0A4F4F9BD490A749D5437F821CF06DF1
Data Protection Act (2018)
https://www.legifrance.gouv.fr/affichLoiPreparation.do;jsessionid=AD5660270AD9F70B94275AC823321680.tplgfr22s_3?idDocument=JORFDOLE000036195293&type=contenu&id=2&typeLoi=proj&legislature=15
http://leaux.net/URLS/ConvertAPI Text Files/42EB1484EE9BB171EBCF153C90F2C8C3.en.txt
Examining the file media/Synopses/42EB1484EE9BB171EBCF153C90F2C8C3.html:
This file was generated: 2020-07-14 08:32:30
Indicators in focus are typically shown highlighted in yellow; |
Peer Indicators (that share the same Vulnerability association) are shown highlighted in pink; |
"Outside" Indicators (those that do NOT share the same Vulnerability association) are shown highlighted in green; |
Trigger Words/Phrases are shown highlighted in gray. |
Link to Orphaned Trigger Words (Appendix (Indicator List, Indicator Peers, Trigger Words, Type/Vulnerability/Indicator Overlay)
Applicable Type / Vulnerability / Indicator Overlay for this Input
Political / criminal
Searching for indicator criminal:
(return to top)
p.(None): "1 ° A call to order;
p.(None): "2 ° An injunction to bring the processing into conformity with the obligations resulting from this law or from regulation (EU) 2016/679 or to comply with the
p.(None): requests by the data subject to exercise their rights, which may be combined, except in cases where the processing is carried out by
p.(None): the State, of a penalty which the amount cannot exceed 100,000 € per day;
p.(None): "3 ° With the exception of processing which concerns state security or defense, the temporary or final limitation of processing, its prohibition or withdrawal
p.(None): an authorization granted pursuant to Regulation (EU) 2016/679 or this Law;
p.(None): "4 ° The withdrawal of a certification or the injunction, to the body concerned, to refuse or withdraw the certification granted;
p.(None): “5 ° The suspension of data flows addressed to a recipient located in a third country or to an international organization;
p.(None): "6 ° The withdrawal of the decision approving a binding business rule;
p.(None): "7 ° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, being a
p.(None): company, 2% of the total global annual revenue for the previous fiscal year, whichever is greater. In the cases mentioned in
p.(None): paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679, these ceilings are raised to 20 million euros and 4% of turnover respectively. The
p.(None): Restricted training takes into account, in determining the amount of the fine, the criteria specified in Article 83 of Regulation (EU) 2016/679.
p.(None): "When the restricted panel has pronounced a financial penalty which has become final before the criminal judge has finally ruled on the same facts or
p.(None): related facts, the latter may order that the administrative fine be deducted from the criminal fine which he pronounces.
p.(None): “The financial penalties are recovered like the debts of the State foreign to the tax and the field.
p.(None): "The draft measure is if necessary submitted to the other authorities concerned according to the procedures defined in Article 60 of Regulation (EU) 2016/679.
p.(None): "III. - When the controller or the processor does not comply with the obligations arising from Regulation (EU) 2016/679 or from this law, the
p.(None): President of the National Commission for Information Technology and Freedoms may also issue a formal notice to him within the time limit which he fixes:
p.(None): "1 ° To comply with requests made by the data subject with a view to exercising his rights;
p.(None): “2 ° To bring the processing operations into compliance with the applicable provisions;
p.(None): "3 ° With the exception of processing which concerns state security or defense and those mentioned in article 27, to communicate to the data subject
p.(None): a personal data breach;
p.(None): "4 ° To rectify or delete personal data, or to limit processing.
p.(None): "In the case provided for in 4 °, the president may, under the same conditions, give notice to the data controller or the processor to notify the
p.(None): recipients of the data the actions it has taken.
p.(None): "The deadline for compliance can be set at twenty-four hours in the event of an extreme emergency.
p.(None): “The president shall, if necessary, declare the procedure for formal notice closed.
p.(None): "The president may ask the office to make the formal notice public. In this case, the decision to close the formal notice procedure is made
p.(None): the subject of the same advertisement. "
p.(None): III. - Article 46 of the same law is replaced by the following provisions:
...
p.(None): public.
p.(None): "For processing whose purposes are mentioned in 2 °, the cryptographic operation and, where appropriate, the interconnection of two files by the use of the
p.(None): specific non-significant code which results from it, cannot be ensured by the same person or by the data controller.
p.(None): "With the exception of the processing operations mentioned in the second paragraph of article 55, this article does not apply to the processing of personal data
p.(None): health personnel who are governed by the provisions of Chapter IX. "
p.(None): II. - Article 27 of the same law is amended as follows:
p.(None): 1 ° In 2 ° of I:
p.(None): a) The reference: "2 °" is deleted;
p.(None): b) After the word: "State", are inserted the words: ", acting in the exercise of its prerogatives of public power,";
p.(None): c) After the words: "which bear", the words: "on genetic data or" are inserted;
p.(None): 2 ° 1 ° of I as well as II, III and IV are repealed.
p.(None): III. - Articles 24 and 25 of the same law are repealed.
p.(None): Chapter III
p.(None): Obligations incumbent on data controllers and processors
p.(None): Article 10
p.(None): Article 35 of the same law is supplemented by the following paragraph: "However, within the scope of Regulation (EU) 2016/679, the subcontractor respects the
p.(None): conditions provided for in Chapter IV of these regulations. "
p.(None): Chapter IV
p.(None): Provisions relating to certain specific categories of processing
p.(None): Article 11
p.(None): Article 9 of the same law is amended as follows:
p.(None): 1 ° In the first paragraph, the words: “offenses, convictions and security measures may only be implemented by:” are replaced by the words: “
p.(None): criminal convictions, offenses or related security measures may only be carried out under the supervision of the public authority or by: ";
p.(None): 2 ° The 1 ° is supplemented by the following words:
p.(None): “As well as legal persons under private law collaborating in the public service of justice, and belonging to categories whose list is fixed by decree in
p.(None): Council of State taken after advice from the National Commission for Data Protection, to the extent strictly necessary for their mission; "
p.(None): 3 ° 3 ° is replaced by the following provisions:
p.(None): "3 ° Natural or legal persons, in order to enable them to prepare and where appropriate, to exercise and monitor legal action as
p.(None): victim, third party, or on behalf of the latter and to have the decision rendered enforced, for a period commensurate with this purpose; communication to
p.(None): a third party is then only possible under the same conditions and to the extent strictly necessary for the pursuit of these same purposes; "
p.(None): 4 ° After the 4 °, a 5 ° is inserted as follows:
p.(None): "5 ° The reusers of public information appearing in the judgments and decisions mentioned in articles L. 10 of the code of administrative justice and L.
p.(None): 111-13 of the code of judicial organization, provided that the processing carried out has neither the purpose nor the purpose and allows the re-identification of
p.(None): persons concerned. "
p.(None): Article 12
p.(None): Article 36 of the same law is amended as follows:
...
p.(None): to order the suspension or the cessation of the transfer of data in question, if necessary under penalty, and then attaches its conclusions to a request
p.(None): for a preliminary ruling to the Court of Justice of the European Union in order to assess the validity of the adequacy decision of the European Commission
p.(None): taken on the basis of Article 45 of Regulation (EU) 2016/679 and of all acts taken by the European Commission authorizing or approving
p.(None): appropriate guarantees in the context of data transfers taken on the basis of article 46 of the same regulation. When the data transfer in
p.(None): cause does not constitute a processing operation carried out by a court in the exercise of its jurisdictional function, the National Commission for
p.(None): IT and civil liberties can apply to the Council of State under the same conditions to obtain the suspension of data transfer based on a decision
p.(None): of adequacy of the European Commission taken on the basis of Article 36 of Directive (EU) 2016/680 pending the Court's assessment of
p.(None): justice of the European Union of the validity of this adequacy decision. "
p.(None): TITLE III
p.(None): PROVISIONS PROVIDING FOR DIRECTIVE (EU) 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016
p.(None): RELATING TO THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA BY
p.(None): COMPETENT AUTHORITIES FOR THE PREVENTION AND DETECTION OF CRIMINAL OFFENSES, INVESTIGATIONS AND PROCEEDINGS
p.(None): THE MATERIAL OR EXECUTION OF CRIMINAL PENALTIES, AND THE FREE MOVEMENT OF SUCH DATA
p.(None): Article 18
p.(None): I. - In the penultimate paragraph of article 32 of the same law, the words: "or having as its object the execution of criminal convictions or security measures" are
p.(None): replaced by the words: ", without prejudice to the application of the provisions of Chapter XIII".
p.(None): II. - The last paragraph of article 32 is deleted.
p.(None): III. - In article 41 of the same law, after the words: "public security" are inserted the words: ", subject to the application of the provisions of chapter XIII,
p.(None): "
p.(None): IV. - In article 42 of the same law, the words: "prevent, investigate or find infringements, or of" are deleted.
p.(None): Article 19
p.(None): Chapter XIII of the same law becomes Chapter XIV and, after article 70, the following provisions are inserted:
p.(None): "Chapter XIII
p.(None): “Provisions applicable to processing operations covered by Directive (EU) 2016/680 of April 27, 2016
p.(None): "Section 1
p.(None): " General provisions
p.(None): "Art. 70-1. - The provisions of this chapter apply, where applicable by way of derogation from the other provisions of this law, to the processing of
p.(None): personal data used:
p.(None): "1 ° For the purposes of prevention and detection of criminal offenses, of investigation and prosecution in the matter or of the execution of criminal sanctions, including the
p.(None): protection against threats to public security and the prevention of such threats;
p.(None): "2 ° By any public authority competent for any of the purposes set out in 1 °, or any other body or entity to which has been entrusted, for these same purposes,
p.(None): the exercise of public authority and the powers of a public authority, hereinafter referred to as the competent authority.
p.(None): "These treatments are only lawful if and insofar as they are necessary for the execution of a mission carried out, for the purposes set out in 1 °, by a
p.(None): competent authority within the meaning of 2 °, and where the provisions of articles 70-3 and 70-4 are respected.
p.(None): "For the application of this chapter, when the concepts used are not defined in chapter 1 of this law, the definitions of article 4 of
p.(None): Regulation (EU) 2016/679 are applicable.
p.(None): "Art. 70-2. - The processing of data mentioned in I of article 8 is possible only in case of absolute necessity, subject to guarantees
p.(None): appropriate for the rights and freedoms of the data subject, and either if it is provided for by a legislative or regulatory act, or if it aims to protect the interests
p.(None): of a natural person, or if it relates to data manifestly made public by the data subject.
p.(None): "Art. 70-3. - If the processing is carried out on behalf of the State for at least one of the purposes provided for in 1 ° of article 70-1, it must be provided by a
...
p.(None): obligations and rights of the controller, and which provides that the processor only acts on the instructions of the controller. The content of this
p.(None): contract or legal act is specified by decree in Council of State taken after opinion of the National Commission of data processing and freedoms.
p.(None): "Section 2
p.(None): "Obligations incumbent on the competent authorities and the controllers
p.(None): "Art. 70-11. - The competent authorities take all reasonable measures to ensure that personal data which is inaccurate,
p.(None): incomplete or out of date are erased or rectified without delay or are not transmitted or made available. To this end, each authority
p.(None): competent checks, as far as possible, the quality of personal data before their transmission or making available.
p.(None): "As far as possible, when transmitting personal data, are added necessary information allowing the authority
p.(None): competent recipient to judge the accuracy, completeness, and reliability of the personal data, and their level of updating.
p.(None): "If it turns out that inaccurate personal data has been transmitted or that personal data has been transmitted in a
p.(None): illicit, the recipient is informed without delay. In this case, personal data is rectified or erased or their processing is limited
p.(None): in accordance with article 70-20.
p.(None): "Art. 70-12. - The data controller establishes as far as possible and where appropriate a clear distinction between the personal data of
p.(None): different categories of data subjects, such as:
p.(None): "1 ° Persons for whom there are serious grounds to believe that they have committed or are about to commit a criminal offense;
p.(None): "2 ° Persons convicted of a criminal offense;
p.(None): "3 ° Victims of a criminal offense or persons in respect of whom certain facts suggest that they could be victims of an offense
p.(None): criminal;
p.(None): "4 ° Third parties to a criminal offense, such as persons who may be called to testify in investigations relating to criminal offenses or
p.(None): subsequent criminal proceedings, persons who can provide information on criminal offenses, or contacts or associates of one of the
p.(None): persons referred to in 1 ° and 2 °.
p.(None): "Art. 70-13. - I. - In order to demonstrate that the processing is carried out in accordance with this chapter, the controller and the processor
p.(None): implement the measures provided for in paragraphs 1 and 2 of Article 24 and in paragraphs 1 and 2 of Article 25 of Regulation (EU) 2016/679 and those appropriate to
p.(None): to guarantee a level of security adapted to the risk, in particular with regard to the processing relating to particular categories of personal data
p.(None): staff referred to in Article 8.
p.(None): "II. - With regard to automated processing, the controller or the processor implements, following a risk assessment,
p.(None): measures to:
p.(None): "1 ° Prevent any unauthorized person from accessing the facilities used for processing (control of access to the facilities);
p.(None): "2 ° Prevent that data carriers can be read, copied, modified or deleted in an unauthorized manner (control of data carriers);
p.(None): "3 ° Prevent unauthorized introduction of personal data into the file, as well as unauthorized inspection, modification or erasure
p.(None): personal data recorded (storage control);
p.(None): "4 ° Prevent that automated processing systems may be used by unauthorized persons using transmission facilities
p.(None): data (user control);
p.(None): "5 ° Guarantee that persons authorized to use an automated processing system can only access personal data on
p.(None): which carry their authorization (control of access to data);
...
p.(None): unauthorized reading, copying, modification or deletion (transport control);
p.(None): “9 ° Guarantee that the installed systems can be restored in the event of an interruption (restoration);
p.(None): "10 ° Guarantee that the functions of the system operate, that operating errors are reported (reliability) and that personal data
p.(None): stored cannot be corrupted by a system malfunction (integrity).
p.(None): "Art. 70-14. - The controller and the processor keep a register of processing activities under the conditions set out in paragraphs 1 to 4
p.(None): of Article 30 of Regulation (EU) 2016/679. This register also contains the general description of the measures intended to guarantee a level of security adapted to the
p.(None): risk, in particular with regard to the processing of specific categories of personal data referred to in Article 8, the indication of
p.(None): the legal basis of the processing operation, including transfers, for which the personal data are intended and, where appropriate, the use
p.(None): profiling.
p.(None): "Art. 70-15. - The data controller or its processor establishes for each automated processing a log of collection, modification operations,
p.(None): consultation, communication, including transfers, interconnection and erasure, relating to such data.
p.(None): "The logs of the consultation and communication operations make it possible to establish the reason, the date and the time. They also allow, to the extent
p.(None): as possible, to identify the persons who consult or communicate the data and their recipients.
p.(None): "This log is only used for purposes of verifying the lawfulness of the processing, self-checking, guaranteeing the integrity and security of data and to
p.(None): for the purposes of criminal proceedings.
p.(None): "This newspaper is made available to the National Commission for Data Protection at its request.
p.(None): "Art. 70-16. - Articles 31, 33 and 34 of Regulation (EU) 2016/679 are applicable to the processing of personal data covered by this
p.(None): chapter.
p.(None): "If the personal data breach relates to personal data which has been transmitted by the controller of a
p.(None): or to that other Member State, the controller also reports the violation to the controller of the other member state in the
p.(None): as fast as we can.
p.(None): "Communication of a personal data breach to the data subject may be delayed, limited or not delivered, therefore and
p.(None): as long as a measure of this nature constitutes a necessary and proportionate measure in a democratic society, with due regard
p.(None): fundamental rights and legitimate interests of the natural person concerned, when its implementation is likely to endanger security
p.(None): public security, national security or the rights or freedoms of others or to obstruct the proper conduct of investigations and procedures intended to prevent, detect
p.(None): or prosecute criminal offenses or to execute criminal sanctions.
p.(None): "Art. 70-17. - I. - Except for the jurisdictions acting in the exercise of their jurisdictional function, the controller designates a delegate to the
p.(None): Data protection.
p.(None): “A single data protection officer may be appointed for several competent authorities, taking into account their organizational structure and their
p.(None): cut.
p.(None): "The provisions of paragraphs 5 and 7 of article 37, paragraphs 1 and 2 of article 38 and paragraph 1 of article 39 of Regulation (EU) 2016/679, in
p.(None): what they relate to the controller, are applicable to the processing of personal data covered by this chapter.
p.(None): "Section 3
p.(None): "Rights of the data subject
p.(None): "Art. 70-18. - I. - The controller makes the following information available to the data subject:
p.(None): “1 ° The identity and contact details of the controller, and if applicable, those of his representative;
p.(None): “2 ° If necessary, the contact details of the data protection officer;
p.(None): “3 ° The purposes pursued by the processing for which the data is intended;
p.(None): "4 ° The right to lodge a complaint with the National Commission for Data Protection and the contact details of the commission;
p.(None): "5 ° The existence of the right to request the controller to access personal data, their rectification or their erasure, and the
p.(None): limitation of the processing of personal data relating to a data subject.
...
p.(None): "II. - When the interested party requests it, the controller must justify that he has carried out the operations required under I.
p.(None): "III. - Instead of erasing, the controller limits the processing when:
p.(None): "1 ° Either the accuracy of the personal data is disputed by the data subject and it cannot be determined whether the data is accurate or not
p.(None): ;
p.(None): “2 ° Either personal data must be kept for probative purposes.
p.(None): "When the processing is limited under 1 °, the controller informs the data subject before lifting the limitation of processing.
p.(None): "IV. - The data controller informs the data subject of any refusal to rectify or erase personal data or to limit the
p.(None): processing, as well as reasons for refusal.
p.(None): "V. - The controller communicates the rectification of inaccurate personal data to the competent authority from which they come.
p.(None): "VI. - When personal data have been rectified or erased or the processing has been limited under I, II and III, the person responsible for
p.(None): processing notifies the recipients so that they rectify or erase the data or limit the processing of the data under their responsibility.
p.(None): "Art. 70-21. - I. - The rights of the natural person concerned may be subject to restrictions in accordance with the procedures provided for in II of this article therefore
p.(None): and as long as such a restriction constitutes a necessary and proportionate measure in a democratic society with due regard to the rights
p.(None): fundamental and legitimate interests of the person for:
p.(None): "1 ° Avoid hindering investigations, research or official or judicial procedures:
p.(None): “2 ° Avoid harming the prevention or detection of criminal offenses, the investigations or prosecutions in the matter or the execution of criminal sanctions;
p.(None): “3 ° Protect public security;
p.(None): “4 ° Protect national security;
p.(None): "5 ° Protect the rights and freedoms of others.
p.(None): "These restrictions are provided for in the treatment initiation act.
p.(None): "II. - When the conditions provided for in I are fulfilled, the controller may:
p.(None): "1 ° Delay or limit the supply to the data subject of the information mentioned in II of article 70-18, or not provide this information;
p.(None): "2 ° Limit, in whole or in part, the right of access of the data subject provided for in article 70-19;
p.(None): "3 ° Not informing the person of his refusal to rectify or erase personal data or to limit the processing, as well as the reasons for
p.(None): this decision in accordance with IV of article 70-20.
p.(None): "III. - In the cases referred to in 2 ° of II, the controller informs the data subject, as soon as possible, of any refusal or any limitation
p.(None): of access, as well as the reasons for refusal or limitation. This information may not be provided when its communication risks compromising one
p.(None): of the objectives set out in I. The controller records the factual or legal grounds on which the decision is based, and makes this information available to the
p.(None): provision of the National Commission for Data Protection.
p.(None): "IV. - In case of restriction of the rights of the data subject intervened in application of II or III, the controller informs the person
p.(None): concerned with the possibility of exercising his rights through the National Commission for Data Protection and to file an appeal
p.(None): jurisdictional.
p.(None): "Art. 70-22. - In case of restriction of the rights of the data subject intervened in application of II or III of article 70-21, the data subject may
p.(None): refer to the National Commission for Data Protection.
p.(None): "The provisions of the second and third paragraphs of article 41 then apply.
p.(None): "When the commission informs the person concerned that the necessary verifications have been made, it also informs him of his right to form a
p.(None): jurisdictional appeal.
p.(None): "Art. 70-23. - No payment is required to take the measures and provide the information referred to in articles 70-18 to 70-20, unless requested
p.(None): manifestly unfounded or abusive.
p.(None): “In this case, the controller may also refuse to comply with the request.
p.(None): "In the event of a dispute, the burden of proving the manifestly unfounded or abusive nature of the requests lies with the data controller
p.(None): from which they are addressed.
p.(None): "Art 70-24. - The provisions of this sub-section do not apply when the personal data appear either in a decision
p.(None): or in a judicial file which is the subject of processing during criminal proceedings. In these cases, access to this data can only be done
p.(None): under the conditions provided for by the Code of Criminal Procedure.
p.(None): "Section 4
p.(None): “Transfers of personal data to non-member states
p.(None): "To the European Union or to recipients established in non-member states
p.(None): " of the European Union
p.(None): "Art. 70-25. - The person responsible for processing personal data cannot transfer data or authorize the transfer of data already
p.(None): transmitted to a State outside the European Union only when the following conditions are met:
p.(None): "1 ° The transfer of this data is necessary for one of the purposes set out in 1 ° of article 70-1;
p.(None): "2 ° Personal data is transferred to a person responsible in that third State or to an international organization which is an authority
p.(None): competent responsible in this State for purposes falling under 1 ° of article 70-1 in France;
p.(None): "3 ° If the personal data come from another State, the State which transmitted these data has previously authorized this transfer in accordance with
p.(None): national law.
p.(None): "However, if prior authorization cannot be obtained in good time, this personal data may be retransmitted without authorization
p.(None): prior notice from the State which transmitted the data when this retransmission is necessary to prevent a serious and immediate threat to security
p.(None): of another State or for the protection of the essential interests of France. The authority from which this personal data originated is informed without
p.(None): delay.
p.(None): "4 ° At least one of the following three conditions is met:
...
p.(None): 4 ° In I of article 30, the word: "declarations," and the references to article 25 are deleted;
p.(None): 5 ° In I of article 31, the words: "23 to" are replaced by the words: "26 and" and the words: "or the date of the declaration of this treatment" are deleted;
p.(None): 6 ° In the last paragraph of article 39, the words: "or in the declaration" are deleted;
p.(None): 7 ° In Article 67, the following are deleted:
p.(None): a) In the first paragraph, the words: "22, 1 ° and 3 ° of I of article 25, the articles";
p.(None): b) The fourth paragraph;
p.(None): c) In the fifth paragraph, the words: "In the event of a breach of his duties, the correspondent is relieved of his duties upon request, or after
p.(None): consultation, of the National Commission for Information Technology and Liberties ”;
p.(None): 8 ° In article 70, the first and third paragraphs are deleted and in the second paragraph, the words: "entry of a declaration filed in application of articles
p.(None): 23 or 24 and showing that personal data will be transferred to this State, the National Commission for Data Protection
p.(None): issues the receipt and "are replaced by the words:" consulted in accordance with Article 36 of Regulation (EU) 2016/679 and in the event of data transfer to
p.(None): personal towards this State, the Commission ”;
p.(None): 9 ° The second sentence of article 71 is deleted.
p.(None): Article 22
p.(None): For processing operations that were subject to formalities prior to the entry into force of this law, the list mentioned in article 31 of law n ° 78-17
p.(None): mentioned above, adopted on this date, is made available to the public, in an open and easily reusable format for a period of ten years.
p.(None): Article 23
p.(None): I. - Article 230-8 of the Code of Criminal Procedure is amended as follows:
p.(None): 1 ° The first paragraph is replaced by the following provisions:
p.(None): "The processing of personal data is carried out under the supervision of the territorially competent public prosecutor who, from either
p.(None): request from the person concerned, request that they be deleted, supplemented or rectified, in particular in the event of a judicial complaint, or that they
p.(None): are mentioned. Rectification for judicial requalification is de jure. The public prosecutor decides within two months
p.(None): on the action to be taken on requests addressed to it. The data subject can make this request without delay following a
p.(None): decision which has become final, of acquittal, acquittal, conviction with exemption from sentence or exemption from mentioning in the criminal record, or dismissal, or
p.(None): classification decision without follow-up. In other cases, the person can make his request, under penalty of inadmissibility, when no more figures
p.(None): mention in the bulletin n ° 2 of his criminal record. In the event of an acquittal or acquittal decision, the personal data concerning the persons put
p.(None): in question are erased, unless the public prosecutor prescribes their maintenance, in which case it is the subject of a mention. When the public prosecutor
p.(None): République prescribes the maintenance of personal data relating to a person who has bene fi ted from an acquittal or acquittal, he notifies the
p.(None): concerned person. The decisions of dismissal or classification without continuation, are the subject of a mention, unless the public prosecutor orders
p.(None): erasure of personal data. When a decision is mentioned, the data relating to the person concerned cannot be the subject
p.(None): a consultation in the context of the administrative inquiries provided for in Articles L. 114-1, L. 234-1 to L. 234-3 of the Internal Security Code and in Article 17-
p.(None): 1 of the law n ° 95-73 of January 21, 1995 of orientation and programming relating to security. The decisions of the public prosecutor provided for in this
p.(None): paragraph ordering the maintenance or erasure of personal data or ordering that they be the subject of a mention are taken for reasons related to the
p.(None): purpose of the file with regard to the nature or circumstances of the commission of the offense or the personality of the person concerned. ";
p.(None): 2 ° In the third paragraph, the words: “in matters of erasure or rectification of personal data” are deleted.
p.(None): II. - The first paragraph of article 804 of the same code is worded as follows:
p.(None): "This code is applicable, in its drafting resulting from law n ° xxx of the xxx of adaptation to the law of the European Union of law n ° 78-17 of January 6, 1978
p.(None): relating to computers, files and freedoms, in New Caledonia, French Polynesia and the Wallis and Futuna Islands, subject to
...
