Collection of personal data
In France, the collect of personal data and the processing of these date through electronic tools is strictly regulated by a law enacted on January 6, 1978 (and adapted many times since).
An independent governmental authority, the Commission nationale Informatique et libertés (“CNIL”) is responsible for the enforcement of this law.
As a result:
- any company or organization planning to process personal data of French origin shall submit its program to the CNIL in order to get its approval (contractors are also within the scope of the law);
- not submitting such program is a criminal offense punished by a five-year jail sentence and up to a 300,000 euros fine;
- the content of the mission given to the outside contractors in charge of the program shall be agreed on in a written contract enforcing certain rules related to privacy, confidentiality and liability;
- the employees whose date is processed shall be informed of this electronic treatment.
As to the transfer of French personal data electronically processed, the European Union and several other countries in the world are considered as safe as France.
To transfer data in other foreign countries, procedures have to be followed, involving the CNIL, in order to guarantee that the same level of protection of privacy and of confidentiality is to be enforced even if this information is not processed in France.
It is mandatory to set the rules in an agreement containing certain provisions set by the European Commission.
To conclude: as this area is strictly regulated, it is necessary to present the program to the CNIL and to request its approval. It does not mean that the CNIL will refuse the program, but only that the CNIL will control that the information collected is to be used in accordance with Law, and does not breach privacy and confidentiality rules.