relating to the processing of personal data (Personal

Data Act)56

.


- verify that statutes and regulations which apply to the processing of personal data are

complied with;

- issue opinions, decisions and authorizations, conduct investigations, keep a register.


- YES.

7.2.3 Liechtenstein

531. Name of the Authority:

- Datenschutzbeauftragter des Fürstentums Liechtenstein57

(Data Protection Commissioner of the Principality of Liechtenstein)

532. Legislation:

- Data Protection Act of 14 March 200258


- implement processings and regulations on personal data protection.


- YES.

54

http://www.datatilsynet.no/ 55

Lov om personregistre mm av 9 juni 1978 nr 48 56

LOV 2000-04-14 nr 31: Lov om behandling av personopplysninger (personopplysningsloven). 57

http://www.sds.llv.li/ 58

Datenschutzgesetz (DSG) vom 14. März 2002.

http://www.datatilsynet.no/

http://www.sds.llv.li/


7.3 SWITZERLAND

7.3.1 National supervisory authority


- Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB )

59

(Federal Data Protection and Information Commissioner (FDPIC)

536. Legislation:

- Federal Act on Data Protection of 19 June 199260

;

- Federal Act on the Principle of Freedom of Information in Public Administration

(Freedom of Information Act, FIA) of 17 December 200461

.


- supervise federal bodies, private bodies, control the possibility to access data;

- give recommendations, opinions, draw reports, act as mediator.


- YES.

7.3.2 Switzerland official’s entry into the Schengen zone

539. Switzerland became the 25th member of the Schengen free zone on December 12, 2008.

540. Switzerland has abolished the identity checks on the borders for the benefit of the

information system and unique system, i.e the Schengen Information System also called

“SIS”, which is a major tool of the judicial and policy cooperation between the members

states of the Schengen zone.

541. The Schengen Information System, also called “SIS”, is a secure governmental database

system used by several European countries for the purpose of maintaining and distributing

information related to border security and law enforcement. The data collected concern

certain classes of persons and property.

542. In July 2008 the entire SIS system held over 27 million entries. The majority of these –

26 million – related to stolen property, such as weapons, cars, registered bank notes, identity

cards, and certain documents such as stolen passport forms. The system holds nearly a million

data records on individuals. Some 730,000 of these records relate to refusals of entry to the

Schengen countries, 70,000 to wanted persons, and 23,000 to extradition proceedings.

Switzerland itself has entered data for only about 1,200 wanted persons, and 21,000

individuals are not permitted to enter Switzerland. Stolen property accounts for 280,000

records. According to estimates, the SIS data entered by the Swiss authorities has resulted in

3,000 hits abroad, and an equal number of hits in Switzerland as a result of searches instigated

abroad.

59

“Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter” in German or “Préposé fédéral à la protection

des données ” in French http://www.edoeb.admin.ch/index.html?lang=en 60

Bundesgesetz vom 19. Juni 1992 über den Datenschutz (DSG) / Loi fédérale du 19 juin 1992 sur la protection

des données. Bundesgesetz vom 17. Dezember 2004 über das Öffentlichkeitsprinzip der Verwaltung (Öffentlichkeitsgesetz,

BGÖ / Loi fédérale du 17 décembre 2004 sur le principe de la transparence dans l‟administration.

http://en.wikipedia.org/wiki/Governmental_database

http://www.edoeb.admin.ch/index.html?lang=en


7.4 PERSONAL DATA PROTECTION OFFICIALS (DPOS)

7.4.1 Overview

543. Legal basis:

- Directive 95/46/EC, Article 18(2).

544. Member States may provide for the simplification of notification only the data protection

supervisory authority where the controller appoints a personal data protection official.

545. The personal data protection official (DPO) must be independent, i.e.:

- have a freedom of action;

- be trustworthy;

- not be subject to conflict of interests.