Political / political affiliation
Searching for indicator party:
(return to top)
p.(None): take note of the minutes drawn up following the hearing.
p.(None): "After having deliberated on it, the restricted panel submits its draft decision to the other authorities concerned in accordance with the procedure defined in article
p.(None): 60 of Regulation (EU) 2016/679. As such, it decides on the taking into account of the relevant and reasoned objections raised by the authorities concerned and
p.(None): seizes, if it decides to reject one of the objections, the European Data Protection Board in accordance with Article 65 of the regulation.
p.(None): "The conditions for the application of this article are defined by a decree in Council of State, after opinion of the National Commission for Information Technology and
p.(None): freedoms.
p.(None): "Art. 49-4. - When the committee acts as the authority concerned, within the meaning of Regulation (EU) 2016/679, the chairman of the committee is seized of the projects
p.(None): corrective measures submitted to the commission by another lead authority.
p.(None): "When these measures have an equivalent object to those defined in I and III of article 45, the president decides, if necessary, to raise a relevant objection
p.(None): and motivated according to the terms provided for in article 60 of these regulations.
p.(None): "When these measures are of equivalent purpose to those defined in II of article 45 and in article 46, the president seizes the restricted formation. The President of the
p.(None): restricted party or the member of the restricted party it designates may, if applicable, raise a relevant and reasoned objection using the same
p.(None): modalities. "
p.(None): Article 6
p.(None): I. - The title of chapter VII of the same law is deleted and replaced by the following title:
p.(None): "Measures and sanctions taken by the restricted formation of the National Commission for Data Protection and Liberties"
p.(None): II. - Article 45 of the same law is replaced by the following provisions:
p.(None): "Art. 45. - I. - The president of the National Commission for Information Technology and Liberties may warn a data controller or a processor that
p.(None): the processing operations envisaged are likely to violate the provisions of regulation (EU) 2016/679 or of this law.
p.(None): "II. - When the controller or the processor does not comply with the obligations resulting from Regulation (EU) 2016/679 or this law, the
p.(None): president of the National Commission for Information Technology and Freedoms may refer to the restricted formation of the commission for pronouncement, after procedure
p.(None): contradictory, from one or more of the following measures:
p.(None): "1 ° A call to order;
p.(None): "2 ° An injunction to bring the processing into conformity with the obligations resulting from this law or from regulation (EU) 2016/679 or to comply with the
p.(None): requests by the data subject to exercise their rights, which may be combined, except in cases where the processing is carried out by
p.(None): the State, of a penalty which the amount cannot exceed 100,000 € per day;
p.(None): "3 ° With the exception of processing which concerns state security or defense, the temporary or final limitation of processing, its prohibition or withdrawal
...
p.(None): c) After the words: "which bear", the words: "on genetic data or" are inserted;
p.(None): 2 ° 1 ° of I as well as II, III and IV are repealed.
p.(None): III. - Articles 24 and 25 of the same law are repealed.
p.(None): Chapter III
p.(None): Obligations incumbent on data controllers and processors
p.(None): Article 10
p.(None): Article 35 of the same law is supplemented by the following paragraph: "However, within the scope of Regulation (EU) 2016/679, the subcontractor respects the
p.(None): conditions provided for in Chapter IV of these regulations. "
p.(None): Chapter IV
p.(None): Provisions relating to certain specific categories of processing
p.(None): Article 11
p.(None): Article 9 of the same law is amended as follows:
p.(None): 1 ° In the first paragraph, the words: “offenses, convictions and security measures may only be implemented by:” are replaced by the words: “
p.(None): criminal convictions, offenses or related security measures may only be carried out under the supervision of the public authority or by: ";
p.(None): 2 ° The 1 ° is supplemented by the following words:
p.(None): “As well as legal persons under private law collaborating in the public service of justice, and belonging to categories whose list is fixed by decree in
p.(None): Council of State taken after advice from the National Commission for Data Protection, to the extent strictly necessary for their mission; "
p.(None): 3 ° 3 ° is replaced by the following provisions:
p.(None): "3 ° Natural or legal persons, in order to enable them to prepare and where appropriate, to exercise and monitor legal action as
p.(None): victim, third party, or on behalf of the latter and to have the decision rendered enforced, for a period commensurate with this purpose; communication to
p.(None): a third party is then only possible under the same conditions and to the extent strictly necessary for the pursuit of these same purposes; "
p.(None): 4 ° After the 4 °, a 5 ° is inserted as follows:
p.(None): "5 ° The reusers of public information appearing in the judgments and decisions mentioned in articles L. 10 of the code of administrative justice and L.
p.(None): 111-13 of the code of judicial organization, provided that the processing carried out has neither the purpose nor the purpose and allows the re-identification of
p.(None): persons concerned. "
p.(None): Article 12
p.(None): Article 36 of the same law is amended as follows:
p.(None): 1 ° In the first paragraph, the words: “historical, statistical or scienti fi c” are replaced by the words: “archival in the public interest, for the purpose of
p.(None): scientific or historical research, or for statistical purposes ”;
p.(None): 2 ° The second and fifth paragraphs are repealed;
p.(None): 3 ° The article is supplemented by the following paragraph:
p.(None): "When the processing of personal data is carried out by public archive services for archival purposes in the public interest
p.(None): in accordance with article L. 211-2 of the heritage code, the rights referred to in articles 15, 16, 18, 19, 20 and 21 of regulation (EU) 2016/679 do not apply
p.(None): insofar as these rights make impossible or seriously hinder the achievement of speci fi c purposes and where such derogations are necessary
p.(None): to achieve these ends. The appropriate conditions and guarantees provided for in Article 89 of Regulation (EU) 2016/679 are determined by the Code of
p.(None): heritage and other laws and regulations applicable to public archives. They are also ensured by compliance with standards
p.(None): conform to the state of the art in electronic archiving. "
p.(None): Article 13
...
p.(None): "The derogations governed by the first paragraph of this article end one year after the creation of the processing if it continues to be implemented.
p.(None): "Art. 56. - Notwithstanding the rules relating to professional secrecy, members of the health professions may transmit to the data controller
p.(None): data authorized pursuant to Article 54 the personal data they hold.
p.(None): "When these data allow the identi fi cation of persons, their transmission must be carried out under conditions likely to guarantee their
p.(None): confidentiality. The National Commission for Information Technology and Liberties can adopt recommendations or standards on the technical procedures to
p.(None): enforce.
p.(None): “When the result of the data processing is made public, the direct or indirect identification of the persons concerned must be impossible.
p.(None): "The persons called upon to implement data processing as well as those who have access to the data to which it relates are subject to the
p.(None): professional secrecy under the penalties provided for in article 226-13 of the penal code.
p.(None): "Art. 57. - Everyone has the right to object to personal data concerning him or her being lifted professional secrecy
p.(None): made necessary by processing the nature of those referred to in Article 53.
p.(None): "In the event that the research requires the collection of identi fi cant biological samples, the informed and express consent of the persons concerned must
p.(None): be obtained prior to the implementation of data processing.
p.(None): "Information concerning deceased persons, including those which appear on the certificates of cause of death, may be processed
p.(None): data, unless the interested party has, in his lifetime, expressed his refusal in writing.
p.(None): "Art. 58. - The persons from whom personal data are collected or about whom such data are transmitted are
p.(None): individually informed in accordance with the provisions of Regulation (EU) 2016/679.
p.(None): "However, this information may not be provided if the person concerned has intended to make use of the right granted to him by article L. 1111-2 of
p.(None): health code to be left in the dark about a diagnosis or prognosis.
p.(None): "Art. 59. - The recipients of the information and exercise the rights of the data subject are the holders of parental authority,
p.(None): for minors, or the person charged with a mission of representation within the framework of a guardianship, a family empowerment or a protection mandate
p.(None): future, for protected adults whose condition does not allow them to make an informed personal decision alone.
p.(None): "By way of derogation from the first paragraph of this article, for the processing of personal data carried out in the context of the research mentioned
p.(None): in 2 ° and 3 ° of article L. 1121-1 of the public health code or of studies or evaluations in the health field, having a public interest purpose and
p.(None): including minors, information can be obtained from only one of the holders of parental authority, if it is impossible to inform
p.(None): the other holder, or if he cannot be consulted within a timeframe compatible with the methodological requirements specific to carrying out the research, study
...
p.(None): “1 ° The purposes of the processing and its legal basis;
p.(None): “2 ° The categories of personal data concerned;
p.(None): "3 ° The recipients or categories of recipients to whom the personal data have been communicated, in particular the recipients who are
p.(None): established in non-member states of the European Union or international organizations;
p.(None): "4 ° When possible, the envisaged period of retention of personal data or, when this is not possible, the criteria used
p.(None): to determine this duration;
p.(None): "5 ° The existence of the right to ask the data controller for the rectification or erasure of personal data, or the limitation of
p.(None): processing of this data;
p.(None): "6 ° The right to lodge a complaint with the National Commission for Data Protection and the contact details of the commission;
p.(None): "7 ° Communication of personal data being processed, as well as any available information as to their source.
p.(None): "Art. 70-20. - I. - The data subject has the right to obtain from the controller:
p.(None): “1 ° That personal data concerning him that are inaccurate be rectified as soon as possible;
p.(None): “2 ° That incomplete personal data concerning it be completed, including by providing a complementary declaration for this purpose;
p.(None): "3 ° That personal data concerning him be erased as soon as possible when the processing is carried out in violation of the provisions
p.(None): of this law or when this data must be erased in order to comply with a legal obligation to which the controller is subject.
p.(None): "II. - When the interested party requests it, the controller must justify that he has carried out the operations required under I.
p.(None): "III. - Instead of erasing, the controller limits the processing when:
p.(None): "1 ° Either the accuracy of the personal data is disputed by the data subject and it cannot be determined whether the data is accurate or not
p.(None): ;
p.(None): “2 ° Either personal data must be kept for probative purposes.
p.(None): "When the processing is limited under 1 °, the controller informs the data subject before lifting the limitation of processing.
p.(None): "IV. - The data controller informs the data subject of any refusal to rectify or erase personal data or to limit the
p.(None): processing, as well as reasons for refusal.
p.(None): "V. - The controller communicates the rectification of inaccurate personal data to the competent authority from which they come.
p.(None): "VI. - When personal data have been rectified or erased or the processing has been limited under I, II and III, the person responsible for
p.(None): processing notifies the recipients so that they rectify or erase the data or limit the processing of the data under their responsibility.
p.(None): "Art. 70-21. - I. - The rights of the natural person concerned may be subject to restrictions in accordance with the procedures provided for in II of this article therefore
p.(None): and as long as such a restriction constitutes a necessary and proportionate measure in a democratic society with due regard to the rights
p.(None): fundamental and legitimate interests of the person for:
p.(None): "1 ° Avoid hindering investigations, research or official or judicial procedures:
...
Searching for indicator political:
(return to top)
p.(None): supports it designates at the expense of sanctioned persons.
p.(None): "Without prejudice to the information obligations incumbent on them pursuant to Article 34 of Regulation (EU) 2016/679, the restricted panel may order
p.(None): that the person in charge or the subcontractor concerned informs each of the persons concerned, at his own expense, of the violation of the provisions of the
p.(None): this law or the aforementioned regulation as well as, if applicable, the measure pronounced. "
p.(None): V. - Article 48 of the same law is replaced by the following provisions:
p.(None): "Art. 48. - When a certification body or a body responsible for compliance with a code of conduct has failed to fulfill its obligations or has failed to comply with the
p.(None): provisions of Regulation (EU) 2016/679 or of this law, the president of the National Commission for Data Protection may, where appropriate
p.(None): after formal notice, refer to the restricted panel of the Commission which may pronounce, under the same conditions as those provided for in articles 45 to 47,
p.(None): withdrawal of the license issued to them. "
p.(None): Chapter II
p.(None): Provisions relating to certain categories of data
p.(None): Article 7
p.(None): Article 8 of the same law is amended as follows:
p.(None): 1 ° I is worded as follows:
p.(None): "I. - It is prohibited to process personal data, which reveals alleged racial or ethnic origin, political opinions,
p.(None): religious or philosophical beliefs or union membership or to process genetic data, biometric data for the purpose of identifying a
p.(None): uniquely natural person, data concerning health or data concerning a person's sexual life or sexual orientation
p.(None): physical. ";
p.(None): 2 ° In 7 ° of II, the words: “and under the conditions provided for in article 25 of this law” are deleted;
p.(None): 3 ° 8 ° of II is replaced by the following provisions: "8 ° Treatments containing data relating to health justified in the public interest and
p.(None): in accordance with the provisions of Chapter IX. ";
p.(None): 4 ° After 8 ° of II, a 9 ° is inserted as follows:
p.(None): "9 ° The processing implemented by employers or administrations which relate to biometric data necessary for access control to
p.(None): workplaces as well as the devices and applications used in the context of missions entrusted to employees or agents. ";
p.(None): 5 ° In III, the first sentence is replaced by the following sentence:
p.(None): "The personal data mentioned in I, which are called upon to be subject to short notice, are also not subject to the prohibition provided for in I
p.(None): an anonymization process previously recognized in accordance with the provisions of this law by the National Commission for Data Protection.
p.(None): "
p.(None): And the second sentence is deleted;
p.(None): 6 ° The IV is replaced by the following provisions:
p.(None): "IV. - Likewise, processing operations, automated or not, that are justified by the public interest and authorized under the conditions are not subject to the prohibition provided for in I
...
Health / Motherhood/Family
Searching for indicator family:
(return to top)
p.(None): "The persons called upon to implement data processing as well as those who have access to the data to which it relates are subject to the
p.(None): professional secrecy under the penalties provided for in article 226-13 of the penal code.
p.(None): "Art. 57. - Everyone has the right to object to personal data concerning him or her being lifted professional secrecy
p.(None): made necessary by processing the nature of those referred to in Article 53.
p.(None): "In the event that the research requires the collection of identi fi cant biological samples, the informed and express consent of the persons concerned must
p.(None): be obtained prior to the implementation of data processing.
p.(None): "Information concerning deceased persons, including those which appear on the certificates of cause of death, may be processed
p.(None): data, unless the interested party has, in his lifetime, expressed his refusal in writing.
p.(None): "Art. 58. - The persons from whom personal data are collected or about whom such data are transmitted are
p.(None): individually informed in accordance with the provisions of Regulation (EU) 2016/679.
p.(None): "However, this information may not be provided if the person concerned has intended to make use of the right granted to him by article L. 1111-2 of
p.(None): health code to be left in the dark about a diagnosis or prognosis.
p.(None): "Art. 59. - The recipients of the information and exercise the rights of the data subject are the holders of parental authority,
p.(None): for minors, or the person charged with a mission of representation within the framework of a guardianship, a family empowerment or a protection mandate
p.(None): future, for protected adults whose condition does not allow them to make an informed personal decision alone.
p.(None): "By way of derogation from the first paragraph of this article, for the processing of personal data carried out in the context of the research mentioned
p.(None): in 2 ° and 3 ° of article L. 1121-1 of the public health code or of studies or evaluations in the health field, having a public interest purpose and
p.(None): including minors, information can be obtained from only one of the holders of parental authority, if it is impossible to inform
p.(None): the other holder, or if he cannot be consulted within a timeframe compatible with the methodological requirements specific to carrying out the research, study
p.(None): or evaluation with regard to its finalities. This paragraph does not preclude the subsequent exercise by each holder of the exercise of parental authority,
p.(None): of the rights mentioned in the first paragraph.
p.(None): "For these treatments, the minor aged fifteen or more may object to the holders of parental authority having access to the data on
p.(None): concerning collected during research, study or evaluation. The minor then receives the information and exercises his rights alone.
p.(None): “For these same treatments, minors aged fifteen or over may object to holders of parental authority being informed of the
p.(None): data processing if the fact of participating in it leads to revealing information on a preventive action, screening, diagnosis, treatment or
p.(None): intervention for which the minor expressly objected to consulting the holders of parental authority in application of Articles L. 1111-5 and L.
p.(None): 1111-5-1 of the public health code or if the family ties are broken and the minor bene fi ts personally from the reimbursement of benefits in
p.(None): nature of health and maternity insurance and of the additional cover set up by law n ° 99-641 of July 27, 1999 creating a
p.(None): Universal health coverage. He then exercises his rights alone.
p.(None): "Art. 60. - Information relating to the provisions of this chapter must in particular be provided in any establishment or center where
p.(None): prevention, diagnosis and care activities giving rise to the transmission of personal data with a view to the treatment referred to in this
p.(None): chapter.
p.(None): "Section 2
p.(None): "Special provisions for processing for research and study purposes
p.(None): "Or health assessment.
p.(None): "Art. 61. - Automated processing of personal data the purpose of which is or becomes research or studies in the health field
p.(None): as well as the evaluation or analysis of care or prevention practices or activities are subject to the provisions of section 1 of this chapter, under
p.(None): reserve those of this section.
p.(None): "Art. 62. - Reference methodologies are approved and published by the National Commission for Data Protection. They are established in
p.(None): consultation with the National Institute for Health Data mentioned in Article L. 1462-1 of the Public Health Code and public and private organizations
p.(None): representative of the actors concerned.
p.(None): "When the processing conforms to a reference methodology, it can be implemented without the authorization mentioned in article 54, provided that
p.(None): its manager shall send the National Informatics Commission a declaration attesting to this compliance.
...
Social / Access to Social Goods
Searching for indicator access:
(return to top)
p.(None): personal health data ';
p.(None): 5 ° The b of 2 ° is replaced by the following provisions:
p.(None): "(B) It establishes and publishes standard regulations with a view to ensuring the security of personal data processing systems and governing
p.(None): processing of health data falling under Chapter IX. As such, except for processing carried out on behalf of the State, acting in the exercise of
p.(None): its prerogatives of public power, it can prescribe additional technical and organizational measures for data processing
p.(None): biometric, genetic and health in accordance with Article 9.4 of Regulation (EU) 2016/679 and additional guarantees regarding the processing of
p.(None): offense data in accordance with article 10 of the same regulation. ";
p.(None): 6 ° After the f of 2 °, a f bis is inserted as follows:
p.(None): "Fa) It may decide to certify persons, products, data systems or procedures in order to recognize that they comply with the
p.(None): Regulation (EU) 2016/679 and this law. It approves, for the same purposes, certifying bodies, on the basis, where appropriate, of their accreditation by
p.(None): the national accreditation body, mentioned in article 43 (1) b of the regulations, under conditions specified by decree in Council of State taken after opinion of the
p.(None): National Commission for Data Protection. The committee draws up or approves the criteria for the certification and accreditation standards. She can
p.(None): establish additional requirements to accreditation standards. ";
p.(None): 7 ° In g of 2 °, after the word: “certification” are inserted the words: “, by approved or accredited third parties according to the terms mentioned in fa,”;
p.(None): 8 ° At the hour of 2 °, the words: “of access concerning the treatments mentioned in articles 41 and 42” are replaced by the words: “of exercise of the rights provided
p.(None): Articles 41, 42 and 70-22 ”;
p.(None): 9 ° After the h of 2 °, an i is inserted as follows:
p.(None): "I) It may establish a list of treatments likely to create a high risk which must be subject to prior consultation in accordance with article 70-4
p.(None): ";
p.(None): 10 ° In a of 4 °, after the first sentence, a sentence worded as follows is inserted:
p.(None): "It can also be consulted by the President of the National Assembly or by the President of the Senate on any draft law relating to protection
p.(None): personal data or the processing of such data. ";
p.(None): 11 ° After the f of 4 °, a paragraph worded as follows is inserted:
p.(None): "5 ° It may submit observations before any court in the event of a dispute relating to the application of Regulation (EU) 2016/679 and this law";
p.(None): 12 ° At the beginning of the twenty-sixth paragraph, the reference is inserted: “II. - ".
p.(None): Article 2
p.(None): In 7 ° of I of article 13 of the same law, after the word: "digital" are inserted the words: "or questions relating to individual freedoms".
p.(None): Article 3
p.(None): I. - In the first paragraph of article 17 of the same law, after the words: "restricted training", are added the words: "take the measures and" and after the words
p.(None): : “Obligations arising” are added the words: “of Regulation (EU) 2016/679 and”.
p.(None): II. - After the first paragraph of article 17 of the same law, the following paragraph is inserted:
p.(None): "The members deliberate without the presence of the agents of the commission, with the exception of those responsible for holding the meeting."
...
p.(None): office which have for object the exercise of the delegated attributions under article 16. It can attend the sessions of the restricted formation, without being present
p.(None): to deliberate. He is the recipient of all the opinions and decisions of the commission and of the restricted panel ".
p.(None): IV. - The third paragraph of article 18 of the same law is replaced by the following provisions:
p.(None): "Except in the case of measures or sanctions under Chapter VII, it may cause a second deliberation of the commission, which must intervene in the
p.(None): ten days from the initial deliberation ”.
p.(None): Article 4
p.(None): Article 44 of the same law is amended as follows:
p.(None): 1 ° In I, the words: "and which are for professional use" are deleted;
p.(None): 2 ° In the first sentence of II, the words: “of private professional premises” are replaced by the words: “of these places, premises, enclosures, installations or
p.(None): establishments "and in the last sentence of the same II, after the word:" visit "the following sentence is added:
p.(None): "Whose purpose is the effective exercise of the missions provided for in III";
p.(None): 3 ° In III, the first three paragraphs are replaced by two paragraphs worded as follows:
p.(None): "For the exercise of the missions entrusted to the National Commission for Information Technology and Freedoms by regulation (EU) 2016/679 and by this law, the
p.(None): members and agents mentioned in the first paragraph of I may request communication of any document, whatever the medium, and take a copy. They
p.(None): may collect, in particular on the spot or on convocation, any useful information and justi fi cation. They can access, in conditions preserving
p.(None): con fi dentiality with regard to third parties, to computer programs and data, as well as to request transcription by any appropriate processing in
p.(None): documents directly usable for the purposes of control. Secrecy cannot be opposed to them except concerning the information covered by the secret
p.(None): professional applicable to relations between a lawyer and his client, by the secrecy of the sources of journalistic processing or, subject to the provisions
p.(None): of the following paragraph, by medical confidentiality.
p.(None): "Medical secrecy is opposable with regard to the information which figures in a treatment necessary for the purposes of preventive medicine, research
p.(None): medical, medical diagnosis, administration of care or treatment, or management of health service. However the communication of
p.(None): individual medical data included in this category of treatment can be done under the authority and in the presence of a doctor. ";
p.(None): 4 ° After the fourth paragraph of III, a paragraph is inserted as follows:
p.(None): "For the control of online public communication services, the members and agents mentioned in the first paragraph of I can carry out any operation
p.(None): necessary for their mission under a borrowed identity. The use of an assumed identity does not affect the regularity of the findings made
p.(None): in accordance with the previous paragraph. A decree in Council of State taken after opinion of the National Commission of data processing and liberties specifies the conditions
p.(None): in which they proceed in their cases to their findings. ";
p.(None): 5 ° The following paragraph is added:
...
p.(None): provisions of Regulation (EU) 2016/679 or of this law, the president of the National Commission for Data Protection may, where appropriate
p.(None): after formal notice, refer to the restricted panel of the Commission which may pronounce, under the same conditions as those provided for in articles 45 to 47,
p.(None): withdrawal of the license issued to them. "
p.(None): Chapter II
p.(None): Provisions relating to certain categories of data
p.(None): Article 7
p.(None): Article 8 of the same law is amended as follows:
p.(None): 1 ° I is worded as follows:
p.(None): "I. - It is prohibited to process personal data, which reveals alleged racial or ethnic origin, political opinions,
p.(None): religious or philosophical beliefs or union membership or to process genetic data, biometric data for the purpose of identifying a
p.(None): uniquely natural person, data concerning health or data concerning a person's sexual life or sexual orientation
p.(None): physical. ";
p.(None): 2 ° In 7 ° of II, the words: “and under the conditions provided for in article 25 of this law” are deleted;
p.(None): 3 ° 8 ° of II is replaced by the following provisions: "8 ° Treatments containing data relating to health justified in the public interest and
p.(None): in accordance with the provisions of Chapter IX. ";
p.(None): 4 ° After 8 ° of II, a 9 ° is inserted as follows:
p.(None): "9 ° The processing implemented by employers or administrations which relate to biometric data necessary for access control to
p.(None): workplaces as well as the devices and applications used in the context of missions entrusted to employees or agents. ";
p.(None): 5 ° In III, the first sentence is replaced by the following sentence:
p.(None): "The personal data mentioned in I, which are called upon to be subject to short notice, are also not subject to the prohibition provided for in I
p.(None): an anonymization process previously recognized in accordance with the provisions of this law by the National Commission for Data Protection.
p.(None): "
p.(None): And the second sentence is deleted;
p.(None): 6 ° The IV is replaced by the following provisions:
p.(None): "IV. - Likewise, processing operations, automated or not, that are justified by the public interest and authorized under the conditions are not subject to the prohibition provided for in I
p.(None): provided for in II of Article 26. "
p.(None): TITLE II
p.(None): LEVELS OF OPERATION PERMITTED BY REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 ON
p.(None): THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND FREE
p.(None): CIRCULATION OF THIS DATA, AND REPEALING DIRECTIVE 95/46 / EC
p.(None): Chapter I
p.(None): Territorial scope of the provisions
p.(None): supplementing Regulation (EU) 2016/679
p.(None): Article 8
p.(None): After article 5 of the same law, an article 5-1 is inserted as follows:
p.(None): "Art. 5-1 - National rules, taken on the basis of the provisions of Regulation (EU) 2016/679 referring to national law the task of adapting or
p.(None): complete the rights and obligations provided for by these regulations, apply when the person concerned resides in France, including when the person responsible
...
p.(None): of a public service mission appearing on a list fixed by decree of the ministers responsible for health and social security, taken after opinion of the
p.(None): National Commission for Information Technology and Liberties, the sole purpose of which is to respond to and manage a health alert in the event of an emergency
p.(None): the consequences, within the meaning of section 1 of chapter III of title I of book IV of the public health code, are subject only to the provisions of section 3 of the
p.(None): Chapter IV of Regulation (EU) 2016/79.
p.(None): "The processing operations mentioned in the first paragraph which use the registration number of persons in the national directory of identification of persons
p.(None): physical are implemented under the conditions provided for in article 22.
p.(None): "The derogations governed by the first paragraph of this article end one year after the creation of the processing if it continues to be implemented.
p.(None): "Art. 56. - Notwithstanding the rules relating to professional secrecy, members of the health professions may transmit to the data controller
p.(None): data authorized pursuant to Article 54 the personal data they hold.
p.(None): "When these data allow the identi fi cation of persons, their transmission must be carried out under conditions likely to guarantee their
p.(None): confidentiality. The National Commission for Information Technology and Liberties can adopt recommendations or standards on the technical procedures to
p.(None): enforce.
p.(None): “When the result of the data processing is made public, the direct or indirect identification of the persons concerned must be impossible.
p.(None): "The persons called upon to implement data processing as well as those who have access to the data to which it relates are subject to the
p.(None): professional secrecy under the penalties provided for in article 226-13 of the penal code.
p.(None): "Art. 57. - Everyone has the right to object to personal data concerning him or her being lifted professional secrecy
p.(None): made necessary by processing the nature of those referred to in Article 53.
p.(None): "In the event that the research requires the collection of identi fi cant biological samples, the informed and express consent of the persons concerned must
p.(None): be obtained prior to the implementation of data processing.
p.(None): "Information concerning deceased persons, including those which appear on the certificates of cause of death, may be processed
p.(None): data, unless the interested party has, in his lifetime, expressed his refusal in writing.
p.(None): "Art. 58. - The persons from whom personal data are collected or about whom such data are transmitted are
p.(None): individually informed in accordance with the provisions of Regulation (EU) 2016/679.
p.(None): "However, this information may not be provided if the person concerned has intended to make use of the right granted to him by article L. 1111-2 of
p.(None): health code to be left in the dark about a diagnosis or prognosis.
p.(None): "Art. 59. - The recipients of the information and exercise the rights of the data subject are the holders of parental authority,
p.(None): for minors, or the person charged with a mission of representation within the framework of a guardianship, a family empowerment or a protection mandate
p.(None): future, for protected adults whose condition does not allow them to make an informed personal decision alone.
p.(None): "By way of derogation from the first paragraph of this article, for the processing of personal data carried out in the context of the research mentioned
p.(None): in 2 ° and 3 ° of article L. 1121-1 of the public health code or of studies or evaluations in the health field, having a public interest purpose and
p.(None): including minors, information can be obtained from only one of the holders of parental authority, if it is impossible to inform
p.(None): the other holder, or if he cannot be consulted within a timeframe compatible with the methodological requirements specific to carrying out the research, study
p.(None): or evaluation with regard to its finalities. This paragraph does not preclude the subsequent exercise by each holder of the exercise of parental authority,
p.(None): of the rights mentioned in the first paragraph.
p.(None): "For these treatments, the minor aged fifteen or more may object to the holders of parental authority having access to the data on
p.(None): concerning collected during research, study or evaluation. The minor then receives the information and exercises his rights alone.
p.(None): “For these same treatments, minors aged fifteen or over may object to holders of parental authority being informed of the
p.(None): data processing if the fact of participating in it leads to revealing information on a preventive action, screening, diagnosis, treatment or
p.(None): intervention for which the minor expressly objected to consulting the holders of parental authority in application of Articles L. 1111-5 and L.
p.(None): 1111-5-1 of the public health code or if the family ties are broken and the minor bene fi ts personally from the reimbursement of benefits in
p.(None): nature of health and maternity insurance and of the additional cover set up by law n ° 99-641 of July 27, 1999 creating a
p.(None): Universal health coverage. He then exercises his rights alone.
p.(None): "Art. 60. - Information relating to the provisions of this chapter must in particular be provided in any establishment or center where
p.(None): prevention, diagnosis and care activities giving rise to the transmission of personal data with a view to the treatment referred to in this
p.(None): chapter.
p.(None): "Section 2
p.(None): "Special provisions for processing for research and study purposes
p.(None): "Or health assessment.
p.(None): "Art. 61. - Automated processing of personal data the purpose of which is or becomes research or studies in the health field
...
p.(None): Chapter IV
p.(None): Special provisions relating to the rights of data subjects
p.(None): Article 14
p.(None): Article 10 of the same law is amended as follows:
p.(None): 1 ° In the second paragraph:
p.(None): a) The words: "In addition to the cases mentioned in a and c under 2 of article 22 of regulation 2016/679" are introduced at the beginning of the first sentence;
p.(None): b) The words: "define the profile of the person concerned" are replaced by the word: "anticipate";
p.(None): c) The words: "of his personality" are replaced by the words: "personnel relating to the person concerned, with the exception of administrative decisions
p.(None): taken in compliance with Article L. 311-3-1 and Chapter I of Title I of Book IV of the Code of Public and Administrative Relations, provided
p.(None): that the processing does not relate to data mentioned in I of article 8, ";
p.(None): 2 ° The third paragraph is replaced by the following provisions:
p.(None): "For the administrative decisions mentioned in the previous paragraph, the controller ensures control of the algorithmic processing and its
p.(None): developments ”.
p.(None): Article 15
p.(None): After II of article 40 of the same law the following provisions are inserted:
p.(None): "III. - A decree in Council of State, taken after opinion of the National Commission for Data Protection, sets the list of treatments and categories of
p.(None): processing operations authorized to derogate from the right to communication of a data breach governed by Article 34 of, Regulation (EU) 2016/679 when the notification
p.(None): unauthorized disclosure or access to this data is likely to pose a risk to national security, national defense or the
p.(None): public security. The exemption provided for in this paragraph applies only to the processing of personal data necessary for compliance
p.(None): of a legal obligation which requires the processing of this data or necessary for the exercise of a public interest mission vested in the responsible of
p.(None): treatment. "
p.(None): Chapter V
p.(None): Remedies
p.(None): Article 16
p.(None): After article 43 ter of the same law, article 43 quater is inserted as follows:
p.(None): "Art. 43c. - The person concerned may mandate an association or an organization mentioned in IV of article 43b in order to exercise on his behalf
p.(None): the rights referred to in Articles 77 to 79 of Regulation (EU) 2016/679. It can also mandate them to act before the National Commission for Information Technology and
p.(None): freedoms, against this before a judge or against the controller or the processor before a court when a processing is involved
p.(None): falling under Chapter XIII. "
p.(None): Article 17
p.(None): Section 2 of Chapter V of the same law is supplemented by an article 43d as follows:
p.(None): "Art. 43d. - In the event that, when entering a complaint directed against a controller or a processor, the National Commission for
p.(None): IT and liberties believes that the complaints made relating to the protection of the rights and freedoms of a person with regard to the processing of their data are founded
p.(None): personal, or generally to ensure the protection of these rights and freedoms as part of its mission, it may request the Council
...
p.(None): "2 ° Persons convicted of a criminal offense;
p.(None): "3 ° Victims of a criminal offense or persons in respect of whom certain facts suggest that they could be victims of an offense
p.(None): criminal;
p.(None): "4 ° Third parties to a criminal offense, such as persons who may be called to testify in investigations relating to criminal offenses or
p.(None): subsequent criminal proceedings, persons who can provide information on criminal offenses, or contacts or associates of one of the
p.(None): persons referred to in 1 ° and 2 °.
p.(None): "Art. 70-13. - I. - In order to demonstrate that the processing is carried out in accordance with this chapter, the controller and the processor
p.(None): implement the measures provided for in paragraphs 1 and 2 of Article 24 and in paragraphs 1 and 2 of Article 25 of Regulation (EU) 2016/679 and those appropriate to
p.(None): to guarantee a level of security adapted to the risk, in particular with regard to the processing relating to particular categories of personal data
p.(None): staff referred to in Article 8.
p.(None): "II. - With regard to automated processing, the controller or the processor implements, following a risk assessment,
p.(None): measures to:
p.(None): "1 ° Prevent any unauthorized person from accessing the facilities used for processing (control of access to the facilities);
p.(None): "2 ° Prevent that data carriers can be read, copied, modified or deleted in an unauthorized manner (control of data carriers);
p.(None): "3 ° Prevent unauthorized introduction of personal data into the file, as well as unauthorized inspection, modification or erasure
p.(None): personal data recorded (storage control);
p.(None): "4 ° Prevent that automated processing systems may be used by unauthorized persons using transmission facilities
p.(None): data (user control);
p.(None): "5 ° Guarantee that persons authorized to use an automated processing system can only access personal data on
p.(None): which carry their authorization (control of access to data);
p.(None): “6 ° Guarantee that it can be verified and ascertained at which instances of personal data have been or may be transmitted or made available
p.(None): provision by data transmission facilities (transmission control);
p.(None): “7 ° Guarantee that it can be verified and verified a posteriori which personal data have been entered into the processing systems
p.(None): automated, and when and by whom they were introduced (control of the introduction);
p.(None): "8 ° Prevent that, during the transmission of personal data as well as during the transport of data carriers, the data can be
p.(None): unauthorized reading, copying, modification or deletion (transport control);
p.(None): “9 ° Guarantee that the installed systems can be restored in the event of an interruption (restoration);
p.(None): "10 ° Guarantee that the functions of the system operate, that operating errors are reported (reliability) and that personal data
p.(None): stored cannot be corrupted by a system malfunction (integrity).
p.(None): "Art. 70-14. - The controller and the processor keep a register of processing activities under the conditions set out in paragraphs 1 to 4
p.(None): of Article 30 of Regulation (EU) 2016/679. This register also contains the general description of the measures intended to guarantee a level of security adapted to the
p.(None): risk, in particular with regard to the processing of specific categories of personal data referred to in Article 8, the indication of
p.(None): the legal basis of the processing operation, including transfers, for which the personal data are intended and, where appropriate, the use
p.(None): profiling.
p.(None): "Art. 70-15. - The data controller or its processor establishes for each automated processing a log of collection, modification operations,
...
p.(None): or prosecute criminal offenses or to execute criminal sanctions.
p.(None): "Art. 70-17. - I. - Except for the jurisdictions acting in the exercise of their jurisdictional function, the controller designates a delegate to the
p.(None): Data protection.
p.(None): “A single data protection officer may be appointed for several competent authorities, taking into account their organizational structure and their
p.(None): cut.
p.(None): "The provisions of paragraphs 5 and 7 of article 37, paragraphs 1 and 2 of article 38 and paragraph 1 of article 39 of Regulation (EU) 2016/679, in
p.(None): what they relate to the controller, are applicable to the processing of personal data covered by this chapter.
p.(None): "Section 3
p.(None): "Rights of the data subject
p.(None): "Art. 70-18. - I. - The controller makes the following information available to the data subject:
p.(None): “1 ° The identity and contact details of the controller, and if applicable, those of his representative;
p.(None): “2 ° If necessary, the contact details of the data protection officer;
p.(None): “3 ° The purposes pursued by the processing for which the data is intended;
p.(None): "4 ° The right to lodge a complaint with the National Commission for Data Protection and the contact details of the commission;
p.(None): "5 ° The existence of the right to request the controller to access personal data, their rectification or their erasure, and the
p.(None): limitation of the processing of personal data relating to a data subject.
p.(None): "II. - In addition to the information referred to in I, the controller provides the data subject, in special cases, with the information
p.(None): following to enable him to exercise his rights:
p.(None): “1 ° The legal basis for the processing;
p.(None): “2 ° The period of storage of personal data or, when this is not possible, the criteria used to determine this period;
p.(None): "3 ° Where applicable, the categories of recipients of personal data, including in States which are not members of the European Union or in
p.(None): within international organizations;
p.(None): “4 ° If necessary, additional information, in particular when personal data is collected without the knowledge of the person concerned.
p.(None): "Art. 70-19. - The data subject has the right to obtain confirmation from the controller that personal data concerning him
p.(None): are or are not processed and, when they are, access to said data as well as the following information:
p.(None): “1 ° The purposes of the processing and its legal basis;
p.(None): “2 ° The categories of personal data concerned;
p.(None): "3 ° The recipients or categories of recipients to whom the personal data have been communicated, in particular the recipients who are
p.(None): established in non-member states of the European Union or international organizations;
p.(None): "4 ° When possible, the envisaged period of retention of personal data or, when this is not possible, the criteria used
p.(None): to determine this duration;
p.(None): "5 ° The existence of the right to ask the data controller for the rectification or erasure of personal data, or the limitation of
p.(None): processing of this data;
p.(None): "6 ° The right to lodge a complaint with the National Commission for Data Protection and the contact details of the commission;
p.(None): "7 ° Communication of personal data being processed, as well as any available information as to their source.
p.(None): "Art. 70-20. - I. - The data subject has the right to obtain from the controller:
p.(None): “1 ° That personal data concerning him that are inaccurate be rectified as soon as possible;
p.(None): “2 ° That incomplete personal data concerning it be completed, including by providing a complementary declaration for this purpose;
p.(None): "3 ° That personal data concerning him be erased as soon as possible when the processing is carried out in violation of the provisions
p.(None): of this law or when this data must be erased in order to comply with a legal obligation to which the controller is subject.
p.(None): "II. - When the interested party requests it, the controller must justify that he has carried out the operations required under I.
...
p.(None): "VI. - When personal data have been rectified or erased or the processing has been limited under I, II and III, the person responsible for
p.(None): processing notifies the recipients so that they rectify or erase the data or limit the processing of the data under their responsibility.
p.(None): "Art. 70-21. - I. - The rights of the natural person concerned may be subject to restrictions in accordance with the procedures provided for in II of this article therefore
p.(None): and as long as such a restriction constitutes a necessary and proportionate measure in a democratic society with due regard to the rights
p.(None): fundamental and legitimate interests of the person for:
p.(None): "1 ° Avoid hindering investigations, research or official or judicial procedures:
p.(None): “2 ° Avoid harming the prevention or detection of criminal offenses, the investigations or prosecutions in the matter or the execution of criminal sanctions;
p.(None): “3 ° Protect public security;
p.(None): “4 ° Protect national security;
p.(None): "5 ° Protect the rights and freedoms of others.
p.(None): "These restrictions are provided for in the treatment initiation act.
p.(None): "II. - When the conditions provided for in I are fulfilled, the controller may:
p.(None): "1 ° Delay or limit the supply to the data subject of the information mentioned in II of article 70-18, or not provide this information;
p.(None): "2 ° Limit, in whole or in part, the right of access of the data subject provided for in article 70-19;
p.(None): "3 ° Not informing the person of his refusal to rectify or erase personal data or to limit the processing, as well as the reasons for
p.(None): this decision in accordance with IV of article 70-20.
p.(None): "III. - In the cases referred to in 2 ° of II, the controller informs the data subject, as soon as possible, of any refusal or any limitation
p.(None): of access, as well as the reasons for refusal or limitation. This information may not be provided when its communication risks compromising one
p.(None): of the objectives set out in I. The controller records the factual or legal grounds on which the decision is based, and makes this information available to the
p.(None): provision of the National Commission for Data Protection.
p.(None): "IV. - In case of restriction of the rights of the data subject intervened in application of II or III, the controller informs the person
p.(None): concerned with the possibility of exercising his rights through the National Commission for Data Protection and to file an appeal
p.(None): jurisdictional.
p.(None): "Art. 70-22. - In case of restriction of the rights of the data subject intervened in application of II or III of article 70-21, the data subject may
p.(None): refer to the National Commission for Data Protection.
p.(None): "The provisions of the second and third paragraphs of article 41 then apply.
p.(None): "When the commission informs the person concerned that the necessary verifications have been made, it also informs him of his right to form a
p.(None): jurisdictional appeal.
p.(None): "Art. 70-23. - No payment is required to take the measures and provide the information referred to in articles 70-18 to 70-20, unless requested
p.(None): manifestly unfounded or abusive.
p.(None): “In this case, the controller may also refuse to comply with the request.
p.(None): "In the event of a dispute, the burden of proving the manifestly unfounded or abusive nature of the requests lies with the data controller
p.(None): from which they are addressed.
p.(None): "Art 70-24. - The provisions of this sub-section do not apply when the personal data appear either in a decision
p.(None): or in a judicial file which is the subject of processing during criminal proceedings. In these cases, access to this data can only be done
p.(None): under the conditions provided for by the Code of Criminal Procedure.
p.(None): "Section 4
p.(None): “Transfers of personal data to non-member states
p.(None): "To the European Union or to recipients established in non-member states
p.(None): " of the European Union
p.(None): "Art. 70-25. - The person responsible for processing personal data cannot transfer data or authorize the transfer of data already
p.(None): transmitted to a State outside the European Union only when the following conditions are met:
p.(None): "1 ° The transfer of this data is necessary for one of the purposes set out in 1 ° of article 70-1;
p.(None): "2 ° Personal data is transferred to a person responsible in that third State or to an international organization which is an authority
p.(None): competent responsible in this State for purposes falling under 1 ° of article 70-1 in France;
p.(None): "3 ° If the personal data come from another State, the State which transmitted these data has previously authorized this transfer in accordance with
p.(None): national law.
p.(None): "However, if prior authorization cannot be obtained in good time, this personal data may be retransmitted without authorization
p.(None): prior notice from the State which transmitted the data when this retransmission is necessary to prevent a serious and immediate threat to security
...
Social / Ethnicity
Searching for indicator ethnic:
(return to top)
p.(None): “Restricted training can make the measures it takes public. It can also order their insertion in publications, newspapers and
p.(None): supports it designates at the expense of sanctioned persons.
p.(None): "Without prejudice to the information obligations incumbent on them pursuant to Article 34 of Regulation (EU) 2016/679, the restricted panel may order
p.(None): that the person in charge or the subcontractor concerned informs each of the persons concerned, at his own expense, of the violation of the provisions of the
p.(None): this law or the aforementioned regulation as well as, if applicable, the measure pronounced. "
p.(None): V. - Article 48 of the same law is replaced by the following provisions:
p.(None): "Art. 48. - When a certification body or a body responsible for compliance with a code of conduct has failed to fulfill its obligations or has failed to comply with the
p.(None): provisions of Regulation (EU) 2016/679 or of this law, the president of the National Commission for Data Protection may, where appropriate
p.(None): after formal notice, refer to the restricted panel of the Commission which may pronounce, under the same conditions as those provided for in articles 45 to 47,
p.(None): withdrawal of the license issued to them. "
p.(None): Chapter II
p.(None): Provisions relating to certain categories of data
p.(None): Article 7
p.(None): Article 8 of the same law is amended as follows:
p.(None): 1 ° I is worded as follows:
p.(None): "I. - It is prohibited to process personal data, which reveals alleged racial or ethnic origin, political opinions,
p.(None): religious or philosophical beliefs or union membership or to process genetic data, biometric data for the purpose of identifying a
p.(None): uniquely natural person, data concerning health or data concerning a person's sexual life or sexual orientation
p.(None): physical. ";
p.(None): 2 ° In 7 ° of II, the words: “and under the conditions provided for in article 25 of this law” are deleted;
p.(None): 3 ° 8 ° of II is replaced by the following provisions: "8 ° Treatments containing data relating to health justified in the public interest and
p.(None): in accordance with the provisions of Chapter IX. ";
p.(None): 4 ° After 8 ° of II, a 9 ° is inserted as follows:
p.(None): "9 ° The processing implemented by employers or administrations which relate to biometric data necessary for access control to
p.(None): workplaces as well as the devices and applications used in the context of missions entrusted to employees or agents. ";
p.(None): 5 ° In III, the first sentence is replaced by the following sentence:
p.(None): "The personal data mentioned in I, which are called upon to be subject to short notice, are also not subject to the prohibition provided for in I
p.(None): an anonymization process previously recognized in accordance with the provisions of this law by the National Commission for Data Protection.
p.(None): "
p.(None): And the second sentence is deleted;
p.(None): 6 ° The IV is replaced by the following provisions:
...