- provide advice and recommendation to the responsible for treatement for the

implementation of the treatment of personal data ;

- play and educational role with the employees of the responsible for treatment, which

could be the writing of an effective code of conduct ;

- issue alerts and warnings;

- act as mediator;

- conduct audits.

547. DPOs must know:

- in-depth the data protection laws and regulations;

- adequately technological standards;

- the basics of company management sciences;

- specifically how their company and data processing work.

548. The DPO system has been adopted by various countries, such as France (correspondant à

la protection des données à caractère personnel, or “Cil”), Germany (datenschutzbeauftragte,

or “DSB”), the Netherlands (functionaris gegevensbescherming, or “FG”), Luxembourg

(chargé à la protection des données) and Sweden (personuppgiftsombud, or “PUO”).


7.4.2 The German DPO

549. Legal basis :

- § 4.f of the Federal Data Protection Act (BDSG)

550. Missions :

551. The law required the German DPO to possess the necessary expertise and reliability.

High standards apply especially to his/her expertise :

- he/ she shall be able to apply the data privacy laws of the federation and the federal

states (of Germany) and all other regulations concerning data privacy) ;

- he / she shall understand the organizational structures of the business concerned, and

shall understand current IT applications ;

- it is expected that the DPO shows sensitivity in relating to people, be able to present

himself and have organizational talents ;

- he / she shall be able to resolve conflicts related to his / her person, position and

function in a reasonable way.

552. As a result, the DPO should preferably have a lot of experience with general business

procedures, and should not be limited to one field, like IT specialist or lawyer.

7.4.3 The French DPO

553. Legal basis :

- Article 22-III of the French Law n°2004-801 of August 6th

2004 on Data protection

554. Missions :

555. The officer shall be a person who shall have the qualifications required to perform his

duties. He shall keep a list of the processing carried out, which is immediately accessible to

any person applying for access, and may not be sanctioned by his employer as a result of

performing his duties. He may apply to the “Commission nationale de l‟informatique et des

libertés” when he encounters difficulties in the performance of his duties.

In order to ensure this “independence” and the DPO‟s faculty to exercise effective oversight

of his own employer‟s data protection practices, French law provides that :

- in terms of employment law, the status of DPO has the same level of protection

against affair dismissal as trade union representatives ;

- in case the DPO fails in his duties, he can be dismissed only upon request, or prior

consultation of the CNIL.

556. The 25th

annual Report of the French Data Protection Authority (the CNIL), dated April

2005, stipulates that the DPO cannot exercise managerial functions nor management of

human resources nor administration of the information system nor any function in a

department processing sensitive data (e.g.: marketing).


8. REGULATORY AUTHORITIES OUTSIDE EUROPE

8.1 AMERICA

8.1.1 United States of America (USA)


- Federal Trade Commission (FTC)62

558. Legislation:

- Privacy Act of 1974.


- inform and educate on the importance of personal data and privacy;

- protect consumers.


561. An agreement known as “Safe Harbor” has been signed between the European

Commission and the United States. The Safe Harbor is a set of rules and principles fixed by

the US Department of Commerce.

562. US companies having voluntarily decided to join the Safe Harbor undertake to comply

with the data protection principles established by the European Union. A list of the US

companies having adhered to the safe harbor framework is kept by the US Department of

Commerce.

563. The level of protection of corporations that have self-certified to the safe harbor

framework is considered as adequate.

8.1.2 Canada, Québec


- Commission d‟accès à l‟information (CAI)63

(Information Access Commission)

565. Legislation:

- Act respecting Access to documents held by public bodies and the Protection of

personal information of 22 June 198264

.

- Act respecting the protection of personal information in the private sector of 199465

62

http://www.export.gov/safeharbor/ 63

http://www.cai.gouv.qc.ca/ 64

Loi sur l'accès aux documents des organismes publics et sur la protection des renseignements personnels. 65

Loi sur la protection des renseignements personnels dans le secteur privé.

http://www.export.gov/safeharbor/

http://www.cai.gouv.qc.ca/



567. In 1982 the Quebec National Assembly passed legislation encompassing both access to

information and the protection of personal information in the public sector. It entrusted the

supervision of the two parts of the new law to the “Commission d‟accès à l‟information”

(CAI). In 1994, its mission is extended to the protection of personal information in the private

sector.