Social / Incarcerated
Searching for indicator restricted:
(return to top)
p.(None): establish additional requirements to accreditation standards. ";
p.(None): 7 ° In g of 2 °, after the word: “certification” are inserted the words: “, by approved or accredited third parties according to the terms mentioned in fa,”;
p.(None): 8 ° At the hour of 2 °, the words: “of access concerning the treatments mentioned in articles 41 and 42” are replaced by the words: “of exercise of the rights provided
p.(None): Articles 41, 42 and 70-22 ”;
p.(None): 9 ° After the h of 2 °, an i is inserted as follows:
p.(None): "I) It may establish a list of treatments likely to create a high risk which must be subject to prior consultation in accordance with article 70-4
p.(None): ";
p.(None): 10 ° In a of 4 °, after the first sentence, a sentence worded as follows is inserted:
p.(None): "It can also be consulted by the President of the National Assembly or by the President of the Senate on any draft law relating to protection
p.(None): personal data or the processing of such data. ";
p.(None): 11 ° After the f of 4 °, a paragraph worded as follows is inserted:
p.(None): "5 ° It may submit observations before any court in the event of a dispute relating to the application of Regulation (EU) 2016/679 and this law";
p.(None): 12 ° At the beginning of the twenty-sixth paragraph, the reference is inserted: “II. - ".
p.(None): Article 2
p.(None): In 7 ° of I of article 13 of the same law, after the word: "digital" are inserted the words: "or questions relating to individual freedoms".
p.(None): Article 3
p.(None): I. - In the first paragraph of article 17 of the same law, after the words: "restricted training", are added the words: "take the measures and" and after the words
p.(None): : “Obligations arising” are added the words: “of Regulation (EU) 2016/679 and”.
p.(None): II. - After the first paragraph of article 17 of the same law, the following paragraph is inserted:
p.(None): "The members deliberate without the presence of the agents of the commission, with the exception of those responsible for holding the meeting."
p.(None): III. - The second paragraph of article 18 of the same law is replaced by the following provisions:
p.(None): "The Government Commissioner attends all the deliberations of the committee meeting in plenary, as well as those of the meetings of his
p.(None): office which have for object the exercise of the delegated attributions under article 16. It can attend the sessions of the restricted formation, without being present
p.(None): to deliberate. He is the recipient of all the opinions and decisions of the commission and of the restricted panel ".
p.(None): IV. - The third paragraph of article 18 of the same law is replaced by the following provisions:
p.(None): "Except in the case of measures or sanctions under Chapter VII, it may cause a second deliberation of the commission, which must intervene in the
p.(None): ten days from the initial deliberation ”.
p.(None): Article 4
p.(None): Article 44 of the same law is amended as follows:
p.(None): 1 ° In I, the words: "and which are for professional use" are deleted;
p.(None): 2 ° In the first sentence of II, the words: “of private professional premises” are replaced by the words: “of these places, premises, enclosures, installations or
p.(None): establishments "and in the last sentence of the same II, after the word:" visit "the following sentence is added:
p.(None): "Whose purpose is the effective exercise of the missions provided for in III";
p.(None): 3 ° In III, the first three paragraphs are replaced by two paragraphs worded as follows:
p.(None): "For the exercise of the missions entrusted to the National Commission for Information Technology and Freedoms by regulation (EU) 2016/679 and by this law, the
p.(None): members and agents mentioned in the first paragraph of I may request communication of any document, whatever the medium, and take a copy. They
p.(None): may collect, in particular on the spot or on convocation, any useful information and justi fi cation. They can access, in conditions preserving
p.(None): con fi dentiality with regard to third parties, to computer programs and data, as well as to request transcription by any appropriate processing in
p.(None): documents directly usable for the purposes of control. Secrecy cannot be opposed to them except concerning the information covered by the secret
...
p.(None): 4 ° After the fourth paragraph of III, a paragraph is inserted as follows:
p.(None): "For the control of online public communication services, the members and agents mentioned in the first paragraph of I can carry out any operation
p.(None): necessary for their mission under a borrowed identity. The use of an assumed identity does not affect the regularity of the findings made
p.(None): in accordance with the previous paragraph. A decree in Council of State taken after opinion of the National Commission of data processing and liberties specifies the conditions
p.(None): in which they proceed in their cases to their findings. ";
p.(None): 5 ° The following paragraph is added:
p.(None): "V. - In the exercise of its supervisory power relating to processing under Regulation (EU) 2016/679 and this law, the National Commission
p.(None): of data processing and freedoms is not competent to control the processing operations carried out, in the exercise of their jurisdictional function, by
p.(None): the courts. "
p.(None): Article 5
p.(None): I. - Article 49 of the same law is replaced by the following provisions:
p.(None): "Art. 49. - Under the conditions provided for in Articles 60 to 67, of Regulation (EU) 2016/679, the National Commission for Data Protection sets out
p.(None): implements procedures of cooperation and mutual assistance with the supervisory authorities of the other Member States of the European Union, and carries out with
p.(None): them joint operations.
p.(None): "The commission, the president, the bureau, the restricted formation and the agents of the commission implement, each as far as they are concerned, the
p.(None): procedures referred to in the previous paragraph. "
p.(None): II. - After article 49, articles 49-1, 49-2, 49-3 and 49-4 are inserted as follows:
p.(None): "Art. 49-1. - I. - The National Data Protection Commission cooperates with the supervisory authorities of the other Member States of the Union
p.(None): European Union pursuant to Article 62 of Regulation (EU) 2016/679, under the conditions provided for in this article. This cooperation is not applicable to
p.(None): processing that does not fall within the scope of European Union law.
p.(None): "II. - Whether it acts as head supervisor or as concerned authority within the meaning of Articles 4 and 56 of Regulation (EU) 2016/679, the
p.(None): National Commission for Data Protection has the power to deal with a complaint or a possible violation of the provisions of the same
p.(None): regulation affecting other Member States as well. The chairman of the committee invites the other supervisory authorities concerned to participate in the
p.(None): joint control operations that he decides to conduct.
p.(None): "III. - When a joint control operation takes place on French territory, members or authorized agents of the commission, acting as
p.(None): that the host control authorities are present alongside the members and agents of the other control authorities participating, where appropriate, in the operation. To the
...
p.(None): the European Union or French law is an obstacle.
p.(None): "The Commission shall inform the requesting authority of the results obtained or, as the case may be, of the progress of the file or of the measures taken to follow up on the
p.(None): request.
p.(None): "The committee may, for the exercise of its tasks, request the assistance of a supervisory authority from another Member State of the European Union.
p.(None): "The commission shall give the reasons for any refusal to satisfy a request when it considers that it is not competent or when it considers that satisfying the
p.(None): request would constitute a violation of European Union law, or French law.
p.(None): "Art. 49-3. - When the commission acts as the lead supervisory authority for cross-border processing within the European Union, it
p.(None): communicate the report of the rapporteur member, as well as all the relevant information from the procedure used to draw up the report, to the other authorities
p.(None): control concerned without delay and before the possible hearing of the data controller or the processor. The authorities concerned are put in
p.(None): able to attend the hearing through the limited training of the controller or processor by any appropriate means of retransmission, or
p.(None): take note of the minutes drawn up following the hearing.
p.(None): "After having deliberated on it, the restricted panel submits its draft decision to the other authorities concerned in accordance with the procedure defined in article
p.(None): 60 of Regulation (EU) 2016/679. As such, it decides on the taking into account of the relevant and reasoned objections raised by the authorities concerned and
p.(None): seizes, if it decides to reject one of the objections, the European Data Protection Board in accordance with Article 65 of the regulation.
p.(None): "The conditions for the application of this article are defined by a decree in Council of State, after opinion of the National Commission for Information Technology and
p.(None): freedoms.
p.(None): "Art. 49-4. - When the committee acts as the authority concerned, within the meaning of Regulation (EU) 2016/679, the chairman of the committee is seized of the projects
p.(None): corrective measures submitted to the commission by another lead authority.
p.(None): "When these measures have an equivalent object to those defined in I and III of article 45, the president decides, if necessary, to raise a relevant objection
p.(None): and motivated according to the terms provided for in article 60 of these regulations.
p.(None): "When these measures are of equivalent purpose to those defined in II of article 45 and in article 46, the president seizes the restricted formation. The President of the
p.(None): restricted party or the member of the restricted party it designates may, if applicable, raise a relevant and reasoned objection using the same
p.(None): modalities. "
p.(None): Article 6
p.(None): I. - The title of chapter VII of the same law is deleted and replaced by the following title:
p.(None): "Measures and sanctions taken by the restricted formation of the National Commission for Data Protection and Liberties"
p.(None): II. - Article 45 of the same law is replaced by the following provisions:
p.(None): "Art. 45. - I. - The president of the National Commission for Information Technology and Liberties may warn a data controller or a processor that
p.(None): the processing operations envisaged are likely to violate the provisions of regulation (EU) 2016/679 or of this law.
p.(None): "II. - When the controller or the processor does not comply with the obligations resulting from Regulation (EU) 2016/679 or this law, the
p.(None): president of the National Commission for Information Technology and Freedoms may refer to the restricted formation of the commission for pronouncement, after procedure
p.(None): contradictory, from one or more of the following measures:
p.(None): "1 ° A call to order;
p.(None): "2 ° An injunction to bring the processing into conformity with the obligations resulting from this law or from regulation (EU) 2016/679 or to comply with the
p.(None): requests by the data subject to exercise their rights, which may be combined, except in cases where the processing is carried out by
p.(None): the State, of a penalty which the amount cannot exceed 100,000 € per day;
p.(None): "3 ° With the exception of processing which concerns state security or defense, the temporary or final limitation of processing, its prohibition or withdrawal
p.(None): an authorization granted pursuant to Regulation (EU) 2016/679 or this Law;
p.(None): "4 ° The withdrawal of a certification or the injunction, to the body concerned, to refuse or withdraw the certification granted;
p.(None): “5 ° The suspension of data flows addressed to a recipient located in a third country or to an international organization;
p.(None): "6 ° The withdrawal of the decision approving a binding business rule;
p.(None): "7 ° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, being a
p.(None): company, 2% of the total global annual revenue for the previous fiscal year, whichever is greater. In the cases mentioned in
p.(None): paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679, these ceilings are raised to 20 million euros and 4% of turnover respectively. The
p.(None): Restricted training takes into account, in determining the amount of the fine, the criteria specified in Article 83 of Regulation (EU) 2016/679.
p.(None): "When the restricted panel has pronounced a financial penalty which has become final before the criminal judge has finally ruled on the same facts or
p.(None): related facts, the latter may order that the administrative fine be deducted from the criminal fine which he pronounces.
p.(None): “The financial penalties are recovered like the debts of the State foreign to the tax and the field.
p.(None): "The draft measure is if necessary submitted to the other authorities concerned according to the procedures defined in Article 60 of Regulation (EU) 2016/679.
p.(None): "III. - When the controller or the processor does not comply with the obligations arising from Regulation (EU) 2016/679 or from this law, the
p.(None): President of the National Commission for Information Technology and Freedoms may also issue a formal notice to him within the time limit which he fixes:
p.(None): "1 ° To comply with requests made by the data subject with a view to exercising his rights;
p.(None): “2 ° To bring the processing operations into compliance with the applicable provisions;
p.(None): "3 ° With the exception of processing which concerns state security or defense and those mentioned in article 27, to communicate to the data subject
p.(None): a personal data breach;
p.(None): "4 ° To rectify or delete personal data, or to limit processing.
p.(None): "In the case provided for in 4 °, the president may, under the same conditions, give notice to the data controller or the processor to notify the
p.(None): recipients of the data the actions it has taken.
p.(None): "The deadline for compliance can be set at twenty-four hours in the event of an extreme emergency.
p.(None): “The president shall, if necessary, declare the procedure for formal notice closed.
p.(None): "The president may ask the office to make the formal notice public. In this case, the decision to close the formal notice procedure is made
p.(None): the subject of the same advertisement. "
p.(None): III. - Article 46 of the same law is replaced by the following provisions:
p.(None): "Art. 46. - I. - When non-compliance with the provisions of Regulation (EU) 2016/679 or this law leads to a violation of the rights and freedoms mentioned
p.(None): in article 1 and that the president of the commission considers that it is urgent to intervene, he enters the restricted formation which can, within the framework of a procedure
p.(None): contradictory emergency defined by decree in Council of State, adopt one of the following measures:
p.(None): "1 ° The temporary interruption of the processing, including the transfer of data outside the European Union, for a maximum period of
p.(None): three months, if the processing is not among those mentioned in I and II of article 26 and those mentioned in article 27;
p.(None): "2 ° The limitation of the processing of some of the personal data processed, for a maximum period of three months, if the processing is not within
p.(None): number of those mentioned in I and II of Article 26;
p.(None): “3 ° The temporary suspension of the certification issued to the data controller or the processor;
p.(None): "4 ° The temporary suspension of the approval issued to a certification body or a body responsible for compliance with a code of conduct;
p.(None): "5 ° The temporary suspension of the authorization issued on the basis of III of article 54 of chapter IX of this law.
p.(None): "6 ° The injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 or this law, which may be combined, except
p.(None): in cases where the processing is implemented by the State, a penalty payment the amount of which cannot exceed € 100,000 per day;
p.(None): "7 ° A call to order;
p.(None): "8 ° Information to the Prime Minister so that he may take, if necessary, the measures to put an end to the violation found, if the processing in question
p.(None): is among those mentioned in the same I and II of article 26. The Prime Minister then informs the restricted formation of the consequences it has
p.(None): given to this information no later than fifteen days after receiving it.
p.(None): "II. - In the exceptional circumstances provided for in Article 66 (1) of Regulation (EU) 2016/679, when the restricted formation adopts the measures
p.(None): provisional provided for in 1 ° to 4 ° of I of this article, it shall immediately inform the other supervisory authorities of the content of the measures taken and of their reasons.
p.(None): concerned, the European Data Protection Board and the European Commission.
p.(None): "When the restricted formation has taken such measures and considers that definitive measures must be taken, it shall implement the provisions of the
p.(None): 2 of Article 66 of the Regulation.
p.(None): "III. - For processing operations governed by Chapter XIII, when a competent supervisory authority under Regulation (EU) 2016/679 has not taken action
p.(None): appropriate in a situation where it is urgent to intervene in order to protect the rights and freedoms of the persons concerned, the restricted training, seized by the
p.(None): president of the commission, may ask the european data protection committee for an emergency opinion or a binding emergency decision in
p.(None): the conditions and according to the methods provided for in 3 and 4 of article 66 of this regulation.
p.(None): "IV. - In the event of a serious and immediate infringement of the rights and freedoms mentioned in article 1, the president of the commission may also request, through the
p.(None): referred, to the competent court to order, if necessary under penalty, any measure necessary to safeguard these rights and freedoms. "
p.(None): IV. - Article 47 of the same law is replaced by the following provisions:
p.(None): "Art. 47. - The measures provided for in II of article 45 and in 1 ° to 6 ° of I of article 46 are pronounced on the basis of a report drawn up by one of the members of the
p.(None): National Commission for Data Protection, appointed by its president from among the members not belonging to the restricted group. This
p.(None): report is notified to the data controller or the processor, who can file observations and be represented or assisted. The rapporteur may
p.(None): present oral observations to the restricted panel but does not take part in its deliberations. The restricted panel may hear any person whose
p.(None): the hearing seemed to him likely to contribute usefully to its information, including, at the request of the secretary general, the agents of the services.
p.(None): “Restricted training can make the measures it takes public. It can also order their insertion in publications, newspapers and
p.(None): supports it designates at the expense of sanctioned persons.
p.(None): "Without prejudice to the information obligations incumbent on them pursuant to Article 34 of Regulation (EU) 2016/679, the restricted panel may order
p.(None): that the person in charge or the subcontractor concerned informs each of the persons concerned, at his own expense, of the violation of the provisions of the
p.(None): this law or the aforementioned regulation as well as, if applicable, the measure pronounced. "
p.(None): V. - Article 48 of the same law is replaced by the following provisions:
p.(None): "Art. 48. - When a certification body or a body responsible for compliance with a code of conduct has failed to fulfill its obligations or has failed to comply with the
p.(None): provisions of Regulation (EU) 2016/679 or of this law, the president of the National Commission for Data Protection may, where appropriate
p.(None): after formal notice, refer to the restricted panel of the Commission which may pronounce, under the same conditions as those provided for in articles 45 to 47,
p.(None): withdrawal of the license issued to them. "
p.(None): Chapter II
p.(None): Provisions relating to certain categories of data
p.(None): Article 7
p.(None): Article 8 of the same law is amended as follows:
p.(None): 1 ° I is worded as follows:
p.(None): "I. - It is prohibited to process personal data, which reveals alleged racial or ethnic origin, political opinions,
p.(None): religious or philosophical beliefs or union membership or to process genetic data, biometric data for the purpose of identifying a
p.(None): uniquely natural person, data concerning health or data concerning a person's sexual life or sexual orientation
p.(None): physical. ";
p.(None): 2 ° In 7 ° of II, the words: “and under the conditions provided for in article 25 of this law” are deleted;
p.(None): 3 ° 8 ° of II is replaced by the following provisions: "8 ° Treatments containing data relating to health justified in the public interest and
p.(None): in accordance with the provisions of Chapter IX. ";
p.(None): 4 ° After 8 ° of II, a 9 ° is inserted as follows:
p.(None): "9 ° The processing implemented by employers or administrations which relate to biometric data necessary for access control to
p.(None): workplaces as well as the devices and applications used in the context of missions entrusted to employees or agents. ";
p.(None): 5 ° In III, the first sentence is replaced by the following sentence:
...
Social / Marital Status
Searching for indicator single:
(return to top)
p.(None): "II. - Reference standards and standard regulations, within the meaning of a bis and b of 2 ° of article 11, applying to processing operations falling under this chapter are established by
p.(None): the National Commission for Data Protection in conjunction with the National Institute for Health Data mentioned in article L. 1462-1 of the
p.(None): public health and public and private organizations representative of the actors concerned.
p.(None): "Processing in accordance with these standards and standard regulations may be implemented on the condition that their managers address beforehand
p.(None): the National IT Commission a declaration attesting to this compliance.
p.(None): "These standards can also relate to the description and the procedural guarantees allowing the provision for processing of
p.(None): health data with a low risk of impact on privacy.
p.(None): "III. - The processing operations mentioned in the first paragraph of I which do not comply with a standard or a standard regulation mentioned in II cannot be used
p.(None): implemented only after authorization by the National Commission for Data Protection.
p.(None): "The National Institute for Health Data mentioned in Article L. 1462-1 of the Public Health Code may seize or be seized, under defined conditions
p.(None): by decree in Council of State, by the National Commission for Data Protection and the Minister responsible for health on the nature of public interest that
p.(None): presents the treatment.
p.(None): "IV. - The commission may, by a single decision, issue the same applicant with authorization for processing for the same purpose, relating to
p.(None): identical categories of data and having identical categories of recipients.
p.(None): "V. - The National Commission for Information Technology and Freedoms decides within two months of receipt of the request. However, this
p.(None): deadline may be renewed once by reasoned decision of its president or when the National Institute for Health Data is referred to in application of II of
p.(None): this article.
p.(None): "When the committee has not made a decision within these deadlines, the request for authorization is deemed to have been accepted. However, this provision is not
p.(None): applicable if the authorization is subject to prior notice under the provisions of this chapter and the opinion or opinions given are not expressly
p.(None): favorable.
p.(None): "Art. 55. - By way of derogation from article 54, the processing of personal health data implemented by the bodies or departments responsible
p.(None): of a public service mission appearing on a list fixed by decree of the ministers responsible for health and social security, taken after opinion of the
p.(None): National Commission for Information Technology and Liberties, the sole purpose of which is to respond to and manage a health alert in the event of an emergency
p.(None): the consequences, within the meaning of section 1 of chapter III of title I of book IV of the public health code, are subject only to the provisions of section 3 of the
p.(None): Chapter IV of Regulation (EU) 2016/79.
p.(None): "The processing operations mentioned in the first paragraph which use the registration number of persons in the national directory of identification of persons
...
p.(None): consultation with the National Institute for Health Data mentioned in Article L. 1462-1 of the Public Health Code and public and private organizations
p.(None): representative of the actors concerned.
p.(None): "When the processing conforms to a reference methodology, it can be implemented without the authorization mentioned in article 54, provided that
p.(None): its manager shall send the National Informatics Commission a declaration attesting to this compliance.
p.(None): "Art. 63. - Authorization for processing is granted by the National Commission for Data Protection under the conditions defined in article 54 and
p.(None): after notice:
p.(None): "1 ° From the competent committee for the protection of persons mentioned in article L. 1123-6 of the public health code, for requests for authorization relating to
p.(None): research involving the human person mentioned in article L. 1121-1 of the same code;
p.(None): "2 ° The committee of expertise for research, studies and evaluations in the health field, for requests for authorization relating to
p.(None): studies or evaluations as well as research not involving the human person, within the meaning of 1 ° of this article. A decree in Council of State, taken
p.(None): after consulting the National Commission for Data Protection, sets the composition of this committee and de fi nes its operating rules. The committee
p.(None): of expertise is subject to article L. 1451-1 of the public health code.
p.(None): "The files presented in the context of this section, excluding research involving the human person, are filed with a
p.(None): single secretariat provided by the National Institute for Health Data, which directs them to the competent bodies. "
p.(None): Chapter IV
p.(None): Special provisions relating to the rights of data subjects
p.(None): Article 14
p.(None): Article 10 of the same law is amended as follows:
p.(None): 1 ° In the second paragraph:
p.(None): a) The words: "In addition to the cases mentioned in a and c under 2 of article 22 of regulation 2016/679" are introduced at the beginning of the first sentence;
p.(None): b) The words: "define the profile of the person concerned" are replaced by the word: "anticipate";
p.(None): c) The words: "of his personality" are replaced by the words: "personnel relating to the person concerned, with the exception of administrative decisions
p.(None): taken in compliance with Article L. 311-3-1 and Chapter I of Title I of Book IV of the Code of Public and Administrative Relations, provided
p.(None): that the processing does not relate to data mentioned in I of article 8, ";
p.(None): 2 ° The third paragraph is replaced by the following provisions:
p.(None): "For the administrative decisions mentioned in the previous paragraph, the controller ensures control of the algorithmic processing and its
p.(None): developments ”.
p.(None): Article 15
p.(None): After II of article 40 of the same law the following provisions are inserted:
p.(None): "III. - A decree in Council of State, taken after opinion of the National Commission for Data Protection, sets the list of treatments and categories of
p.(None): processing operations authorized to derogate from the right to communication of a data breach governed by Article 34 of, Regulation (EU) 2016/679 when the notification
...
p.(None): for the purposes of criminal proceedings.
p.(None): "This newspaper is made available to the National Commission for Data Protection at its request.
p.(None): "Art. 70-16. - Articles 31, 33 and 34 of Regulation (EU) 2016/679 are applicable to the processing of personal data covered by this
p.(None): chapter.
p.(None): "If the personal data breach relates to personal data which has been transmitted by the controller of a
p.(None): or to that other Member State, the controller also reports the violation to the controller of the other member state in the
p.(None): as fast as we can.
p.(None): "Communication of a personal data breach to the data subject may be delayed, limited or not delivered, therefore and
p.(None): as long as a measure of this nature constitutes a necessary and proportionate measure in a democratic society, with due regard
p.(None): fundamental rights and legitimate interests of the natural person concerned, when its implementation is likely to endanger security
p.(None): public security, national security or the rights or freedoms of others or to obstruct the proper conduct of investigations and procedures intended to prevent, detect
p.(None): or prosecute criminal offenses or to execute criminal sanctions.
p.(None): "Art. 70-17. - I. - Except for the jurisdictions acting in the exercise of their jurisdictional function, the controller designates a delegate to the
p.(None): Data protection.
p.(None): “A single data protection officer may be appointed for several competent authorities, taking into account their organizational structure and their
p.(None): cut.
p.(None): "The provisions of paragraphs 5 and 7 of article 37, paragraphs 1 and 2 of article 38 and paragraph 1 of article 39 of Regulation (EU) 2016/679, in
p.(None): what they relate to the controller, are applicable to the processing of personal data covered by this chapter.
p.(None): "Section 3
p.(None): "Rights of the data subject
p.(None): "Art. 70-18. - I. - The controller makes the following information available to the data subject:
p.(None): “1 ° The identity and contact details of the controller, and if applicable, those of his representative;
p.(None): “2 ° If necessary, the contact details of the data protection officer;
p.(None): “3 ° The purposes pursued by the processing for which the data is intended;
p.(None): "4 ° The right to lodge a complaint with the National Commission for Data Protection and the contact details of the commission;
p.(None): "5 ° The existence of the right to request the controller to access personal data, their rectification or their erasure, and the
p.(None): limitation of the processing of personal data relating to a data subject.
p.(None): "II. - In addition to the information referred to in I, the controller provides the data subject, in special cases, with the information
p.(None): following to enable him to exercise his rights:
p.(None): “1 ° The legal basis for the processing;
...
Social / Police Officer
Searching for indicator officer:
(return to top)
p.(None): for the purposes of criminal proceedings.
p.(None): "This newspaper is made available to the National Commission for Data Protection at its request.
p.(None): "Art. 70-16. - Articles 31, 33 and 34 of Regulation (EU) 2016/679 are applicable to the processing of personal data covered by this
p.(None): chapter.
p.(None): "If the personal data breach relates to personal data which has been transmitted by the controller of a
p.(None): or to that other Member State, the controller also reports the violation to the controller of the other member state in the
p.(None): as fast as we can.
p.(None): "Communication of a personal data breach to the data subject may be delayed, limited or not delivered, therefore and
p.(None): as long as a measure of this nature constitutes a necessary and proportionate measure in a democratic society, with due regard
p.(None): fundamental rights and legitimate interests of the natural person concerned, when its implementation is likely to endanger security
p.(None): public security, national security or the rights or freedoms of others or to obstruct the proper conduct of investigations and procedures intended to prevent, detect
p.(None): or prosecute criminal offenses or to execute criminal sanctions.
p.(None): "Art. 70-17. - I. - Except for the jurisdictions acting in the exercise of their jurisdictional function, the controller designates a delegate to the
p.(None): Data protection.
p.(None): “A single data protection officer may be appointed for several competent authorities, taking into account their organizational structure and their
p.(None): cut.
p.(None): "The provisions of paragraphs 5 and 7 of article 37, paragraphs 1 and 2 of article 38 and paragraph 1 of article 39 of Regulation (EU) 2016/679, in
p.(None): what they relate to the controller, are applicable to the processing of personal data covered by this chapter.
p.(None): "Section 3
p.(None): "Rights of the data subject
p.(None): "Art. 70-18. - I. - The controller makes the following information available to the data subject:
p.(None): “1 ° The identity and contact details of the controller, and if applicable, those of his representative;
p.(None): “2 ° If necessary, the contact details of the data protection officer;
p.(None): “3 ° The purposes pursued by the processing for which the data is intended;
p.(None): "4 ° The right to lodge a complaint with the National Commission for Data Protection and the contact details of the commission;
p.(None): "5 ° The existence of the right to request the controller to access personal data, their rectification or their erasure, and the
p.(None): limitation of the processing of personal data relating to a data subject.
p.(None): "II. - In addition to the information referred to in I, the controller provides the data subject, in special cases, with the information
p.(None): following to enable him to exercise his rights:
p.(None): “1 ° The legal basis for the processing;
p.(None): “2 ° The period of storage of personal data or, when this is not possible, the criteria used to determine this period;
p.(None): "3 ° Where applicable, the categories of recipients of personal data, including in States which are not members of the European Union or in
p.(None): within international organizations;
p.(None): “4 ° If necessary, additional information, in particular when personal data is collected without the knowledge of the person concerned.
p.(None): "Art. 70-19. - The data subject has the right to obtain confirmation from the controller that personal data concerning him
p.(None): are or are not processed and, when they are, access to said data as well as the following information:
p.(None): “1 ° The purposes of the processing and its legal basis;
p.(None): “2 ° The categories of personal data concerned;
p.(None): "3 ° The recipients or categories of recipients to whom the personal data have been communicated, in particular the recipients who are
...