- make recommendations on any bill or regulation;

- its prior intervention is mandatory in some personal information exchange projects

between departments or agencies;

- its advice is not binding on the government, but if disregarded, it must be published in

the “Gazette officielle du Québec”.

568. Composition:

569. The CAI is a collegial, complex and plural organization: administrative tribunal,

advisory body and monitoring body all at once. The President and the four other CAI

members are elected for a five-year term by a vote of two thirds of the National Assembly.

570. The Commission is made up of two distinct sections: a jurisdictional section and a supervisory section.

8.1.3 Argentina


- Dirección Nacional de Protección de Datos Personales66

(National Directorate for Personal Data Protection)

572. Legislation:

- Personal Data Protection Act of 2 November 200067


- ensure the security and control the legality of processings;

- impose administrative sanctions, issue authorizations, opinions and deliberations,

draw reports.


- YES68

.

66

http://www.protecciondedatos.com.ar/ 67

LEY 25.326. Protección de los Datos Personales. 68

http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/decision-c2003-1731/decision-argentine_en.pdf

http://www.protecciondedatos.com.ar/

http://ec.europa.eu/justice_home/fsj/privacy/docs/adequacy/decision-c2003-1731/decision-argentine_en.pdf


8.2 AUSTRALIA


- Office of the Federal Privacy Commissioner69

576. Legislation:

- Privacy Act (first for public sector, then extended to private sector in 2000).


- control exclusively public bodies, private bodies in a specific sector (credit,

e-commerce);

- conduct investigations, issue authorizations, give opinions, pronounce withdrawals,

draw reports.


- NO.

8.3 AFRICA

8.3.1 Tunisia


- Instance nationale de protection des données à caractère personnel (“INPDCP”)

(National personal data protection authority)

580. Legislation:

- Organic Law of 27 July 2002 on personal data protection70


- grant authorizations, receive notifications to implement processings of personal data,

or withdraw them in the cases provided for by law;

- receive complaints made within its jurisdiction;

- determine the fundamental guarantees and adequate measures to protect personal data;

- access and monitor personal data subject to processing, collect information

indispensable for the performance of its missions;

- give its opinion on any subject related to data protection laws and regulations;

- elaborate rules do conduct for the processing of personal data;

- participate in the research, training and study related to the protection of personal data

and generally any activity related to its domain;

- has legal personality and financial autonomy;

- conduct investigations in the premises and places where processing are performance,

except in dwelling houses;

- perform its missions with the assistance of accredited agents of the minister in charge

of communication technologies conduct research and specific appraisals, or judicial

experts or any other individuals it deem useful;

- inform the public prosecutor territorially competent of any offences it is aware of

within the framework of its activities. Professional secrecy cannot be opposed to it.

69

http://www.privacy.gov.au/ 70

Loi organique du 27 juillet 2002 portant sur la protection des données à caractère personnel

http://www.privacy.gov.au/


582. Composition (15 members):

- a president chosen among the competent personalities in that domain;

- a member chosen among the members of the Chamber of Deputies;

- a member chosen among the members of the Chamber of Counselors;

- a representative of the Prime Minister;

- two judges of the third rank;

- two judges of the administrative tribunal;

- a representative of the Minister of the Interior;

- a representative of the Minister of National Defense;

- a representative of the Minister in charge of Communication Technologies;

- a researcher of the Minister in charge of Scientific Research;

- a doctor of the Minister in charge of Public Health;

- a member from the High Committee for Human Rights and Fundamental Freedoms;

- a member chosen among the experts in communication technologies.

8.3.2 Mauritius

583. Legislation:

- Data Protection Act of 27 December 2004 (public and private sectors).

8.3.3 Burkina Faso


- Commission de l‟informatique et des libertés (CIL)

(Data Processing and Liberties Commission)

585. Legislation:

- Personal Data Protection Act of 20 April 200471


- inform and advise data subjects and data controllers on their rights and obligations;

- answer requests for opinions made by public bodies and courts;

- control the creation and implementation of processings;

- monitor changes in information and communication technologies and made public its

evaluation of the consequences of such changes on the protection of liberties and

privacy;

- submit to public authorities any proposals to modify laws and regulations that it thinks

relevant to improve the protection of individuals with regard to the processing of their

data;

- draw reports, issue decisions, give opinions, realize controls.

587. Composition (9 members appointed by decree taken by the Council of Ministers):

- two representatives of the high courts, i.e. the “Conseil d‟Etat” and the “Cour de

cassation” (judges);

- two representatives of the legislative power (deputies);

- two representatives of national associations working in the field of human rights;

- two representatives of national associations of IT specialists (computer experts);

- one individual appointed by the President of Burkina Faso.

71

Loi du 20 avril 2004 sur la protection des donnés à caractère personnel.


8.3.4 Senegal

588. Legislation:

- Personal Data Protection Act of 15 January 2008 (public and private sectors)72

589. It provides for the creation of a commission for the protection of personal data, the

formalities to implement personal data and the obligations to be respected. The Senegalese

DPA also contains provisions on the combination of files containing personal data.

8.4 ASIA

8.4.1 China


- Bureau of Legal Affairs, related to the Ministry of Justice

591. Legislation:

- China is planning legislation for the protection of personal data. The outline of the law

provides for the prior authorization of the data subject before disclosure of data to a

third person.


- NO.

8.4.2 Hong Kong


- Privacy Commissioner for Personal Data (PCPD)73

594. Legislation:

- Data protection is not regulated by governmental laws. There are only ambiguous

directives (e.g.: Personal Data (Privacy) Ordinance) concerning the accessibility and

use of data by third parties and transborder transfers of data.


- NO.

8.4.3 South Korea


- Korea Information Security Agency74

597. Legislation:

- Protection of Personal Information maintained by Public Agencies Act of 29 January

1999;

- Promotion of Information, and Communication Network Utilization and Information

Protection Act of 31 December 2001.


- NO.

72

Loi du 15 janvier 2008 sur la protection des données à caractère personnel.

73 http://www.pcpd.org.hk/

74 http://www.kisa.or.kr/english

http://www.pcpd.org.hk/

http://www.kisa.or.kr/english


9. INTERNATIONAL COOPERATION

599. The international cooperation for the personal data protection is based on :

- the International Conference of Privacy and Data Protection Commissioners

- the Article 29 Working Party set up by the Directive 95/46/EC of 24 October 1995.

9.1 THE INTERNATIONAL CONFERENCE OF PRIVACY AND DATA PROTECTION

COMMISSIONERS

9.1.1 Accreditation

600. Data protection authorities that wish to participate in the International Conference of

Privacy and Data Protection Commissioners (“the Conference”) must be accredited.

601. Accredited data protection authorities are, by virtue of their broad functions and depth of

experience, the premier experts on the principles and practice of data protection and privacy

in their jurisdiction. They have the clear mandate to promote and protect data protection and

privacy across a wide sphere of activity and all the necessary legal powers to carry out their

tasks.