Social / Property Ownership
Searching for indicator home:
(return to top)
p.(None): By continuing to browse without changing your cookie settings, you accept the use of cookies. For30
p.(None): Saturday manage Information from
p.(None): and change these settings, update here
p.(None): click day
p.(None): Discover the modernized Légifrance site
p.(None): 2020 in beta
p.(None): https://beta.legifrance.gouv.fr
p.(None): Home French law European law International law Translations Databases
p.(None): You are in: Home> Legislative files> Bills of the 15th legislature> Legislative files - LAW n ° 2018-493 of 20 June 2018 relating to
p.(None): Protection of personal data
p.(None): LAW n ° 2018-493 of 20 June 2018 on the protection of personal data
p.(None): LAW n ° 2018-493 of 20 June 2018 on the protection of personal data
p.(None): Back to the legislative dossier
p.(None): Law Project
p.(None): NOR: JUSC1732261L
p.(None): TITLE I
p.(None): PROVISIONS COMMON TO REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 AND TO THE DIRECTIVE (EU)
p.(None): 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016
p.(None): Chapter I
p.(None): Provisions relating to the National Data Processing Commission
p.(None): and freedoms
p.(None): Article 1
p.(None): Article 11 of the law n ° 78-17 of January 6, 1978 relating to data processing, the files and freedoms is thus modified:
p.(None): 1 ° At the beginning of the first paragraph, the reference: "I. -" is inserted;
p.(None): 2 ° After the first sentence of the first paragraph is inserted the following sentence:
p.(None): "It is the national supervisory authority within the meaning and for the application of Regulation (EU) 2016/679";
p.(None): 3 ° In a of 2 ° the words: "authorizes the treatments mentioned in article 25," and the words: "and receives the declarations relating to other treatments" are
p.(None): deleted;
p.(None): 4 ° After the a of 2 °, an a bis is inserted as follows:
p.(None): "(Aa) It establishes and publishes guidelines, recommendations or benchmarks intended to facilitate the compliance of data processing with
...
Social / Racial Minority
Searching for indicator racial:
(return to top)
p.(None): “Restricted training can make the measures it takes public. It can also order their insertion in publications, newspapers and
p.(None): supports it designates at the expense of sanctioned persons.
p.(None): "Without prejudice to the information obligations incumbent on them pursuant to Article 34 of Regulation (EU) 2016/679, the restricted panel may order
p.(None): that the person in charge or the subcontractor concerned informs each of the persons concerned, at his own expense, of the violation of the provisions of the
p.(None): this law or the aforementioned regulation as well as, if applicable, the measure pronounced. "
p.(None): V. - Article 48 of the same law is replaced by the following provisions:
p.(None): "Art. 48. - When a certification body or a body responsible for compliance with a code of conduct has failed to fulfill its obligations or has failed to comply with the
p.(None): provisions of Regulation (EU) 2016/679 or of this law, the president of the National Commission for Data Protection may, where appropriate
p.(None): after formal notice, refer to the restricted panel of the Commission which may pronounce, under the same conditions as those provided for in articles 45 to 47,
p.(None): withdrawal of the license issued to them. "
p.(None): Chapter II
p.(None): Provisions relating to certain categories of data
p.(None): Article 7
p.(None): Article 8 of the same law is amended as follows:
p.(None): 1 ° I is worded as follows:
p.(None): "I. - It is prohibited to process personal data, which reveals alleged racial or ethnic origin, political opinions,
p.(None): religious or philosophical beliefs or union membership or to process genetic data, biometric data for the purpose of identifying a
p.(None): uniquely natural person, data concerning health or data concerning a person's sexual life or sexual orientation
p.(None): physical. ";
p.(None): 2 ° In 7 ° of II, the words: “and under the conditions provided for in article 25 of this law” are deleted;
p.(None): 3 ° 8 ° of II is replaced by the following provisions: "8 ° Treatments containing data relating to health justified in the public interest and
p.(None): in accordance with the provisions of Chapter IX. ";
p.(None): 4 ° After 8 ° of II, a 9 ° is inserted as follows:
p.(None): "9 ° The processing implemented by employers or administrations which relate to biometric data necessary for access control to
p.(None): workplaces as well as the devices and applications used in the context of missions entrusted to employees or agents. ";
p.(None): 5 ° In III, the first sentence is replaced by the following sentence:
p.(None): "The personal data mentioned in I, which are called upon to be subject to short notice, are also not subject to the prohibition provided for in I
p.(None): an anonymization process previously recognized in accordance with the provisions of this law by the National Commission for Data Protection.
p.(None): "
p.(None): And the second sentence is deleted;
p.(None): 6 ° The IV is replaced by the following provisions:
...
Social / Religion
Searching for indicator conviction:
(return to top)
p.(None): 8 ° In article 70, the first and third paragraphs are deleted and in the second paragraph, the words: "entry of a declaration filed in application of articles
p.(None): 23 or 24 and showing that personal data will be transferred to this State, the National Commission for Data Protection
p.(None): issues the receipt and "are replaced by the words:" consulted in accordance with Article 36 of Regulation (EU) 2016/679 and in the event of data transfer to
p.(None): personal towards this State, the Commission ”;
p.(None): 9 ° The second sentence of article 71 is deleted.
p.(None): Article 22
p.(None): For processing operations that were subject to formalities prior to the entry into force of this law, the list mentioned in article 31 of law n ° 78-17
p.(None): mentioned above, adopted on this date, is made available to the public, in an open and easily reusable format for a period of ten years.
p.(None): Article 23
p.(None): I. - Article 230-8 of the Code of Criminal Procedure is amended as follows:
p.(None): 1 ° The first paragraph is replaced by the following provisions:
p.(None): "The processing of personal data is carried out under the supervision of the territorially competent public prosecutor who, from either
p.(None): request from the person concerned, request that they be deleted, supplemented or rectified, in particular in the event of a judicial complaint, or that they
p.(None): are mentioned. Rectification for judicial requalification is de jure. The public prosecutor decides within two months
p.(None): on the action to be taken on requests addressed to it. The data subject can make this request without delay following a
p.(None): decision which has become final, of acquittal, acquittal, conviction with exemption from sentence or exemption from mentioning in the criminal record, or dismissal, or
p.(None): classification decision without follow-up. In other cases, the person can make his request, under penalty of inadmissibility, when no more figures
p.(None): mention in the bulletin n ° 2 of his criminal record. In the event of an acquittal or acquittal decision, the personal data concerning the persons put
p.(None): in question are erased, unless the public prosecutor prescribes their maintenance, in which case it is the subject of a mention. When the public prosecutor
p.(None): République prescribes the maintenance of personal data relating to a person who has bene fi ted from an acquittal or acquittal, he notifies the
p.(None): concerned person. The decisions of dismissal or classification without continuation, are the subject of a mention, unless the public prosecutor orders
p.(None): erasure of personal data. When a decision is mentioned, the data relating to the person concerned cannot be the subject
p.(None): a consultation in the context of the administrative inquiries provided for in Articles L. 114-1, L. 234-1 to L. 234-3 of the Internal Security Code and in Article 17-
p.(None): 1 of the law n ° 95-73 of January 21, 1995 of orientation and programming relating to security. The decisions of the public prosecutor provided for in this
p.(None): paragraph ordering the maintenance or erasure of personal data or ordering that they be the subject of a mention are taken for reasons related to the
p.(None): purpose of the file with regard to the nature or circumstances of the commission of the offense or the personality of the person concerned. ";
p.(None): 2 ° In the third paragraph, the words: “in matters of erasure or rectification of personal data” are deleted.
...
Searching for indicator religious:
(return to top)
p.(None): supports it designates at the expense of sanctioned persons.
p.(None): "Without prejudice to the information obligations incumbent on them pursuant to Article 34 of Regulation (EU) 2016/679, the restricted panel may order
p.(None): that the person in charge or the subcontractor concerned informs each of the persons concerned, at his own expense, of the violation of the provisions of the
p.(None): this law or the aforementioned regulation as well as, if applicable, the measure pronounced. "
p.(None): V. - Article 48 of the same law is replaced by the following provisions:
p.(None): "Art. 48. - When a certification body or a body responsible for compliance with a code of conduct has failed to fulfill its obligations or has failed to comply with the
p.(None): provisions of Regulation (EU) 2016/679 or of this law, the president of the National Commission for Data Protection may, where appropriate
p.(None): after formal notice, refer to the restricted panel of the Commission which may pronounce, under the same conditions as those provided for in articles 45 to 47,
p.(None): withdrawal of the license issued to them. "
p.(None): Chapter II
p.(None): Provisions relating to certain categories of data
p.(None): Article 7
p.(None): Article 8 of the same law is amended as follows:
p.(None): 1 ° I is worded as follows:
p.(None): "I. - It is prohibited to process personal data, which reveals alleged racial or ethnic origin, political opinions,
p.(None): religious or philosophical beliefs or union membership or to process genetic data, biometric data for the purpose of identifying a
p.(None): uniquely natural person, data concerning health or data concerning a person's sexual life or sexual orientation
p.(None): physical. ";
p.(None): 2 ° In 7 ° of II, the words: “and under the conditions provided for in article 25 of this law” are deleted;
p.(None): 3 ° 8 ° of II is replaced by the following provisions: "8 ° Treatments containing data relating to health justified in the public interest and
p.(None): in accordance with the provisions of Chapter IX. ";
p.(None): 4 ° After 8 ° of II, a 9 ° is inserted as follows:
p.(None): "9 ° The processing implemented by employers or administrations which relate to biometric data necessary for access control to
p.(None): workplaces as well as the devices and applications used in the context of missions entrusted to employees or agents. ";
p.(None): 5 ° In III, the first sentence is replaced by the following sentence:
p.(None): "The personal data mentioned in I, which are called upon to be subject to short notice, are also not subject to the prohibition provided for in I
p.(None): an anonymization process previously recognized in accordance with the provisions of this law by the National Commission for Data Protection.
p.(None): "
p.(None): And the second sentence is deleted;
p.(None): 6 ° The IV is replaced by the following provisions:
p.(None): "IV. - Likewise, processing operations, automated or not, that are justified by the public interest and authorized under the conditions are not subject to the prohibition provided for in I
p.(None): provided for in II of Article 26. "
p.(None): TITLE II
...
Social / Threat of Stigma
Searching for indicator threat:
(return to top)
p.(None): or in a judicial file which is the subject of processing during criminal proceedings. In these cases, access to this data can only be done
p.(None): under the conditions provided for by the Code of Criminal Procedure.
p.(None): "Section 4
p.(None): “Transfers of personal data to non-member states
p.(None): "To the European Union or to recipients established in non-member states
p.(None): " of the European Union
p.(None): "Art. 70-25. - The person responsible for processing personal data cannot transfer data or authorize the transfer of data already
p.(None): transmitted to a State outside the European Union only when the following conditions are met:
p.(None): "1 ° The transfer of this data is necessary for one of the purposes set out in 1 ° of article 70-1;
p.(None): "2 ° Personal data is transferred to a person responsible in that third State or to an international organization which is an authority
p.(None): competent responsible in this State for purposes falling under 1 ° of article 70-1 in France;
p.(None): "3 ° If the personal data come from another State, the State which transmitted these data has previously authorized this transfer in accordance with
p.(None): national law.
p.(None): "However, if prior authorization cannot be obtained in good time, this personal data may be retransmitted without authorization
p.(None): prior notice from the State which transmitted the data when this retransmission is necessary to prevent a serious and immediate threat to security
p.(None): of another State or for the protection of the essential interests of France. The authority from which this personal data originated is informed without
p.(None): delay.
p.(None): "4 ° At least one of the following three conditions is met:
p.(None): “(A) The committee adopted an adequacy decision in accordance with article 36 of Directive (EU) 2016/680 of the Parliament and of the Council of 27 April 2016;
p.(None): "(B) In the absence of such an adequacy decision, appropriate safeguards with regard to the protection of personal data are provided
p.(None): in a legally binding instrument; these appropriate guarantees may either result from the data protection guarantees mentioned
p.(None): in the conventions implemented with this third State, either result from legally binding provisions required on the occasion of the exchange of
p.(None): data;
p.(None): "C) In the absence of such a decision on adequacy and appropriate guarantees as provided for in b, the controller has evaluated all
p.(None): circumstances of the transfer and considers that there are appropriate guarantees with regard to the protection of personal data;
p.(None): "When the controller of personal data transfers personal data on the sole basis of the existence of
p.(None): appropriate safeguards with regard to the protection of personal data, other than a jurisdiction carrying out processing activity in the context
p.(None): of its jurisdictional activities, it advises the National Commission for Information Technology and Freedoms of the categories of transfers falling under this basis.
...
p.(None): recipient, and the justification for the transfer and the personal data transferred. This documentation is made available to the authority of
p.(None): control, at his request.
p.(None): "When the commission has repealed, modified or suspended an adequacy decision adopted in application of article 36 of the abovementioned directive, the person responsible
p.(None): processing of personal data may nevertheless transfer personal data or authorize the transfer of data already transmitted to
p.(None): a State which does not belong to the European Union if appropriate guarantees with regard to the protection of personal data are provided
p.(None): in a legally binding instrument or if it considers after having assessed all the circumstances of the transfer that there are appropriate guarantees
p.(None): protection of personal data.
p.(None): "Art. 70-26. - Notwithstanding the provisions of the previous article, the person responsible for processing personal data cannot, in the absence of
p.(None): decision on adequacy or appropriate guarantees, transfer this data or authorize the transfer of data already transmitted to a State not belonging to
p.(None): the European Union only when the transfer is necessary:
p.(None): "1 ° Safeguarding the vital interests of the person concerned or of another person;
p.(None): "2 ° Safeguarding the legitimate interests of the person concerned when French law so provides;
p.(None): "3 ° To prevent a serious and immediate threat to the public security of a Member State of the European Union or of a third country;
p.(None): "4 ° In special cases, for one of the purposes set out in 1 ° of article 70-1;
p.(None): "5 ° In a particular case, the establishment, exercise or defense of legal claims in connection with the same ends.
p.(None): "In the cases referred to in 4 ° and 5 °, the controller of personal data does not transfer this data if he considers that the freedoms and
p.(None): fundamental rights of the data subject outweigh the public interest in the context of the proposed transfer.
p.(None): "When a transfer is made in order to safeguard the legitimate interests of the data subject, the controller keeps track of the date
p.(None): and the time of the transfer, information on the competent authority to which it was sent, and the justification for the transfer and the personal data transferred. he
p.(None): makes this information available to the National Commission for Data Protection, at its request.
p.(None): "Art. 70-27. - Any competent public authority mentioned in 2 ° of article 70-1 may, in certain special cases, transfer data of a personal nature.
p.(None): personnel directly to recipients established in a State not belonging to the European Union, when the other provisions of this law
p.(None): applicable to the treatments falling under article 70-1 are respected and that the following conditions are met:
p.(None): "1 ° The transfer is necessary for the performance of the mission of the competent authority which transfers this data for one of the purposes set out in article 70-1;
...
Social / Trade Union Membership
Searching for indicator union:
(return to top)
p.(None): medical, medical diagnosis, administration of care or treatment, or management of health service. However the communication of
p.(None): individual medical data included in this category of treatment can be done under the authority and in the presence of a doctor. ";
p.(None): 4 ° After the fourth paragraph of III, a paragraph is inserted as follows:
p.(None): "For the control of online public communication services, the members and agents mentioned in the first paragraph of I can carry out any operation
p.(None): necessary for their mission under a borrowed identity. The use of an assumed identity does not affect the regularity of the findings made
p.(None): in accordance with the previous paragraph. A decree in Council of State taken after opinion of the National Commission of data processing and liberties specifies the conditions
p.(None): in which they proceed in their cases to their findings. ";
p.(None): 5 ° The following paragraph is added:
p.(None): "V. - In the exercise of its supervisory power relating to processing under Regulation (EU) 2016/679 and this law, the National Commission
p.(None): of data processing and freedoms is not competent to control the processing operations carried out, in the exercise of their jurisdictional function, by
p.(None): the courts. "
p.(None): Article 5
p.(None): I. - Article 49 of the same law is replaced by the following provisions:
p.(None): "Art. 49. - Under the conditions provided for in Articles 60 to 67, of Regulation (EU) 2016/679, the National Commission for Data Protection sets out
p.(None): implements procedures of cooperation and mutual assistance with the supervisory authorities of the other Member States of the European Union, and carries out with
p.(None): them joint operations.
p.(None): "The commission, the president, the bureau, the restricted formation and the agents of the commission implement, each as far as they are concerned, the
p.(None): procedures referred to in the previous paragraph. "
p.(None): II. - After article 49, articles 49-1, 49-2, 49-3 and 49-4 are inserted as follows:
p.(None): "Art. 49-1. - I. - The National Data Protection Commission cooperates with the supervisory authorities of the other Member States of the Union
p.(None): European Union pursuant to Article 62 of Regulation (EU) 2016/679, under the conditions provided for in this article. This cooperation is not applicable to
p.(None): processing that does not fall within the scope of European Union law.
p.(None): "II. - Whether it acts as head supervisor or as concerned authority within the meaning of Articles 4 and 56 of Regulation (EU) 2016/679, the
p.(None): National Commission for Data Protection has the power to deal with a complaint or a possible violation of the provisions of the same
p.(None): regulation affecting other Member States as well. The chairman of the committee invites the other supervisory authorities concerned to participate in the
p.(None): joint control operations that he decides to conduct.
p.(None): "III. - When a joint control operation takes place on French territory, members or authorized agents of the commission, acting as
p.(None): that the host control authorities are present alongside the members and agents of the other control authorities participating, where appropriate, in the operation. To the
p.(None): request of the supervisory authority of the Member State, the chairman of the committee may empower, by special decision, those of the members or agents of
p.(None): the supervisory authority concerned, which presents guarantees comparable to those required of the agents of the commission, in application of the provisions of
p.(None): section 19, to exercise, under his authority, all or part of the powers of verification and investigation available to the members and agents of the commission.
p.(None): "IV. - When the committee is invited to contribute to a joint control operation decided by another competent authority, the president of the
p.(None): commission decides on the principle and the conditions of participation, appoints the members and authorized agents, and informs the requesting authority thereof within
p.(None): conditions provided for in Article 62 of Regulation (EU) 2016/679.
p.(None): "Art. 49-2. - I. - The processing operations mentioned in article 70-1 are the subject of cooperation between the National Commission for Data Protection and the
p.(None): supervisory authorities of the other Member States of the European Union under the conditions provided for in this article.
p.(None): "II. - The committee communicates to the supervisory authorities of other member states the relevant information and provides them with assistance, in particular by
p.(None): implement, at their request, control measures such as consultation, inspections and investigation.
p.(None): "The committee shall respond to a request for mutual assistance made by another supervisory authority as soon as possible and at the latest one month
p.(None): after receipt of the request containing all the necessary information, in particular its purpose and reasons. She cannot refuse to comply with this
p.(None): requests that if it is not competent to deal with the subject of the request or the measures it is asked to execute, or if a provision of the right to
p.(None): the European Union or French law is an obstacle.
p.(None): "The Commission shall inform the requesting authority of the results obtained or, as the case may be, of the progress of the file or of the measures taken to follow up on the
p.(None): request.
p.(None): "The committee may, for the exercise of its tasks, request the assistance of a supervisory authority from another Member State of the European Union.
p.(None): "The commission shall give the reasons for any refusal to satisfy a request when it considers that it is not competent or when it considers that satisfying the
p.(None): request would constitute a violation of European Union law, or French law.
p.(None): "Art. 49-3. - When the commission acts as the lead supervisory authority for cross-border processing within the European Union, it
p.(None): communicate the report of the rapporteur member, as well as all the relevant information from the procedure used to draw up the report, to the other authorities
p.(None): control concerned without delay and before the possible hearing of the data controller or the processor. The authorities concerned are put in
p.(None): able to attend the hearing through the limited training of the controller or processor by any appropriate means of retransmission, or
p.(None): take note of the minutes drawn up following the hearing.
p.(None): "After having deliberated on it, the restricted panel submits its draft decision to the other authorities concerned in accordance with the procedure defined in article
p.(None): 60 of Regulation (EU) 2016/679. As such, it decides on the taking into account of the relevant and reasoned objections raised by the authorities concerned and
p.(None): seizes, if it decides to reject one of the objections, the European Data Protection Board in accordance with Article 65 of the regulation.
p.(None): "The conditions for the application of this article are defined by a decree in Council of State, after opinion of the National Commission for Information Technology and
p.(None): freedoms.
p.(None): "Art. 49-4. - When the committee acts as the authority concerned, within the meaning of Regulation (EU) 2016/679, the chairman of the committee is seized of the projects
p.(None): corrective measures submitted to the commission by another lead authority.
p.(None): "When these measures have an equivalent object to those defined in I and III of article 45, the president decides, if necessary, to raise a relevant objection
...
p.(None): “2 ° To bring the processing operations into compliance with the applicable provisions;
p.(None): "3 ° With the exception of processing which concerns state security or defense and those mentioned in article 27, to communicate to the data subject
p.(None): a personal data breach;
p.(None): "4 ° To rectify or delete personal data, or to limit processing.
p.(None): "In the case provided for in 4 °, the president may, under the same conditions, give notice to the data controller or the processor to notify the
p.(None): recipients of the data the actions it has taken.
p.(None): "The deadline for compliance can be set at twenty-four hours in the event of an extreme emergency.
p.(None): “The president shall, if necessary, declare the procedure for formal notice closed.
p.(None): "The president may ask the office to make the formal notice public. In this case, the decision to close the formal notice procedure is made
p.(None): the subject of the same advertisement. "
p.(None): III. - Article 46 of the same law is replaced by the following provisions:
p.(None): "Art. 46. - I. - When non-compliance with the provisions of Regulation (EU) 2016/679 or this law leads to a violation of the rights and freedoms mentioned
p.(None): in article 1 and that the president of the commission considers that it is urgent to intervene, he enters the restricted formation which can, within the framework of a procedure
p.(None): contradictory emergency defined by decree in Council of State, adopt one of the following measures:
p.(None): "1 ° The temporary interruption of the processing, including the transfer of data outside the European Union, for a maximum period of
p.(None): three months, if the processing is not among those mentioned in I and II of article 26 and those mentioned in article 27;
p.(None): "2 ° The limitation of the processing of some of the personal data processed, for a maximum period of three months, if the processing is not within
p.(None): number of those mentioned in I and II of Article 26;
p.(None): “3 ° The temporary suspension of the certification issued to the data controller or the processor;
p.(None): "4 ° The temporary suspension of the approval issued to a certification body or a body responsible for compliance with a code of conduct;
p.(None): "5 ° The temporary suspension of the authorization issued on the basis of III of article 54 of chapter IX of this law.
p.(None): "6 ° The injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 or this law, which may be combined, except
p.(None): in cases where the processing is implemented by the State, a penalty payment the amount of which cannot exceed € 100,000 per day;
p.(None): "7 ° A call to order;
p.(None): "8 ° Information to the Prime Minister so that he may take, if necessary, the measures to put an end to the violation found, if the processing in question
p.(None): is among those mentioned in the same I and II of article 26. The Prime Minister then informs the restricted formation of the consequences it has
p.(None): given to this information no later than fifteen days after receiving it.
p.(None): "II. - In the exceptional circumstances provided for in Article 66 (1) of Regulation (EU) 2016/679, when the restricted formation adopts the measures
...
p.(None): "Without prejudice to the information obligations incumbent on them pursuant to Article 34 of Regulation (EU) 2016/679, the restricted panel may order
p.(None): that the person in charge or the subcontractor concerned informs each of the persons concerned, at his own expense, of the violation of the provisions of the
p.(None): this law or the aforementioned regulation as well as, if applicable, the measure pronounced. "
p.(None): V. - Article 48 of the same law is replaced by the following provisions:
p.(None): "Art. 48. - When a certification body or a body responsible for compliance with a code of conduct has failed to fulfill its obligations or has failed to comply with the
p.(None): provisions of Regulation (EU) 2016/679 or of this law, the president of the National Commission for Data Protection may, where appropriate
p.(None): after formal notice, refer to the restricted panel of the Commission which may pronounce, under the same conditions as those provided for in articles 45 to 47,
p.(None): withdrawal of the license issued to them. "
p.(None): Chapter II
p.(None): Provisions relating to certain categories of data
p.(None): Article 7
p.(None): Article 8 of the same law is amended as follows:
p.(None): 1 ° I is worded as follows:
p.(None): "I. - It is prohibited to process personal data, which reveals alleged racial or ethnic origin, political opinions,
p.(None): religious or philosophical beliefs or union membership or to process genetic data, biometric data for the purpose of identifying a
p.(None): uniquely natural person, data concerning health or data concerning a person's sexual life or sexual orientation
p.(None): physical. ";
p.(None): 2 ° In 7 ° of II, the words: “and under the conditions provided for in article 25 of this law” are deleted;
p.(None): 3 ° 8 ° of II is replaced by the following provisions: "8 ° Treatments containing data relating to health justified in the public interest and
p.(None): in accordance with the provisions of Chapter IX. ";
p.(None): 4 ° After 8 ° of II, a 9 ° is inserted as follows:
p.(None): "9 ° The processing implemented by employers or administrations which relate to biometric data necessary for access control to
p.(None): workplaces as well as the devices and applications used in the context of missions entrusted to employees or agents. ";
p.(None): 5 ° In III, the first sentence is replaced by the following sentence:
p.(None): "The personal data mentioned in I, which are called upon to be subject to short notice, are also not subject to the prohibition provided for in I
p.(None): an anonymization process previously recognized in accordance with the provisions of this law by the National Commission for Data Protection.
p.(None): "
p.(None): And the second sentence is deleted;
p.(None): 6 ° The IV is replaced by the following provisions:
p.(None): "IV. - Likewise, processing operations, automated or not, that are justified by the public interest and authorized under the conditions are not subject to the prohibition provided for in I
p.(None): provided for in II of Article 26. "
p.(None): TITLE II
p.(None): LEVELS OF OPERATION PERMITTED BY REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 ON
p.(None): THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND FREE
p.(None): CIRCULATION OF THIS DATA, AND REPEALING DIRECTIVE 95/46 / EC
p.(None): Chapter I
p.(None): Territorial scope of the provisions
p.(None): supplementing Regulation (EU) 2016/679
p.(None): Article 8
p.(None): After article 5 of the same law, an article 5-1 is inserted as follows:
p.(None): "Art. 5-1 - National rules, taken on the basis of the provisions of Regulation (EU) 2016/679 referring to national law the task of adapting or
p.(None): complete the rights and obligations provided for by these regulations, apply when the person concerned resides in France, including when the person responsible
p.(None): treatment is not established in France.
p.(None): “However, when one of the treatments mentioned in paragraph 2 of article 85 of the same regulation is in question, the national rules mentioned in the first paragraph
p.(None): are those to which the controller is responsible, when he is established in the European Union. "
p.(None): Chapter II
p.(None): Provisions relating to the simplification of prior formalities
p.(None): to the implementation of treatments
p.(None): Article 9
p.(None): I. - Article 22 of the same law is replaced by the following provisions:
p.(None): "Art. 22. - A decree in the Council of State, taken after reasoned and published opinion of the National Commission for Information Technology and Liberties determines the categories of
p.(None): data controllers and the purposes of these treatments in view of which they can be implemented when they relate to data
p.(None): with the registration number of persons in the national directory of identi fi cation of natural persons. The processing takes place
p.(None): without prejudice to the obligations of controllers or processors under section 3 of chapter IV of the regulation (EU)
p.(None): 2016/679.
p.(None): "The processing of personal data, including the number, is not subject to the provisions of the first paragraph.
p.(None): registration of persons in the national directory of identification of natural persons or who require a consultation of this directory:
p.(None): "1 ° Which have exclusively the purposes of official statistics, implemented by the public statistical service and do not include any of the data
p.(None): mentioned in I of article 8 or in article 9;
p.(None): “2 ° which have exclusively scientific or historical research purposes;
p.(None): "3 ° Who make available to users of the administration one or more electronic administration teleservices defined in article 1 of the order
p.(None): n ° 2005-1516 of December 8, 2005 relating to the electronic exchanges between the users and the administrative authorities and between the administrative authorities,
p.(None): implemented by the State or a legal person under public law or a legal person under private law managing a public service.
...
p.(None): of a legal obligation which requires the processing of this data or necessary for the exercise of a public interest mission vested in the responsible of
p.(None): treatment. "
p.(None): Chapter V
p.(None): Remedies
p.(None): Article 16
p.(None): After article 43 ter of the same law, article 43 quater is inserted as follows:
p.(None): "Art. 43c. - The person concerned may mandate an association or an organization mentioned in IV of article 43b in order to exercise on his behalf
p.(None): the rights referred to in Articles 77 to 79 of Regulation (EU) 2016/679. It can also mandate them to act before the National Commission for Information Technology and
p.(None): freedoms, against this before a judge or against the controller or the processor before a court when a processing is involved
p.(None): falling under Chapter XIII. "
p.(None): Article 17
p.(None): Section 2 of Chapter V of the same law is supplemented by an article 43d as follows:
p.(None): "Art. 43d. - In the event that, when entering a complaint directed against a controller or a processor, the National Commission for
p.(None): IT and liberties believes that the complaints made relating to the protection of the rights and freedoms of a person with regard to the processing of their data are founded
p.(None): personal, or generally to ensure the protection of these rights and freedoms as part of its mission, it may request the Council
p.(None): to order the suspension or the cessation of the transfer of data in question, if necessary under penalty, and then attaches its conclusions to a request
p.(None): for a preliminary ruling to the Court of Justice of the European Union in order to assess the validity of the adequacy decision of the European Commission
p.(None): taken on the basis of Article 45 of Regulation (EU) 2016/679 and of all acts taken by the European Commission authorizing or approving
p.(None): appropriate guarantees in the context of data transfers taken on the basis of article 46 of the same regulation. When the data transfer in
p.(None): cause does not constitute a processing operation carried out by a court in the exercise of its jurisdictional function, the National Commission for
p.(None): IT and civil liberties can apply to the Council of State under the same conditions to obtain the suspension of data transfer based on a decision
p.(None): of adequacy of the European Commission taken on the basis of Article 36 of Directive (EU) 2016/680 pending the Court's assessment of
p.(None): justice of the European Union of the validity of this adequacy decision. "
p.(None): TITLE III
p.(None): PROVISIONS PROVIDING FOR DIRECTIVE (EU) 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016
p.(None): RELATING TO THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA BY
p.(None): COMPETENT AUTHORITIES FOR THE PREVENTION AND DETECTION OF CRIMINAL OFFENSES, INVESTIGATIONS AND PROCEEDINGS
p.(None): THE MATERIAL OR EXECUTION OF CRIMINAL PENALTIES, AND THE FREE MOVEMENT OF SUCH DATA
p.(None): Article 18
p.(None): I. - In the penultimate paragraph of article 32 of the same law, the words: "or having as its object the execution of criminal convictions or security measures" are
p.(None): replaced by the words: ", without prejudice to the application of the provisions of Chapter XIII".
p.(None): II. - The last paragraph of article 32 is deleted.
p.(None): III. - In article 41 of the same law, after the words: "public security" are inserted the words: ", subject to the application of the provisions of chapter XIII,
p.(None): "
p.(None): IV. - In article 42 of the same law, the words: "prevent, investigate or find infringements, or of" are deleted.
p.(None): Article 19
p.(None): Chapter XIII of the same law becomes Chapter XIV and, after article 70, the following provisions are inserted:
p.(None): "Chapter XIII
p.(None): “Provisions applicable to processing operations covered by Directive (EU) 2016/680 of April 27, 2016
p.(None): "Section 1
p.(None): " General provisions
p.(None): "Art. 70-1. - The provisions of this chapter apply, where applicable by way of derogation from the other provisions of this law, to the processing of
p.(None): personal data used:
...
p.(None): "Art. 70-4. - If the processing is likely to create a high risk for the rights and freedoms of natural persons, in particular because it relates to
p.(None): of the data mentioned in I of Article 8, the controller performs an impact analysis relating to the protection of personal data
p.(None): staff.
p.(None): "If the processing is carried out on behalf of the State, this impact assessment is sent to the National Commission for Data Protection with
p.(None): the request for an opinion provided for in Article 30.
p.(None): "In other cases, the controller or the processor consults the National Commission for Data Protection before the
p.(None): processing of personal data:
p.(None): "1 ° Or when the data protection impact analysis indicates that the processing would present a high risk if the controller does not
p.(None): was not taking steps to mitigate the risk;
p.(None): "2. Either when the type of treatment, in particular due to the use of new mechanisms, technologies or procedures, presents high risks
p.(None): for the freedoms and rights of the persons concerned.
p.(None): "Art. 70-5. - Personal data collected by the competent authorities for the purposes set out in 1 ° of article 70-1, cannot be
p.(None): processed for other purposes, unless such processing is authorized by laws or regulations, or by Union law
p.(None): European. When personal data is processed for such other purposes, Regulation (EU) 2016/679 applies, unless the processing
p.(None): is carried out in the context of an activity outside the scope of European Union law.
p.(None): "Processing by a processor is governed by a contract or other legal act, which binds the processor to the controller, defines the purpose and
p.(None): the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the
p.(None): obligations and rights of the controller, and which provides that the processor only acts on the instructions of the controller. The content of this
p.(None): contract or legal act is specified by decree in Council of State taken after opinion of the National Commission of data processing and freedoms.
p.(None): "Section 2
p.(None): "Obligations incumbent on the competent authorities and the controllers
p.(None): "Art. 70-11. - The competent authorities take all reasonable measures to ensure that personal data which is inaccurate,
p.(None): incomplete or out of date are erased or rectified without delay or are not transmitted or made available. To this end, each authority
p.(None): competent checks, as far as possible, the quality of personal data before their transmission or making available.
p.(None): "As far as possible, when transmitting personal data, are added necessary information allowing the authority
p.(None): competent recipient to judge the accuracy, completeness, and reliability of the personal data, and their level of updating.
p.(None): "If it turns out that inaccurate personal data has been transmitted or that personal data has been transmitted in a
p.(None): illicit, the recipient is informed without delay. In this case, personal data is rectified or erased or their processing is limited
p.(None): in accordance with article 70-20.
...
p.(None): cut.
p.(None): "The provisions of paragraphs 5 and 7 of article 37, paragraphs 1 and 2 of article 38 and paragraph 1 of article 39 of Regulation (EU) 2016/679, in
p.(None): what they relate to the controller, are applicable to the processing of personal data covered by this chapter.
p.(None): "Section 3
p.(None): "Rights of the data subject
p.(None): "Art. 70-18. - I. - The controller makes the following information available to the data subject:
p.(None): “1 ° The identity and contact details of the controller, and if applicable, those of his representative;
p.(None): “2 ° If necessary, the contact details of the data protection officer;
p.(None): “3 ° The purposes pursued by the processing for which the data is intended;
p.(None): "4 ° The right to lodge a complaint with the National Commission for Data Protection and the contact details of the commission;
p.(None): "5 ° The existence of the right to request the controller to access personal data, their rectification or their erasure, and the
p.(None): limitation of the processing of personal data relating to a data subject.
p.(None): "II. - In addition to the information referred to in I, the controller provides the data subject, in special cases, with the information
p.(None): following to enable him to exercise his rights:
p.(None): “1 ° The legal basis for the processing;
p.(None): “2 ° The period of storage of personal data or, when this is not possible, the criteria used to determine this period;
p.(None): "3 ° Where applicable, the categories of recipients of personal data, including in States which are not members of the European Union or in
p.(None): within international organizations;
p.(None): “4 ° If necessary, additional information, in particular when personal data is collected without the knowledge of the person concerned.
p.(None): "Art. 70-19. - The data subject has the right to obtain confirmation from the controller that personal data concerning him
p.(None): are or are not processed and, when they are, access to said data as well as the following information:
p.(None): “1 ° The purposes of the processing and its legal basis;
p.(None): “2 ° The categories of personal data concerned;
p.(None): "3 ° The recipients or categories of recipients to whom the personal data have been communicated, in particular the recipients who are
p.(None): established in non-member states of the European Union or international organizations;
p.(None): "4 ° When possible, the envisaged period of retention of personal data or, when this is not possible, the criteria used
p.(None): to determine this duration;
p.(None): "5 ° The existence of the right to ask the data controller for the rectification or erasure of personal data, or the limitation of
p.(None): processing of this data;
p.(None): "6 ° The right to lodge a complaint with the National Commission for Data Protection and the contact details of the commission;
p.(None): "7 ° Communication of personal data being processed, as well as any available information as to their source.
p.(None): "Art. 70-20. - I. - The data subject has the right to obtain from the controller:
p.(None): “1 ° That personal data concerning him that are inaccurate be rectified as soon as possible;
p.(None): “2 ° That incomplete personal data concerning it be completed, including by providing a complementary declaration for this purpose;
p.(None): "3 ° That personal data concerning him be erased as soon as possible when the processing is carried out in violation of the provisions
p.(None): of this law or when this data must be erased in order to comply with a legal obligation to which the controller is subject.
p.(None): "II. - When the interested party requests it, the controller must justify that he has carried out the operations required under I.
p.(None): "III. - Instead of erasing, the controller limits the processing when:
p.(None): "1 ° Either the accuracy of the personal data is disputed by the data subject and it cannot be determined whether the data is accurate or not
p.(None): ;
p.(None): “2 ° Either personal data must be kept for probative purposes.
...
p.(None): concerned with the possibility of exercising his rights through the National Commission for Data Protection and to file an appeal
p.(None): jurisdictional.
p.(None): "Art. 70-22. - In case of restriction of the rights of the data subject intervened in application of II or III of article 70-21, the data subject may
p.(None): refer to the National Commission for Data Protection.
p.(None): "The provisions of the second and third paragraphs of article 41 then apply.
p.(None): "When the commission informs the person concerned that the necessary verifications have been made, it also informs him of his right to form a
p.(None): jurisdictional appeal.
p.(None): "Art. 70-23. - No payment is required to take the measures and provide the information referred to in articles 70-18 to 70-20, unless requested
p.(None): manifestly unfounded or abusive.
p.(None): “In this case, the controller may also refuse to comply with the request.
p.(None): "In the event of a dispute, the burden of proving the manifestly unfounded or abusive nature of the requests lies with the data controller
p.(None): from which they are addressed.
p.(None): "Art 70-24. - The provisions of this sub-section do not apply when the personal data appear either in a decision
p.(None): or in a judicial file which is the subject of processing during criminal proceedings. In these cases, access to this data can only be done
p.(None): under the conditions provided for by the Code of Criminal Procedure.
p.(None): "Section 4
p.(None): “Transfers of personal data to non-member states
p.(None): "To the European Union or to recipients established in non-member states
p.(None): " of the European Union
p.(None): "Art. 70-25. - The person responsible for processing personal data cannot transfer data or authorize the transfer of data already
p.(None): transmitted to a State outside the European Union only when the following conditions are met:
p.(None): "1 ° The transfer of this data is necessary for one of the purposes set out in 1 ° of article 70-1;
p.(None): "2 ° Personal data is transferred to a person responsible in that third State or to an international organization which is an authority
p.(None): competent responsible in this State for purposes falling under 1 ° of article 70-1 in France;
p.(None): "3 ° If the personal data come from another State, the State which transmitted these data has previously authorized this transfer in accordance with
p.(None): national law.
p.(None): "However, if prior authorization cannot be obtained in good time, this personal data may be retransmitted without authorization
p.(None): prior notice from the State which transmitted the data when this retransmission is necessary to prevent a serious and immediate threat to security
p.(None): of another State or for the protection of the essential interests of France. The authority from which this personal data originated is informed without
p.(None): delay.
p.(None): "4 ° At least one of the following three conditions is met:
p.(None): “(A) The committee adopted an adequacy decision in accordance with article 36 of Directive (EU) 2016/680 of the Parliament and of the Council of 27 April 2016;
p.(None): "(B) In the absence of such an adequacy decision, appropriate safeguards with regard to the protection of personal data are provided
p.(None): in a legally binding instrument; these appropriate guarantees may either result from the data protection guarantees mentioned
p.(None): in the conventions implemented with this third State, either result from legally binding provisions required on the occasion of the exchange of
p.(None): data;
p.(None): "C) In the absence of such a decision on adequacy and appropriate guarantees as provided for in b, the controller has evaluated all
p.(None): circumstances of the transfer and considers that there are appropriate guarantees with regard to the protection of personal data;
p.(None): "When the controller of personal data transfers personal data on the sole basis of the existence of
p.(None): appropriate safeguards with regard to the protection of personal data, other than a jurisdiction carrying out processing activity in the context
p.(None): of its jurisdictional activities, it advises the National Commission for Information Technology and Freedoms of the categories of transfers falling under this basis.
p.(None): "In this case, the data controller must keep track of the date and time of the transfer, information on the competent authority
p.(None): recipient, and the justification for the transfer and the personal data transferred. This documentation is made available to the authority of
p.(None): control, at his request.
p.(None): "When the commission has repealed, modified or suspended an adequacy decision adopted in application of article 36 of the abovementioned directive, the person responsible
p.(None): processing of personal data may nevertheless transfer personal data or authorize the transfer of data already transmitted to
p.(None): a State which does not belong to the European Union if appropriate guarantees with regard to the protection of personal data are provided
p.(None): in a legally binding instrument or if it considers after having assessed all the circumstances of the transfer that there are appropriate guarantees
p.(None): protection of personal data.
p.(None): "Art. 70-26. - Notwithstanding the provisions of the previous article, the person responsible for processing personal data cannot, in the absence of
p.(None): decision on adequacy or appropriate guarantees, transfer this data or authorize the transfer of data already transmitted to a State not belonging to
p.(None): the European Union only when the transfer is necessary:
p.(None): "1 ° Safeguarding the vital interests of the person concerned or of another person;
p.(None): "2 ° Safeguarding the legitimate interests of the person concerned when French law so provides;
p.(None): "3 ° To prevent a serious and immediate threat to the public security of a Member State of the European Union or of a third country;
p.(None): "4 ° In special cases, for one of the purposes set out in 1 ° of article 70-1;
p.(None): "5 ° In a particular case, the establishment, exercise or defense of legal claims in connection with the same ends.
p.(None): "In the cases referred to in 4 ° and 5 °, the controller of personal data does not transfer this data if he considers that the freedoms and
p.(None): fundamental rights of the data subject outweigh the public interest in the context of the proposed transfer.
p.(None): "When a transfer is made in order to safeguard the legitimate interests of the data subject, the controller keeps track of the date
p.(None): and the time of the transfer, information on the competent authority to which it was sent, and the justification for the transfer and the personal data transferred. he
p.(None): makes this information available to the National Commission for Data Protection, at its request.
p.(None): "Art. 70-27. - Any competent public authority mentioned in 2 ° of article 70-1 may, in certain special cases, transfer data of a personal nature.
p.(None): personnel directly to recipients established in a State not belonging to the European Union, when the other provisions of this law
p.(None): applicable to the treatments falling under article 70-1 are respected and that the following conditions are met:
p.(None): "1 ° The transfer is necessary for the performance of the mission of the competent authority which transfers this data for one of the purposes set out in article 70-1;
p.(None): "2 ° The competent authority which transfers these data establishes that there are no fundamental rights or freedoms of the data subject which prevail over
p.(None): the public interest requiring the transfer in the case under consideration;
p.(None): "3 ° The competent authority which transfers this data considers that the transfer to the competent authority of the other State is ine ffi cient or inappropriate, in particular
p.(None): because the transfer cannot be made in a timely manner;
p.(None): "4 ° The competent authority of the other State shall be informed as soon as possible, unless it is ineffective or inappropriate;
p.(None): "5 ° The competent authority which transfers this data shall inform the recipient of the specific purpose or purposes for which the personal data
p.(None): transmitted personnel must only be subject to processing by this recipient, provided that such processing is necessary;
p.(None): "The competent authority which transfers data informs the National Commission for Data Protection and Freedoms of transfers under this article.
...
p.(None): mention in the bulletin n ° 2 of his criminal record. In the event of an acquittal or acquittal decision, the personal data concerning the persons put
p.(None): in question are erased, unless the public prosecutor prescribes their maintenance, in which case it is the subject of a mention. When the public prosecutor
p.(None): République prescribes the maintenance of personal data relating to a person who has bene fi ted from an acquittal or acquittal, he notifies the
p.(None): concerned person. The decisions of dismissal or classification without continuation, are the subject of a mention, unless the public prosecutor orders
p.(None): erasure of personal data. When a decision is mentioned, the data relating to the person concerned cannot be the subject
p.(None): a consultation in the context of the administrative inquiries provided for in Articles L. 114-1, L. 234-1 to L. 234-3 of the Internal Security Code and in Article 17-
p.(None): 1 of the law n ° 95-73 of January 21, 1995 of orientation and programming relating to security. The decisions of the public prosecutor provided for in this
p.(None): paragraph ordering the maintenance or erasure of personal data or ordering that they be the subject of a mention are taken for reasons related to the
p.(None): purpose of the file with regard to the nature or circumstances of the commission of the offense or the personality of the person concerned. ";
p.(None): 2 ° In the third paragraph, the words: “in matters of erasure or rectification of personal data” are deleted.
p.(None): II. - The first paragraph of article 804 of the same code is worded as follows:
p.(None): "This code is applicable, in its drafting resulting from law n ° xxx of the xxx of adaptation to the law of the European Union of law n ° 78-17 of January 6, 1978
p.(None): relating to computers, files and freedoms, in New Caledonia, French Polynesia and the Wallis and Futuna Islands, subject to
p.(None): adaptations provided for in this title and with the only exceptions: ".
p.(None): Article 24
p.(None): Titles I to III, and articles 21 and 22 of this law come into force from May 25, 2018.
p.(None): However, the provisions of article 70-15 of the law n ° 78-17 of January 6, 1978 relating to data processing, the files and freedoms in their drafting resulting
p.(None): of article 19 of this law and relating to the obligation to journal may come into force at a later date which may not exceed May 6, 2023
p.(None): when such an obligation would require disproportionate e ff orts, and could not exceed May 6, 2026 when, failing such a postponement, it would result in serious
p.(None): di ffi culties for the operation of the automated processing system. The list of processing operations concerned by these postponements and the dates on which, for these
p.(None): processing, the entry into force of this obligation will be postponed will be determined by regulation.
p.(None): Top of the page
p.(None): About the French legal system Licenses What's new on the site?
...
Social / Youth/Minors
Searching for indicator minor:
(return to top)
p.(None): "However, this information may not be provided if the person concerned has intended to make use of the right granted to him by article L. 1111-2 of
p.(None): health code to be left in the dark about a diagnosis or prognosis.
p.(None): "Art. 59. - The recipients of the information and exercise the rights of the data subject are the holders of parental authority,
p.(None): for minors, or the person charged with a mission of representation within the framework of a guardianship, a family empowerment or a protection mandate
p.(None): future, for protected adults whose condition does not allow them to make an informed personal decision alone.
p.(None): "By way of derogation from the first paragraph of this article, for the processing of personal data carried out in the context of the research mentioned
p.(None): in 2 ° and 3 ° of article L. 1121-1 of the public health code or of studies or evaluations in the health field, having a public interest purpose and
p.(None): including minors, information can be obtained from only one of the holders of parental authority, if it is impossible to inform
p.(None): the other holder, or if he cannot be consulted within a timeframe compatible with the methodological requirements specific to carrying out the research, study
p.(None): or evaluation with regard to its finalities. This paragraph does not preclude the subsequent exercise by each holder of the exercise of parental authority,
p.(None): of the rights mentioned in the first paragraph.
p.(None): "For these treatments, the minor aged fifteen or more may object to the holders of parental authority having access to the data on
p.(None): concerning collected during research, study or evaluation. The minor then receives the information and exercises his rights alone.
p.(None): “For these same treatments, minors aged fifteen or over may object to holders of parental authority being informed of the
p.(None): data processing if the fact of participating in it leads to revealing information on a preventive action, screening, diagnosis, treatment or
p.(None): intervention for which the minor expressly objected to consulting the holders of parental authority in application of Articles L. 1111-5 and L.
p.(None): 1111-5-1 of the public health code or if the family ties are broken and the minor bene fi ts personally from the reimbursement of benefits in
p.(None): nature of health and maternity insurance and of the additional cover set up by law n ° 99-641 of July 27, 1999 creating a
p.(None): Universal health coverage. He then exercises his rights alone.
p.(None): "Art. 60. - Information relating to the provisions of this chapter must in particular be provided in any establishment or center where
p.(None): prevention, diagnosis and care activities giving rise to the transmission of personal data with a view to the treatment referred to in this
p.(None): chapter.
p.(None): "Section 2
p.(None): "Special provisions for processing for research and study purposes
p.(None): "Or health assessment.
p.(None): "Art. 61. - Automated processing of personal data the purpose of which is or becomes research or studies in the health field
p.(None): as well as the evaluation or analysis of care or prevention practices or activities are subject to the provisions of section 1 of this chapter, under
p.(None): reserve those of this section.
p.(None): "Art. 62. - Reference methodologies are approved and published by the National Commission for Data Protection. They are established in
p.(None): consultation with the National Institute for Health Data mentioned in Article L. 1462-1 of the Public Health Code and public and private organizations
p.(None): representative of the actors concerned.
p.(None): "When the processing conforms to a reference methodology, it can be implemented without the authorization mentioned in article 54, provided that
p.(None): its manager shall send the National Informatics Commission a declaration attesting to this compliance.
p.(None): "Art. 63. - Authorization for processing is granted by the National Commission for Data Protection under the conditions defined in article 54 and
...