602. Criteria and rules for credentials committee (“the committee”) :

- a credentials committee considers applications from data protection authorities that

wish to be accredited to participate in the Conference ;

- the committee is composed of three members. The committee may not contain more

than 1 member from the same country at any time ;

- to fill vacancies occurring between Conferences the committee may co-opt a member

or members (not exceeding 2) from accredited authorities ;

- any authority that wishes to be accredited must write to the committee explaining its

case in terms of the accreditation principles. Applications should be made at least 3

months before the annual Conference ;

- the committee will offer a recommendation to the Conference in respect of each

application received and will propose a resolution to recognize the credentials of each

approved authority within a national or sub national category ;

- the committee may adopt whatever procedure it deems appropriate ;

- the normal term for committee members is 2 years. Co-opted members serve only

until the following Conference. No member may serve consecutively for more than 4

years ;

- members will bear their own costs ;

- the committee may, at the request of any accredited authority, review the position of

any previously accredited authority and offer a recommendation as to whether that

accreditation should be continued.

603. Accreditation criteria:

- the data protection authority must be a public body established on an appropriate legal

basis;

- the data protection authority must be guaranteed an appropriate degree of autonomy

and independence to perform its functions;

- the law under which the authority operates must be compatible with the principal

international instruments dealing with data protection and privacy;

- the authority must have an appropriate range of functions with the legal powers

necessary to perform those functions.


9.1.2 The Conference

604. The aim of the International Data Protection and Privacy Commissioners‟ Conference is

to:

- develop cooperation between regulatory authorities;

- improve technical expertise;

- promote a positive image of the protection of personal data;

- promote “a universal right to data protection and privacy”.

605. This Conference, held annually, brings together 78 data protection authorities and

privacy commissioners from every continent. It is open to all those active in the economic

world, the public sector and civil society and constitutes the only major opportunity dedicated

to personal data protection and privacy75

.

606. The 30th

International Data Protection Conference was held in Strasbourg (France) on

15-17 October 2008.

607. On that occasion, the data protection authorities of 60 countries called on website

operators to adapt their privacy policies to the needs of children and users of social networks.

608. The Conference also highlighted the importance of increased cooperation between the

data protection community and the business sector.

609. The 30th

Conference took in particular the following resolutions:

- Resolution on the privacy of minors on the Internet;

- Resolution on the protection of privacy on social networks;

- Resolution on the working group in charge of establishing the realization and details

of an international data protection award.

9.2 THE ARTICLE 29 DATA PROTECTION WORKING PARTY

610. The Data Protection Working Party - commonly referred to as “Art. 29 Working Party”,

“WP” or “G29” - has been established by Article 29 of Directive 95/46/EC of 24 October

1995 on the protection of individuals with regard to the processing of personal data and on the

free movement of such data. It is composed of a representative of the supervisory authorities

of each Member State.76

611. The mission of the Working Party is to contribute to the elaboration of European

standards by giving recommendations intended to achieve a uniform application of the

Directive within the European Union, by giving opinions on the level of protection in non-EU

countries and by advising the Commission on any other proposed measures affecting such

rights and freedoms of individuals with regard to the processing of personal data.

612. It meets several times a year in plenary session for one or two days and adopts

recommendations (video surveillance, electronic surveillance of employees…).

75

http://www.privacyconference2008.org/ 76

Art. 29 Working Party website:

http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2008_en.htm

http://www.privacyconference2008.org/

http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2008_en.htm


9.2.1 The tasks of the Art. 29 Working Party

613. The tasks of the Article 29 Working Party are to:

- examine any question covering the application of the national measures adopted under

the Directive 95/46/EC in order to contribute to the uniform application of such

measures;

- give the Commission an opinion on the level of protection in the Community and in

third countries;

- advise the Commission on any proposed amendment of the Directive, on any

additional or specific measures to safeguard the rights and freedoms of natural persons

with regard to the processing of personal data and on any other proposed Community

measures affecting such rights and freedoms;

- give an opinion on codes of conduct drawn up at Community level (Dir. 95/46,

Art. 30).

614. If the Working Party finds that divergences likely to affect the equivalence of protection

for persons with regard to the processing of personal data in the Community are arising

between the laws or practices of Member States, it shall inform the Commission accordingly

(Dir. 95/46, Art. 30(2)).