Social / employees
Searching for indicator employees:
(return to top)
p.(None): after formal notice, refer to the restricted panel of the Commission which may pronounce, under the same conditions as those provided for in articles 45 to 47,
p.(None): withdrawal of the license issued to them. "
p.(None): Chapter II
p.(None): Provisions relating to certain categories of data
p.(None): Article 7
p.(None): Article 8 of the same law is amended as follows:
p.(None): 1 ° I is worded as follows:
p.(None): "I. - It is prohibited to process personal data, which reveals alleged racial or ethnic origin, political opinions,
p.(None): religious or philosophical beliefs or union membership or to process genetic data, biometric data for the purpose of identifying a
p.(None): uniquely natural person, data concerning health or data concerning a person's sexual life or sexual orientation
p.(None): physical. ";
p.(None): 2 ° In 7 ° of II, the words: “and under the conditions provided for in article 25 of this law” are deleted;
p.(None): 3 ° 8 ° of II is replaced by the following provisions: "8 ° Treatments containing data relating to health justified in the public interest and
p.(None): in accordance with the provisions of Chapter IX. ";
p.(None): 4 ° After 8 ° of II, a 9 ° is inserted as follows:
p.(None): "9 ° The processing implemented by employers or administrations which relate to biometric data necessary for access control to
p.(None): workplaces as well as the devices and applications used in the context of missions entrusted to employees or agents. ";
p.(None): 5 ° In III, the first sentence is replaced by the following sentence:
p.(None): "The personal data mentioned in I, which are called upon to be subject to short notice, are also not subject to the prohibition provided for in I
p.(None): an anonymization process previously recognized in accordance with the provisions of this law by the National Commission for Data Protection.
p.(None): "
p.(None): And the second sentence is deleted;
p.(None): 6 ° The IV is replaced by the following provisions:
p.(None): "IV. - Likewise, processing operations, automated or not, that are justified by the public interest and authorized under the conditions are not subject to the prohibition provided for in I
p.(None): provided for in II of Article 26. "
p.(None): TITLE II
p.(None): LEVELS OF OPERATION PERMITTED BY REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 ON
p.(None): THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND FREE
p.(None): CIRCULATION OF THIS DATA, AND REPEALING DIRECTIVE 95/46 / EC
p.(None): Chapter I
p.(None): Territorial scope of the provisions
p.(None): supplementing Regulation (EU) 2016/679
p.(None): Article 8
p.(None): After article 5 of the same law, an article 5-1 is inserted as follows:
p.(None): "Art. 5-1 - National rules, taken on the basis of the provisions of Regulation (EU) 2016/679 referring to national law the task of adapting or
p.(None): complete the rights and obligations provided for by these regulations, apply when the person concerned resides in France, including when the person responsible
p.(None): treatment is not established in France.
...
Social / philosophical differences/differences of opinion
Searching for indicator opinion:
(return to top)
p.(None): controllers and their processors. It encourages the development of codes of conduct defining the obligations incumbent on those responsible
p.(None): of the processing and the subcontractors, taking into account the risk inherent in the processing of personal data for the rights and freedoms of individuals
p.(None): physical; it approves and publishes the reference methodologies mentioned in IV of Article 54, intended to promote compliance in the processing of
p.(None): personal health data ';
p.(None): 5 ° The b of 2 ° is replaced by the following provisions:
p.(None): "(B) It establishes and publishes standard regulations with a view to ensuring the security of personal data processing systems and governing
p.(None): processing of health data falling under Chapter IX. As such, except for processing carried out on behalf of the State, acting in the exercise of
p.(None): its prerogatives of public power, it can prescribe additional technical and organizational measures for data processing
p.(None): biometric, genetic and health in accordance with Article 9.4 of Regulation (EU) 2016/679 and additional guarantees regarding the processing of
p.(None): offense data in accordance with article 10 of the same regulation. ";
p.(None): 6 ° After the f of 2 °, a f bis is inserted as follows:
p.(None): "Fa) It may decide to certify persons, products, data systems or procedures in order to recognize that they comply with the
p.(None): Regulation (EU) 2016/679 and this law. It approves, for the same purposes, certifying bodies, on the basis, where appropriate, of their accreditation by
p.(None): the national accreditation body, mentioned in article 43 (1) b of the regulations, under conditions specified by decree in Council of State taken after opinion of the
p.(None): National Commission for Data Protection. The committee draws up or approves the criteria for the certification and accreditation standards. She can
p.(None): establish additional requirements to accreditation standards. ";
p.(None): 7 ° In g of 2 °, after the word: “certification” are inserted the words: “, by approved or accredited third parties according to the terms mentioned in fa,”;
p.(None): 8 ° At the hour of 2 °, the words: “of access concerning the treatments mentioned in articles 41 and 42” are replaced by the words: “of exercise of the rights provided
p.(None): Articles 41, 42 and 70-22 ”;
p.(None): 9 ° After the h of 2 °, an i is inserted as follows:
p.(None): "I) It may establish a list of treatments likely to create a high risk which must be subject to prior consultation in accordance with article 70-4
p.(None): ";
p.(None): 10 ° In a of 4 °, after the first sentence, a sentence worded as follows is inserted:
p.(None): "It can also be consulted by the President of the National Assembly or by the President of the Senate on any draft law relating to protection
p.(None): personal data or the processing of such data. ";
p.(None): 11 ° After the f of 4 °, a paragraph worded as follows is inserted:
p.(None): "5 ° It may submit observations before any court in the event of a dispute relating to the application of Regulation (EU) 2016/679 and this law";
p.(None): 12 ° At the beginning of the twenty-sixth paragraph, the reference is inserted: “II. - ".
p.(None): Article 2
p.(None): In 7 ° of I of article 13 of the same law, after the word: "digital" are inserted the words: "or questions relating to individual freedoms".
p.(None): Article 3
...
p.(None): members and agents mentioned in the first paragraph of I may request communication of any document, whatever the medium, and take a copy. They
p.(None): may collect, in particular on the spot or on convocation, any useful information and justi fi cation. They can access, in conditions preserving
p.(None): con fi dentiality with regard to third parties, to computer programs and data, as well as to request transcription by any appropriate processing in
p.(None): documents directly usable for the purposes of control. Secrecy cannot be opposed to them except concerning the information covered by the secret
p.(None): professional applicable to relations between a lawyer and his client, by the secrecy of the sources of journalistic processing or, subject to the provisions
p.(None): of the following paragraph, by medical confidentiality.
p.(None): "Medical secrecy is opposable with regard to the information which figures in a treatment necessary for the purposes of preventive medicine, research
p.(None): medical, medical diagnosis, administration of care or treatment, or management of health service. However the communication of
p.(None): individual medical data included in this category of treatment can be done under the authority and in the presence of a doctor. ";
p.(None): 4 ° After the fourth paragraph of III, a paragraph is inserted as follows:
p.(None): "For the control of online public communication services, the members and agents mentioned in the first paragraph of I can carry out any operation
p.(None): necessary for their mission under a borrowed identity. The use of an assumed identity does not affect the regularity of the findings made
p.(None): in accordance with the previous paragraph. A decree in Council of State taken after opinion of the National Commission of data processing and liberties specifies the conditions
p.(None): in which they proceed in their cases to their findings. ";
p.(None): 5 ° The following paragraph is added:
p.(None): "V. - In the exercise of its supervisory power relating to processing under Regulation (EU) 2016/679 and this law, the National Commission
p.(None): of data processing and freedoms is not competent to control the processing operations carried out, in the exercise of their jurisdictional function, by
p.(None): the courts. "
p.(None): Article 5
p.(None): I. - Article 49 of the same law is replaced by the following provisions:
p.(None): "Art. 49. - Under the conditions provided for in Articles 60 to 67, of Regulation (EU) 2016/679, the National Commission for Data Protection sets out
p.(None): implements procedures of cooperation and mutual assistance with the supervisory authorities of the other Member States of the European Union, and carries out with
p.(None): them joint operations.
p.(None): "The commission, the president, the bureau, the restricted formation and the agents of the commission implement, each as far as they are concerned, the
p.(None): procedures referred to in the previous paragraph. "
p.(None): II. - After article 49, articles 49-1, 49-2, 49-3 and 49-4 are inserted as follows:
p.(None): "Art. 49-1. - I. - The National Data Protection Commission cooperates with the supervisory authorities of the other Member States of the Union
...
p.(None): "The commission shall give the reasons for any refusal to satisfy a request when it considers that it is not competent or when it considers that satisfying the
p.(None): request would constitute a violation of European Union law, or French law.
p.(None): "Art. 49-3. - When the commission acts as the lead supervisory authority for cross-border processing within the European Union, it
p.(None): communicate the report of the rapporteur member, as well as all the relevant information from the procedure used to draw up the report, to the other authorities
p.(None): control concerned without delay and before the possible hearing of the data controller or the processor. The authorities concerned are put in
p.(None): able to attend the hearing through the limited training of the controller or processor by any appropriate means of retransmission, or
p.(None): take note of the minutes drawn up following the hearing.
p.(None): "After having deliberated on it, the restricted panel submits its draft decision to the other authorities concerned in accordance with the procedure defined in article
p.(None): 60 of Regulation (EU) 2016/679. As such, it decides on the taking into account of the relevant and reasoned objections raised by the authorities concerned and
p.(None): seizes, if it decides to reject one of the objections, the European Data Protection Board in accordance with Article 65 of the regulation.
p.(None): "The conditions for the application of this article are defined by a decree in Council of State, after opinion of the National Commission for Information Technology and
p.(None): freedoms.
p.(None): "Art. 49-4. - When the committee acts as the authority concerned, within the meaning of Regulation (EU) 2016/679, the chairman of the committee is seized of the projects
p.(None): corrective measures submitted to the commission by another lead authority.
p.(None): "When these measures have an equivalent object to those defined in I and III of article 45, the president decides, if necessary, to raise a relevant objection
p.(None): and motivated according to the terms provided for in article 60 of these regulations.
p.(None): "When these measures are of equivalent purpose to those defined in II of article 45 and in article 46, the president seizes the restricted formation. The President of the
p.(None): restricted party or the member of the restricted party it designates may, if applicable, raise a relevant and reasoned objection using the same
p.(None): modalities. "
p.(None): Article 6
p.(None): I. - The title of chapter VII of the same law is deleted and replaced by the following title:
p.(None): "Measures and sanctions taken by the restricted formation of the National Commission for Data Protection and Liberties"
p.(None): II. - Article 45 of the same law is replaced by the following provisions:
...
p.(None): is among those mentioned in the same I and II of article 26. The Prime Minister then informs the restricted formation of the consequences it has
p.(None): given to this information no later than fifteen days after receiving it.
p.(None): "II. - In the exceptional circumstances provided for in Article 66 (1) of Regulation (EU) 2016/679, when the restricted formation adopts the measures
p.(None): provisional provided for in 1 ° to 4 ° of I of this article, it shall immediately inform the other supervisory authorities of the content of the measures taken and of their reasons.
p.(None): concerned, the European Data Protection Board and the European Commission.
p.(None): "When the restricted formation has taken such measures and considers that definitive measures must be taken, it shall implement the provisions of the
p.(None): 2 of Article 66 of the Regulation.
p.(None): "III. - For processing operations governed by Chapter XIII, when a competent supervisory authority under Regulation (EU) 2016/679 has not taken action
p.(None): appropriate in a situation where it is urgent to intervene in order to protect the rights and freedoms of the persons concerned, the restricted training, seized by the
p.(None): president of the commission, may ask the european data protection committee for an emergency opinion or a binding emergency decision in
p.(None): the conditions and according to the methods provided for in 3 and 4 of article 66 of this regulation.
p.(None): "IV. - In the event of a serious and immediate infringement of the rights and freedoms mentioned in article 1, the president of the commission may also request, through the
p.(None): referred, to the competent court to order, if necessary under penalty, any measure necessary to safeguard these rights and freedoms. "
p.(None): IV. - Article 47 of the same law is replaced by the following provisions:
p.(None): "Art. 47. - The measures provided for in II of article 45 and in 1 ° to 6 ° of I of article 46 are pronounced on the basis of a report drawn up by one of the members of the
p.(None): National Commission for Data Protection, appointed by its president from among the members not belonging to the restricted group. This
p.(None): report is notified to the data controller or the processor, who can file observations and be represented or assisted. The rapporteur may
p.(None): present oral observations to the restricted panel but does not take part in its deliberations. The restricted panel may hear any person whose
p.(None): the hearing seemed to him likely to contribute usefully to its information, including, at the request of the secretary general, the agents of the services.
p.(None): “Restricted training can make the measures it takes public. It can also order their insertion in publications, newspapers and
p.(None): supports it designates at the expense of sanctioned persons.
...
p.(None): "IV. - Likewise, processing operations, automated or not, that are justified by the public interest and authorized under the conditions are not subject to the prohibition provided for in I
p.(None): provided for in II of Article 26. "
p.(None): TITLE II
p.(None): LEVELS OF OPERATION PERMITTED BY REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 ON
p.(None): THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA AND FREE
p.(None): CIRCULATION OF THIS DATA, AND REPEALING DIRECTIVE 95/46 / EC
p.(None): Chapter I
p.(None): Territorial scope of the provisions
p.(None): supplementing Regulation (EU) 2016/679
p.(None): Article 8
p.(None): After article 5 of the same law, an article 5-1 is inserted as follows:
p.(None): "Art. 5-1 - National rules, taken on the basis of the provisions of Regulation (EU) 2016/679 referring to national law the task of adapting or
p.(None): complete the rights and obligations provided for by these regulations, apply when the person concerned resides in France, including when the person responsible
p.(None): treatment is not established in France.
p.(None): “However, when one of the treatments mentioned in paragraph 2 of article 85 of the same regulation is in question, the national rules mentioned in the first paragraph
p.(None): are those to which the controller is responsible, when he is established in the European Union. "
p.(None): Chapter II
p.(None): Provisions relating to the simplification of prior formalities
p.(None): to the implementation of treatments
p.(None): Article 9
p.(None): I. - Article 22 of the same law is replaced by the following provisions:
p.(None): "Art. 22. - A decree in the Council of State, taken after reasoned and published opinion of the National Commission for Information Technology and Liberties determines the categories of
p.(None): data controllers and the purposes of these treatments in view of which they can be implemented when they relate to data
p.(None): with the registration number of persons in the national directory of identi fi cation of natural persons. The processing takes place
p.(None): without prejudice to the obligations of controllers or processors under section 3 of chapter IV of the regulation (EU)
p.(None): 2016/679.
p.(None): "The processing of personal data, including the number, is not subject to the provisions of the first paragraph.
p.(None): registration of persons in the national directory of identification of natural persons or who require a consultation of this directory:
p.(None): "1 ° Which have exclusively the purposes of official statistics, implemented by the public statistical service and do not include any of the data
p.(None): mentioned in I of article 8 or in article 9;
p.(None): “2 ° which have exclusively scientific or historical research purposes;
p.(None): "3 ° Who make available to users of the administration one or more electronic administration teleservices defined in article 1 of the order
p.(None): n ° 2005-1516 of December 8, 2005 relating to the electronic exchanges between the users and the administrative authorities and between the administrative authorities,
p.(None): implemented by the State or a legal person under public law or a legal person under private law managing a public service.
p.(None): "For the treatments whose purposes are mentioned in 1 ° and 2 °, the registration number in the national directory of identi fi cation of natural persons makes
p.(None): the object beforehand of a cryptographic operation replacing it with a non-significant statistical code. This operation is repeated at a defined frequency
p.(None): by decree in Council of State taken after reasoned and published opinion of the National Commission for Data Protection. Treatments with a finality
p.(None): exclusive to carry out this cryptographic operation are not subject to the provisions of the first paragraph.
p.(None): "For the treatments whose purposes are mentioned in 1 °, the use of the non-significant statistical code is only authorized within the statistical service
p.(None): public.
p.(None): "For processing whose purposes are mentioned in 2 °, the cryptographic operation and, where appropriate, the interconnection of two files by the use of the
p.(None): specific non-significant code which results from it, cannot be ensured by the same person or by the data controller.
p.(None): "With the exception of the processing operations mentioned in the second paragraph of article 55, this article does not apply to the processing of personal data
p.(None): health personnel who are governed by the provisions of Chapter IX. "
p.(None): II. - Article 27 of the same law is amended as follows:
p.(None): 1 ° In 2 ° of I:
p.(None): a) The reference: "2 °" is deleted;
p.(None): b) After the word: "State", are inserted the words: ", acting in the exercise of its prerogatives of public power,";
p.(None): c) After the words: "which bear", the words: "on genetic data or" are inserted;
p.(None): 2 ° 1 ° of I as well as II, III and IV are repealed.
p.(None): III. - Articles 24 and 25 of the same law are repealed.
p.(None): Chapter III
p.(None): Obligations incumbent on data controllers and processors
p.(None): Article 10
p.(None): Article 35 of the same law is supplemented by the following paragraph: "However, within the scope of Regulation (EU) 2016/679, the subcontractor respects the
p.(None): conditions provided for in Chapter IV of these regulations. "
p.(None): Chapter IV
p.(None): Provisions relating to certain specific categories of processing
p.(None): Article 11
...
p.(None): health data with a low risk of impact on privacy.
p.(None): "III. - The processing operations mentioned in the first paragraph of I which do not comply with a standard or a standard regulation mentioned in II cannot be used
p.(None): implemented only after authorization by the National Commission for Data Protection.
p.(None): "The National Institute for Health Data mentioned in Article L. 1462-1 of the Public Health Code may seize or be seized, under defined conditions
p.(None): by decree in Council of State, by the National Commission for Data Protection and the Minister responsible for health on the nature of public interest that
p.(None): presents the treatment.
p.(None): "IV. - The commission may, by a single decision, issue the same applicant with authorization for processing for the same purpose, relating to
p.(None): identical categories of data and having identical categories of recipients.
p.(None): "V. - The National Commission for Information Technology and Freedoms decides within two months of receipt of the request. However, this
p.(None): deadline may be renewed once by reasoned decision of its president or when the National Institute for Health Data is referred to in application of II of
p.(None): this article.
p.(None): "When the committee has not made a decision within these deadlines, the request for authorization is deemed to have been accepted. However, this provision is not
p.(None): applicable if the authorization is subject to prior notice under the provisions of this chapter and the opinion or opinions given are not expressly
p.(None): favorable.
p.(None): "Art. 55. - By way of derogation from article 54, the processing of personal health data implemented by the bodies or departments responsible
p.(None): of a public service mission appearing on a list fixed by decree of the ministers responsible for health and social security, taken after opinion of the
p.(None): National Commission for Information Technology and Liberties, the sole purpose of which is to respond to and manage a health alert in the event of an emergency
p.(None): the consequences, within the meaning of section 1 of chapter III of title I of book IV of the public health code, are subject only to the provisions of section 3 of the
p.(None): Chapter IV of Regulation (EU) 2016/79.
p.(None): "The processing operations mentioned in the first paragraph which use the registration number of persons in the national directory of identification of persons
p.(None): physical are implemented under the conditions provided for in article 22.
p.(None): "The derogations governed by the first paragraph of this article end one year after the creation of the processing if it continues to be implemented.
p.(None): "Art. 56. - Notwithstanding the rules relating to professional secrecy, members of the health professions may transmit to the data controller
p.(None): data authorized pursuant to Article 54 the personal data they hold.
p.(None): "When these data allow the identi fi cation of persons, their transmission must be carried out under conditions likely to guarantee their
p.(None): confidentiality. The National Commission for Information Technology and Liberties can adopt recommendations or standards on the technical procedures to
p.(None): enforce.
p.(None): “When the result of the data processing is made public, the direct or indirect identification of the persons concerned must be impossible.
p.(None): "The persons called upon to implement data processing as well as those who have access to the data to which it relates are subject to the
p.(None): professional secrecy under the penalties provided for in article 226-13 of the penal code.
...
p.(None): of expertise is subject to article L. 1451-1 of the public health code.
p.(None): "The files presented in the context of this section, excluding research involving the human person, are filed with a
p.(None): single secretariat provided by the National Institute for Health Data, which directs them to the competent bodies. "
p.(None): Chapter IV
p.(None): Special provisions relating to the rights of data subjects
p.(None): Article 14
p.(None): Article 10 of the same law is amended as follows:
p.(None): 1 ° In the second paragraph:
p.(None): a) The words: "In addition to the cases mentioned in a and c under 2 of article 22 of regulation 2016/679" are introduced at the beginning of the first sentence;
p.(None): b) The words: "define the profile of the person concerned" are replaced by the word: "anticipate";
p.(None): c) The words: "of his personality" are replaced by the words: "personnel relating to the person concerned, with the exception of administrative decisions
p.(None): taken in compliance with Article L. 311-3-1 and Chapter I of Title I of Book IV of the Code of Public and Administrative Relations, provided
p.(None): that the processing does not relate to data mentioned in I of article 8, ";
p.(None): 2 ° The third paragraph is replaced by the following provisions:
p.(None): "For the administrative decisions mentioned in the previous paragraph, the controller ensures control of the algorithmic processing and its
p.(None): developments ”.
p.(None): Article 15
p.(None): After II of article 40 of the same law the following provisions are inserted:
p.(None): "III. - A decree in Council of State, taken after opinion of the National Commission for Data Protection, sets the list of treatments and categories of
p.(None): processing operations authorized to derogate from the right to communication of a data breach governed by Article 34 of, Regulation (EU) 2016/679 when the notification
p.(None): unauthorized disclosure or access to this data is likely to pose a risk to national security, national defense or the
p.(None): public security. The exemption provided for in this paragraph applies only to the processing of personal data necessary for compliance
p.(None): of a legal obligation which requires the processing of this data or necessary for the exercise of a public interest mission vested in the responsible of
p.(None): treatment. "
p.(None): Chapter V
p.(None): Remedies
p.(None): Article 16
p.(None): After article 43 ter of the same law, article 43 quater is inserted as follows:
p.(None): "Art. 43c. - The person concerned may mandate an association or an organization mentioned in IV of article 43b in order to exercise on his behalf
p.(None): the rights referred to in Articles 77 to 79 of Regulation (EU) 2016/679. It can also mandate them to act before the National Commission for Information Technology and
p.(None): freedoms, against this before a judge or against the controller or the processor before a court when a processing is involved
p.(None): falling under Chapter XIII. "
p.(None): Article 17
p.(None): Section 2 of Chapter V of the same law is supplemented by an article 43d as follows:
p.(None): "Art. 43d. - In the event that, when entering a complaint directed against a controller or a processor, the National Commission for
...
p.(None): "For the application of this chapter, when the concepts used are not defined in chapter 1 of this law, the definitions of article 4 of
p.(None): Regulation (EU) 2016/679 are applicable.
p.(None): "Art. 70-2. - The processing of data mentioned in I of article 8 is possible only in case of absolute necessity, subject to guarantees
p.(None): appropriate for the rights and freedoms of the data subject, and either if it is provided for by a legislative or regulatory act, or if it aims to protect the interests
p.(None): of a natural person, or if it relates to data manifestly made public by the data subject.
p.(None): "Art. 70-3. - If the processing is carried out on behalf of the State for at least one of the purposes provided for in 1 ° of article 70-1, it must be provided by a
p.(None): regulatory act taken in accordance with I of article 26 and articles 28 to 31.
p.(None): "If the processing relates to data mentioned in I of article 8, it is provided for by a regulatory act taken in accordance with II of article 26.
p.(None): "Art. 70-4. - If the processing is likely to create a high risk for the rights and freedoms of natural persons, in particular because it relates to
p.(None): of the data mentioned in I of Article 8, the controller performs an impact analysis relating to the protection of personal data
p.(None): staff.
p.(None): "If the processing is carried out on behalf of the State, this impact assessment is sent to the National Commission for Data Protection with
p.(None): the request for an opinion provided for in Article 30.
p.(None): "In other cases, the controller or the processor consults the National Commission for Data Protection before the
p.(None): processing of personal data:
p.(None): "1 ° Or when the data protection impact analysis indicates that the processing would present a high risk if the controller does not
p.(None): was not taking steps to mitigate the risk;
p.(None): "2. Either when the type of treatment, in particular due to the use of new mechanisms, technologies or procedures, presents high risks
p.(None): for the freedoms and rights of the persons concerned.
p.(None): "Art. 70-5. - Personal data collected by the competent authorities for the purposes set out in 1 ° of article 70-1, cannot be
p.(None): processed for other purposes, unless such processing is authorized by laws or regulations, or by Union law
p.(None): European. When personal data is processed for such other purposes, Regulation (EU) 2016/679 applies, unless the processing
p.(None): is carried out in the context of an activity outside the scope of European Union law.
p.(None): "Processing by a processor is governed by a contract or other legal act, which binds the processor to the controller, defines the purpose and
p.(None): the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the
p.(None): obligations and rights of the controller, and which provides that the processor only acts on the instructions of the controller. The content of this
p.(None): contract or legal act is specified by decree in Council of State taken after opinion of the National Commission of data processing and freedoms.
p.(None): "Section 2
p.(None): "Obligations incumbent on the competent authorities and the controllers
p.(None): "Art. 70-11. - The competent authorities take all reasonable measures to ensure that personal data which is inaccurate,
p.(None): incomplete or out of date are erased or rectified without delay or are not transmitted or made available. To this end, each authority
p.(None): competent checks, as far as possible, the quality of personal data before their transmission or making available.
p.(None): "As far as possible, when transmitting personal data, are added necessary information allowing the authority
p.(None): competent recipient to judge the accuracy, completeness, and reliability of the personal data, and their level of updating.
p.(None): "If it turns out that inaccurate personal data has been transmitted or that personal data has been transmitted in a
p.(None): illicit, the recipient is informed without delay. In this case, personal data is rectified or erased or their processing is limited
p.(None): in accordance with article 70-20.
p.(None): "Art. 70-12. - The data controller establishes as far as possible and where appropriate a clear distinction between the personal data of
p.(None): different categories of data subjects, such as:
p.(None): "1 ° Persons for whom there are serious grounds to believe that they have committed or are about to commit a criminal offense;
p.(None): "2 ° Persons convicted of a criminal offense;
p.(None): "3 ° Victims of a criminal offense or persons in respect of whom certain facts suggest that they could be victims of an offense
...
p.(None): personal character transferred. "
p.(None): TITLE IV
p.(None): AUTHORIZATION TO IMPROVE THE INTELLIGIBILITY OF THE LEGISLATION APPLICABLE TO DATA PROTECTION
p.(None): Article 20
p.(None): I. - Under the conditions provided for in article 38 of the Constitution, the Government is authorized to take by ordinance the measures within the domain
p.(None): of the necessary law:
p.(None): 1 ° On the rewriting of all the law n ° 78-17 of January 6, 1978 relating to data processing, the files and freedoms in order to make the formal corrections and
p.(None): the adaptations necessary for the simpli fi cation and consistency as well as the simplicity of the implementation by the persons concerned of the provisions which
p.(None): bring national law into line with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and transpose the Directive (EU)
p.(None): 2016/680 of the European Parliament and of the Council of April 27, 2016, as resulting from this law;
p.(None): 2 ° To bring all of the legislation applicable to the protection of personal data into line with these changes, provide
p.(None): modifications that would be made necessary to ensure compliance with the hierarchy of standards and the editorial consistency of texts, harmonize the state
p.(None): of the law, remedy any errors and omissions resulting from this law, and repeal the provisions which have become devoid of purpose;
p.(None): 3 ° The adaptation and extensions to the overseas provisions of 1 ° and 2 °, as well as the application in New Caledonia, in Wallis and Futuna in
p.(None): French Polynesia, in Saint-Barthélemy, in Saint-Pierre-et-Miquelon and in the French Southern and Antarctic Lands.
p.(None): II. - This order is taken, after the opinion of the National Commission for Data Protection, within six months of the promulgation
p.(None): of this law.
p.(None): III. - A ratification bill is tabled in Parliament within six months of the publication of the ordinance.
p.(None): TITLE V
p.(None): MISCELLANEOUS AND FINAL PROVISIONS
p.(None): Article 21
p.(None): The law n ° 78-17 of January 6, 1978 relating to data processing and freedoms is thus modified:
p.(None): 1 ° In Article 15, the fourth paragraph is deleted;
p.(None): 2 ° In Article 16, the third paragraph is deleted;
p.(None): 3 ° In Article 29, the word: "25," is deleted;
p.(None): 4 ° In I of article 30, the word: "declarations," and the references to article 25 are deleted;
p.(None): 5 ° In I of article 31, the words: "23 to" are replaced by the words: "26 and" and the words: "or the date of the declaration of this treatment" are deleted;
p.(None): 6 ° In the last paragraph of article 39, the words: "or in the declaration" are deleted;
p.(None): 7 ° In Article 67, the following are deleted:
p.(None): a) In the first paragraph, the words: "22, 1 ° and 3 ° of I of article 25, the articles";
p.(None): b) The fourth paragraph;
p.(None): c) In the fifth paragraph, the words: "In the event of a breach of his duties, the correspondent is relieved of his duties upon request, or after
p.(None): consultation, of the National Commission for Information Technology and Liberties ”;
p.(None): 8 ° In article 70, the first and third paragraphs are deleted and in the second paragraph, the words: "entry of a declaration filed in application of articles
p.(None): 23 or 24 and showing that personal data will be transferred to this State, the National Commission for Data Protection
...