615. Furthermore, the Working Party may, on its own initiative, make recommendations on

all matters relating to the protection of persons with regard to the processing of personal data

in the Community (Dir. 95/46, Art. 30(3)).

616. The Working Party draws up an annual report on the situation regarding the protection of

natural persons with regard to the processing of personal data in the Community and in third

countries. This report is transmitted to the Commission, the European Parliament and the

Council and is made public (Dir. 95/46, Art. 30).

617. The Working Party elects its chairman. The chairman‟s term of office is two years. His

appointment is renewable. The Working Party adopts its own rules of procedure. It considers

items placed on its agenda by its chairman, either on his own initiative or at the request of a

representative of the supervisory authorities or at the Commission‟s request (Dir. 95/46,

Art. 29). The Working Party‟s secretariat is provided by the Commission.

9.2.2 Types of issues examined by the Art. 29 Working Party

618. The Article 29 Working Party has dealt with many data protection issues, such as:

- Air passengers‟ data / PNR (“Passenger Name Record”): it reviewed the objective of

curbing illegal immigration by improving checks on EU-bound flights as set out in

Council Directive 2004/82/EC by taking account of the data protection principles

enshrined in Directive 95/46/EC.

- Electronic communications, Internet and news technologies: it studied the filtering of

online communications against viruses and spam under the data protection legislation.

It also gave its opinion on the retention of data generated or processed in connection

with the provision of publicly available electronic communications services under

Article 8 of the European Convention on Human Rights.

- Accounting, internal accounting controls, financial matters: it provided guidance on

how internal whistleblowing schemes could be implemented in compliance with the

EU data protection rules enshrined in Directive 95/46/EC.


9.2.3 Cooperation between data protection authorities within the EU

619. Pursuant to the French Data Protection Act, the French data protection agency (CNIL)

may, at the request of an authority that exercises similar powers in another Member State of

the European Community:

- undertake verifications;

- pronounce sanctions, except in the case of processing for State security and criminal

offences.

620. These powers are the same as those exercised when the CNIL acts on its own initiative.

621. The CNIL is authorized to disclose the information that it obtains or that it holds to the

other data protection authorities in other EU Member States at their request. (French DPA,

Art. 49).

* *

*


APPENDIX 1:

KEY TEXTS

1. French texts

The French legal framework is made up of the following texts:

the Act No. 78-17 of 6 January 1978 on Data Processing, Data Files and Individual

Liberties, which has been significantly amended by the Law of 6 August 2004;

the Decree of 20 October, 2005, such as amended by the Decree of 25 March 2007

Many other texts refer to data protection, e.g. the Penal Code, the Civil Code, the Public

Health Code, the Posts and Electronic Communications Code, the Labor Code etc.

2. Community texts

The Community legal framework is made up of the following texts:

Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to

the processing of personal data and on the free movement of such data;

Directive 2000/31/EC of 8 June 2000 on certain legal aspects of information society

services, in particular electronic commerce;

Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and

the protection of privacy in the electronic communications sector;

Charter of Fundamental Rights of the European Union (Art. 8).

3. International texts

The international legal framework is made up of the following texts:

Statements of the United Nations General Assembly, in particular the guidelines for

the regulation of computerized personal data files;

OECD texts (recommendations and declarations) on the protection of privacy and

transborder flows of personal data and the declaration on transborder data flows;

Convention for the protection of individuals with regard to automatic processing of

personal data of 28 January 1981 of the Council of Europe (convention 108);

Recommendations and resolutions of the Council of Europe.

4. The CNIL

Right from the start, the French data protection authority (“Commission nationale de

l‟informatique et des libertés” or “CNIL”) has developed a specific doctrine, according to:

the nature of the techniques used;

potential risks to liberty.

Many recommendations have been issued by the CNIL in the form of “Deliberations”.


APPENDIX 2:

TABLE OF PENALTIES APPLICABLE IN FRANCE

FOR OFFENCES RELATED TO PERSONAL DATA

Themes Articles Penalty

Collection

Illegal collection 226-181

5 years‟ imprisonment

€ 300,000 fine

Prior Formalities

Absence of prior formalities 226-161


€ 300,000 fine

Absence of authorization 226-16-1-A1

Non-compliance with the simplified

standards 226-16-1-A

1

Non-compliance with the exclusion

standard 226-16-1-A

1

Diversion of purpose 226-211

Personal Data

Illegal use of the registration numbers of

natural persons in the national register for

the identification of individuals (i.e. social

security number)

226-16-11


€ 300,000 fine Non-compliance with provisions applicable

to the processing of prohibited data and

data on offences, convictions or security

measures

226-191

Illegal manual processing operations 226-231

Rights of Data Subjects

Non-compliance with the right to object 226-18-11


€ 300,000 fine

Indirect canvassing by electronic mail 226-18-1

1 and

R. 10-12

Non-compliance with the right to oblivion 226-201

Disclosure of personal data 226-221

Hindrance of the CNIL action 513

1 year imprisonment

€ 15,000 fine

Failure to provide information to data

subjects on the existence of the right of

access and rectification

Decree

No. 81-1142

of 23 Dec.

19814

Petty offence of the fifth

class: € 1,500 max

Liability of Legal Entities

226-241


€ 300,000 fine

Security

Non-compliance with security rules 226-171


€ 300,000 fine

Health

Illegal processing of medical data 226-19-11


€ 300,000 fine

1 Penal Code.

2 Posts and Electronic Communications Code.

3 Data Protection Law.

4 Decree No. 81-1142 of 23 December 1981, OJ of 26 December 1981.


APPENDIX 3:

BIBLIOGRAPHY

Books:

- Alain Bensoussan, "Informatique et libertés", Editions Francis Lefebvre, 2008,


- CNIL‟s 28th

activity report:

http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/CNIL-

28erapport-2007.pdf

- CNIL‟s guide on the French data protection officer: "Le guide du correspondant

informatique et libertés", Cnil 2006:

http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/CNIL_Guide_co

rrespondants.pdf

- CNIL‟s guide on the transfer of data outside the EU: "Le Guide pratique

transfert d'informations hors Union européenne", Cnil 2008:

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/Guide

-tranfertdedonnees.pdf

Websites:

- Law firm Alain Bensoussan, thematic database on data protection

(“Informatique et libertés”). The database contains a version of the French Data

Protection Act commented article per article as well as case law since 1981:


- CNIL: http://www.cnil.fr/

- Article 29 Data Protection Working Party:

http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2008_fr.htm

- European Community portal:

http://ec.europa.eu/justice_home/fsj/privacy/index_fr.htm

- Council of Europe:

http://www.coe.int/T/F/Affaires_juridiques/Coopération_juridique/Protection_d

es_data/

- Europol JSB:

http://europoljsb.consilium.europa.eu/home/default.asp?lang=FR

- Eurojust: http://europa.eu/agencies/pol_agencies/eurojust/index_fr.htm


http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/CNIL-28erapport-2007.pdf

http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/CNIL-28erapport-2007.pdf

http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/CNIL_Guide_correspondants.pdf

http://www.cnil.fr/fileadmin/documents/La_CNIL/publications/CNIL_Guide_correspondants.pdf

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/Guide-tranfertdedonnees.pdf

http://www.cnil.fr/fileadmin/documents/approfondir/dossier/international/Guide-tranfertdedonnees.pdf


http://www.cnil.fr/

http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2008_fr.htm

http://ec.europa.eu/justice_home/fsj/privacy/index_fr.htm

http://www.coe.int/T/F/Affaires_juridiques/Coopération_juridique/Protection_des_données/

http://www.coe.int/T/F/Affaires_juridiques/Coopération_juridique/Protection_des_données/

http://europoljsb.consilium.europa.eu/home/default.asp?lang=FR

http://europa.eu/agencies/pol_agencies/eurojust/index_fr.htm