General/Other / Public Emergency
Searching for indicator emergency:
(return to top)
p.(None): "When the restricted panel has pronounced a financial penalty which has become final before the criminal judge has finally ruled on the same facts or
p.(None): related facts, the latter may order that the administrative fine be deducted from the criminal fine which he pronounces.
p.(None): “The financial penalties are recovered like the debts of the State foreign to the tax and the field.
p.(None): "The draft measure is if necessary submitted to the other authorities concerned according to the procedures defined in Article 60 of Regulation (EU) 2016/679.
p.(None): "III. - When the controller or the processor does not comply with the obligations arising from Regulation (EU) 2016/679 or from this law, the
p.(None): President of the National Commission for Information Technology and Freedoms may also issue a formal notice to him within the time limit which he fixes:
p.(None): "1 ° To comply with requests made by the data subject with a view to exercising his rights;
p.(None): “2 ° To bring the processing operations into compliance with the applicable provisions;
p.(None): "3 ° With the exception of processing which concerns state security or defense and those mentioned in article 27, to communicate to the data subject
p.(None): a personal data breach;
p.(None): "4 ° To rectify or delete personal data, or to limit processing.
p.(None): "In the case provided for in 4 °, the president may, under the same conditions, give notice to the data controller or the processor to notify the
p.(None): recipients of the data the actions it has taken.
p.(None): "The deadline for compliance can be set at twenty-four hours in the event of an extreme emergency.
p.(None): “The president shall, if necessary, declare the procedure for formal notice closed.
p.(None): "The president may ask the office to make the formal notice public. In this case, the decision to close the formal notice procedure is made
p.(None): the subject of the same advertisement. "
p.(None): III. - Article 46 of the same law is replaced by the following provisions:
p.(None): "Art. 46. - I. - When non-compliance with the provisions of Regulation (EU) 2016/679 or this law leads to a violation of the rights and freedoms mentioned
p.(None): in article 1 and that the president of the commission considers that it is urgent to intervene, he enters the restricted formation which can, within the framework of a procedure
p.(None): contradictory emergency defined by decree in Council of State, adopt one of the following measures:
p.(None): "1 ° The temporary interruption of the processing, including the transfer of data outside the European Union, for a maximum period of
p.(None): three months, if the processing is not among those mentioned in I and II of article 26 and those mentioned in article 27;
p.(None): "2 ° The limitation of the processing of some of the personal data processed, for a maximum period of three months, if the processing is not within
p.(None): number of those mentioned in I and II of Article 26;
p.(None): “3 ° The temporary suspension of the certification issued to the data controller or the processor;
p.(None): "4 ° The temporary suspension of the approval issued to a certification body or a body responsible for compliance with a code of conduct;
p.(None): "5 ° The temporary suspension of the authorization issued on the basis of III of article 54 of chapter IX of this law.
p.(None): "6 ° The injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 or this law, which may be combined, except
p.(None): in cases where the processing is implemented by the State, a penalty payment the amount of which cannot exceed € 100,000 per day;
p.(None): "7 ° A call to order;
p.(None): "8 ° Information to the Prime Minister so that he may take, if necessary, the measures to put an end to the violation found, if the processing in question
p.(None): is among those mentioned in the same I and II of article 26. The Prime Minister then informs the restricted formation of the consequences it has
p.(None): given to this information no later than fifteen days after receiving it.
p.(None): "II. - In the exceptional circumstances provided for in Article 66 (1) of Regulation (EU) 2016/679, when the restricted formation adopts the measures
p.(None): provisional provided for in 1 ° to 4 ° of I of this article, it shall immediately inform the other supervisory authorities of the content of the measures taken and of their reasons.
p.(None): concerned, the European Data Protection Board and the European Commission.
p.(None): "When the restricted formation has taken such measures and considers that definitive measures must be taken, it shall implement the provisions of the
p.(None): 2 of Article 66 of the Regulation.
p.(None): "III. - For processing operations governed by Chapter XIII, when a competent supervisory authority under Regulation (EU) 2016/679 has not taken action
p.(None): appropriate in a situation where it is urgent to intervene in order to protect the rights and freedoms of the persons concerned, the restricted training, seized by the
p.(None): president of the commission, may ask the european data protection committee for an emergency opinion or a binding emergency decision in
p.(None): the conditions and according to the methods provided for in 3 and 4 of article 66 of this regulation.
p.(None): "IV. - In the event of a serious and immediate infringement of the rights and freedoms mentioned in article 1, the president of the commission may also request, through the
p.(None): referred, to the competent court to order, if necessary under penalty, any measure necessary to safeguard these rights and freedoms. "
p.(None): IV. - Article 47 of the same law is replaced by the following provisions:
p.(None): "Art. 47. - The measures provided for in II of article 45 and in 1 ° to 6 ° of I of article 46 are pronounced on the basis of a report drawn up by one of the members of the
p.(None): National Commission for Data Protection, appointed by its president from among the members not belonging to the restricted group. This
p.(None): report is notified to the data controller or the processor, who can file observations and be represented or assisted. The rapporteur may
p.(None): present oral observations to the restricted panel but does not take part in its deliberations. The restricted panel may hear any person whose
p.(None): the hearing seemed to him likely to contribute usefully to its information, including, at the request of the secretary general, the agents of the services.
p.(None): “Restricted training can make the measures it takes public. It can also order their insertion in publications, newspapers and
p.(None): supports it designates at the expense of sanctioned persons.
...
p.(None): by decree in Council of State, by the National Commission for Data Protection and the Minister responsible for health on the nature of public interest that
p.(None): presents the treatment.
p.(None): "IV. - The commission may, by a single decision, issue the same applicant with authorization for processing for the same purpose, relating to
p.(None): identical categories of data and having identical categories of recipients.
p.(None): "V. - The National Commission for Information Technology and Freedoms decides within two months of receipt of the request. However, this
p.(None): deadline may be renewed once by reasoned decision of its president or when the National Institute for Health Data is referred to in application of II of
p.(None): this article.
p.(None): "When the committee has not made a decision within these deadlines, the request for authorization is deemed to have been accepted. However, this provision is not
p.(None): applicable if the authorization is subject to prior notice under the provisions of this chapter and the opinion or opinions given are not expressly
p.(None): favorable.
p.(None): "Art. 55. - By way of derogation from article 54, the processing of personal health data implemented by the bodies or departments responsible
p.(None): of a public service mission appearing on a list fixed by decree of the ministers responsible for health and social security, taken after opinion of the
p.(None): National Commission for Information Technology and Liberties, the sole purpose of which is to respond to and manage a health alert in the event of an emergency
p.(None): the consequences, within the meaning of section 1 of chapter III of title I of book IV of the public health code, are subject only to the provisions of section 3 of the
p.(None): Chapter IV of Regulation (EU) 2016/79.
p.(None): "The processing operations mentioned in the first paragraph which use the registration number of persons in the national directory of identification of persons
p.(None): physical are implemented under the conditions provided for in article 22.
p.(None): "The derogations governed by the first paragraph of this article end one year after the creation of the processing if it continues to be implemented.
p.(None): "Art. 56. - Notwithstanding the rules relating to professional secrecy, members of the health professions may transmit to the data controller
p.(None): data authorized pursuant to Article 54 the personal data they hold.
p.(None): "When these data allow the identi fi cation of persons, their transmission must be carried out under conditions likely to guarantee their
p.(None): confidentiality. The National Commission for Information Technology and Liberties can adopt recommendations or standards on the technical procedures to
p.(None): enforce.
p.(None): “When the result of the data processing is made public, the direct or indirect identification of the persons concerned must be impossible.
p.(None): "The persons called upon to implement data processing as well as those who have access to the data to which it relates are subject to the
p.(None): professional secrecy under the penalties provided for in article 226-13 of the penal code.
p.(None): "Art. 57. - Everyone has the right to object to personal data concerning him or her being lifted professional secrecy
p.(None): made necessary by processing the nature of those referred to in Article 53.
...
General/Other / Relationship to Authority
Searching for indicator authority:
(return to top)
p.(None): By continuing to browse without changing your cookie settings, you accept the use of cookies. For30
p.(None): Saturday manage Information from
p.(None): and change these settings, update here
p.(None): click day
p.(None): Discover the modernized Légifrance site
p.(None): 2020 in beta
p.(None): https://beta.legifrance.gouv.fr
p.(None): Home French law European law International law Translations Databases
p.(None): You are in: Home> Legislative files> Bills of the 15th legislature> Legislative files - LAW n ° 2018-493 of 20 June 2018 relating to
p.(None): Protection of personal data
p.(None): LAW n ° 2018-493 of 20 June 2018 on the protection of personal data
p.(None): LAW n ° 2018-493 of 20 June 2018 on the protection of personal data
p.(None): Back to the legislative dossier
p.(None): Law Project
p.(None): NOR: JUSC1732261L
p.(None): TITLE I
p.(None): PROVISIONS COMMON TO REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016 AND TO THE DIRECTIVE (EU)
p.(None): 2016/680 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 APRIL 2016
p.(None): Chapter I
p.(None): Provisions relating to the National Data Processing Commission
p.(None): and freedoms
p.(None): Article 1
p.(None): Article 11 of the law n ° 78-17 of January 6, 1978 relating to data processing, the files and freedoms is thus modified:
p.(None): 1 ° At the beginning of the first paragraph, the reference: "I. -" is inserted;
p.(None): 2 ° After the first sentence of the first paragraph is inserted the following sentence:
p.(None): "It is the national supervisory authority within the meaning and for the application of Regulation (EU) 2016/679";
p.(None): 3 ° In a of 2 ° the words: "authorizes the treatments mentioned in article 25," and the words: "and receives the declarations relating to other treatments" are
p.(None): deleted;
p.(None): 4 ° After the a of 2 °, an a bis is inserted as follows:
p.(None): "(Aa) It establishes and publishes guidelines, recommendations or benchmarks intended to facilitate the compliance of data processing with
p.(None): personal information with the texts relating to the protection of personal data and to carry out a prior risk assessment by the
p.(None): controllers and their processors. It encourages the development of codes of conduct defining the obligations incumbent on those responsible
p.(None): of the processing and the subcontractors, taking into account the risk inherent in the processing of personal data for the rights and freedoms of individuals
p.(None): physical; it approves and publishes the reference methodologies mentioned in IV of Article 54, intended to promote compliance in the processing of
p.(None): personal health data ';
p.(None): 5 ° The b of 2 ° is replaced by the following provisions:
p.(None): "(B) It establishes and publishes standard regulations with a view to ensuring the security of personal data processing systems and governing
p.(None): processing of health data falling under Chapter IX. As such, except for processing carried out on behalf of the State, acting in the exercise of
p.(None): its prerogatives of public power, it can prescribe additional technical and organizational measures for data processing
p.(None): biometric, genetic and health in accordance with Article 9.4 of Regulation (EU) 2016/679 and additional guarantees regarding the processing of
...
p.(None): establishments "and in the last sentence of the same II, after the word:" visit "the following sentence is added:
p.(None): "Whose purpose is the effective exercise of the missions provided for in III";
p.(None): 3 ° In III, the first three paragraphs are replaced by two paragraphs worded as follows:
p.(None): "For the exercise of the missions entrusted to the National Commission for Information Technology and Freedoms by regulation (EU) 2016/679 and by this law, the
p.(None): members and agents mentioned in the first paragraph of I may request communication of any document, whatever the medium, and take a copy. They
p.(None): may collect, in particular on the spot or on convocation, any useful information and justi fi cation. They can access, in conditions preserving
p.(None): con fi dentiality with regard to third parties, to computer programs and data, as well as to request transcription by any appropriate processing in
p.(None): documents directly usable for the purposes of control. Secrecy cannot be opposed to them except concerning the information covered by the secret
p.(None): professional applicable to relations between a lawyer and his client, by the secrecy of the sources of journalistic processing or, subject to the provisions
p.(None): of the following paragraph, by medical confidentiality.
p.(None): "Medical secrecy is opposable with regard to the information which figures in a treatment necessary for the purposes of preventive medicine, research
p.(None): medical, medical diagnosis, administration of care or treatment, or management of health service. However the communication of
p.(None): individual medical data included in this category of treatment can be done under the authority and in the presence of a doctor. ";
p.(None): 4 ° After the fourth paragraph of III, a paragraph is inserted as follows:
p.(None): "For the control of online public communication services, the members and agents mentioned in the first paragraph of I can carry out any operation
p.(None): necessary for their mission under a borrowed identity. The use of an assumed identity does not affect the regularity of the findings made
p.(None): in accordance with the previous paragraph. A decree in Council of State taken after opinion of the National Commission of data processing and liberties specifies the conditions
p.(None): in which they proceed in their cases to their findings. ";
p.(None): 5 ° The following paragraph is added:
p.(None): "V. - In the exercise of its supervisory power relating to processing under Regulation (EU) 2016/679 and this law, the National Commission
p.(None): of data processing and freedoms is not competent to control the processing operations carried out, in the exercise of their jurisdictional function, by
p.(None): the courts. "
p.(None): Article 5
p.(None): I. - Article 49 of the same law is replaced by the following provisions:
p.(None): "Art. 49. - Under the conditions provided for in Articles 60 to 67, of Regulation (EU) 2016/679, the National Commission for Data Protection sets out
p.(None): implements procedures of cooperation and mutual assistance with the supervisory authorities of the other Member States of the European Union, and carries out with
p.(None): them joint operations.
p.(None): "The commission, the president, the bureau, the restricted formation and the agents of the commission implement, each as far as they are concerned, the
p.(None): procedures referred to in the previous paragraph. "
p.(None): II. - After article 49, articles 49-1, 49-2, 49-3 and 49-4 are inserted as follows:
p.(None): "Art. 49-1. - I. - The National Data Protection Commission cooperates with the supervisory authorities of the other Member States of the Union
p.(None): European Union pursuant to Article 62 of Regulation (EU) 2016/679, under the conditions provided for in this article. This cooperation is not applicable to
p.(None): processing that does not fall within the scope of European Union law.
p.(None): "II. - Whether it acts as head supervisor or as concerned authority within the meaning of Articles 4 and 56 of Regulation (EU) 2016/679, the
p.(None): National Commission for Data Protection has the power to deal with a complaint or a possible violation of the provisions of the same
p.(None): regulation affecting other Member States as well. The chairman of the committee invites the other supervisory authorities concerned to participate in the
p.(None): joint control operations that he decides to conduct.
p.(None): "III. - When a joint control operation takes place on French territory, members or authorized agents of the commission, acting as
p.(None): that the host control authorities are present alongside the members and agents of the other control authorities participating, where appropriate, in the operation. To the
p.(None): request of the supervisory authority of the Member State, the chairman of the committee may empower, by special decision, those of the members or agents of
p.(None): the supervisory authority concerned, which presents guarantees comparable to those required of the agents of the commission, in application of the provisions of
p.(None): section 19, to exercise, under his authority, all or part of the powers of verification and investigation available to the members and agents of the commission.
p.(None): "IV. - When the committee is invited to contribute to a joint control operation decided by another competent authority, the president of the
p.(None): commission decides on the principle and the conditions of participation, appoints the members and authorized agents, and informs the requesting authority thereof within
p.(None): conditions provided for in Article 62 of Regulation (EU) 2016/679.
p.(None): "Art. 49-2. - I. - The processing operations mentioned in article 70-1 are the subject of cooperation between the National Commission for Data Protection and the
p.(None): supervisory authorities of the other Member States of the European Union under the conditions provided for in this article.
p.(None): "II. - The committee communicates to the supervisory authorities of other member states the relevant information and provides them with assistance, in particular by
p.(None): implement, at their request, control measures such as consultation, inspections and investigation.
p.(None): "The committee shall respond to a request for mutual assistance made by another supervisory authority as soon as possible and at the latest one month
p.(None): after receipt of the request containing all the necessary information, in particular its purpose and reasons. She cannot refuse to comply with this
p.(None): requests that if it is not competent to deal with the subject of the request or the measures it is asked to execute, or if a provision of the right to
p.(None): the European Union or French law is an obstacle.
p.(None): "The Commission shall inform the requesting authority of the results obtained or, as the case may be, of the progress of the file or of the measures taken to follow up on the
p.(None): request.
p.(None): "The committee may, for the exercise of its tasks, request the assistance of a supervisory authority from another Member State of the European Union.
p.(None): "The commission shall give the reasons for any refusal to satisfy a request when it considers that it is not competent or when it considers that satisfying the
p.(None): request would constitute a violation of European Union law, or French law.
p.(None): "Art. 49-3. - When the commission acts as the lead supervisory authority for cross-border processing within the European Union, it
p.(None): communicate the report of the rapporteur member, as well as all the relevant information from the procedure used to draw up the report, to the other authorities
p.(None): control concerned without delay and before the possible hearing of the data controller or the processor. The authorities concerned are put in
p.(None): able to attend the hearing through the limited training of the controller or processor by any appropriate means of retransmission, or
p.(None): take note of the minutes drawn up following the hearing.
p.(None): "After having deliberated on it, the restricted panel submits its draft decision to the other authorities concerned in accordance with the procedure defined in article
p.(None): 60 of Regulation (EU) 2016/679. As such, it decides on the taking into account of the relevant and reasoned objections raised by the authorities concerned and
p.(None): seizes, if it decides to reject one of the objections, the European Data Protection Board in accordance with Article 65 of the regulation.
p.(None): "The conditions for the application of this article are defined by a decree in Council of State, after opinion of the National Commission for Information Technology and
p.(None): freedoms.
p.(None): "Art. 49-4. - When the committee acts as the authority concerned, within the meaning of Regulation (EU) 2016/679, the chairman of the committee is seized of the projects
p.(None): corrective measures submitted to the commission by another lead authority.
p.(None): "When these measures have an equivalent object to those defined in I and III of article 45, the president decides, if necessary, to raise a relevant objection
p.(None): and motivated according to the terms provided for in article 60 of these regulations.
p.(None): "When these measures are of equivalent purpose to those defined in II of article 45 and in article 46, the president seizes the restricted formation. The President of the
p.(None): restricted party or the member of the restricted party it designates may, if applicable, raise a relevant and reasoned objection using the same
p.(None): modalities. "
p.(None): Article 6
p.(None): I. - The title of chapter VII of the same law is deleted and replaced by the following title:
p.(None): "Measures and sanctions taken by the restricted formation of the National Commission for Data Protection and Liberties"
p.(None): II. - Article 45 of the same law is replaced by the following provisions:
p.(None): "Art. 45. - I. - The president of the National Commission for Information Technology and Liberties may warn a data controller or a processor that
p.(None): the processing operations envisaged are likely to violate the provisions of regulation (EU) 2016/679 or of this law.
p.(None): "II. - When the controller or the processor does not comply with the obligations resulting from Regulation (EU) 2016/679 or this law, the
...
p.(None): "5 ° The temporary suspension of the authorization issued on the basis of III of article 54 of chapter IX of this law.
p.(None): "6 ° The injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 or this law, which may be combined, except
p.(None): in cases where the processing is implemented by the State, a penalty payment the amount of which cannot exceed € 100,000 per day;
p.(None): "7 ° A call to order;
p.(None): "8 ° Information to the Prime Minister so that he may take, if necessary, the measures to put an end to the violation found, if the processing in question
p.(None): is among those mentioned in the same I and II of article 26. The Prime Minister then informs the restricted formation of the consequences it has
p.(None): given to this information no later than fifteen days after receiving it.
p.(None): "II. - In the exceptional circumstances provided for in Article 66 (1) of Regulation (EU) 2016/679, when the restricted formation adopts the measures
p.(None): provisional provided for in 1 ° to 4 ° of I of this article, it shall immediately inform the other supervisory authorities of the content of the measures taken and of their reasons.
p.(None): concerned, the European Data Protection Board and the European Commission.
p.(None): "When the restricted formation has taken such measures and considers that definitive measures must be taken, it shall implement the provisions of the
p.(None): 2 of Article 66 of the Regulation.
p.(None): "III. - For processing operations governed by Chapter XIII, when a competent supervisory authority under Regulation (EU) 2016/679 has not taken action
p.(None): appropriate in a situation where it is urgent to intervene in order to protect the rights and freedoms of the persons concerned, the restricted training, seized by the
p.(None): president of the commission, may ask the european data protection committee for an emergency opinion or a binding emergency decision in
p.(None): the conditions and according to the methods provided for in 3 and 4 of article 66 of this regulation.
p.(None): "IV. - In the event of a serious and immediate infringement of the rights and freedoms mentioned in article 1, the president of the commission may also request, through the
p.(None): referred, to the competent court to order, if necessary under penalty, any measure necessary to safeguard these rights and freedoms. "
p.(None): IV. - Article 47 of the same law is replaced by the following provisions:
p.(None): "Art. 47. - The measures provided for in II of article 45 and in 1 ° to 6 ° of I of article 46 are pronounced on the basis of a report drawn up by one of the members of the
p.(None): National Commission for Data Protection, appointed by its president from among the members not belonging to the restricted group. This
p.(None): report is notified to the data controller or the processor, who can file observations and be represented or assisted. The rapporteur may
...
p.(None): specific non-significant code which results from it, cannot be ensured by the same person or by the data controller.
p.(None): "With the exception of the processing operations mentioned in the second paragraph of article 55, this article does not apply to the processing of personal data
p.(None): health personnel who are governed by the provisions of Chapter IX. "
p.(None): II. - Article 27 of the same law is amended as follows:
p.(None): 1 ° In 2 ° of I:
p.(None): a) The reference: "2 °" is deleted;
p.(None): b) After the word: "State", are inserted the words: ", acting in the exercise of its prerogatives of public power,";
p.(None): c) After the words: "which bear", the words: "on genetic data or" are inserted;
p.(None): 2 ° 1 ° of I as well as II, III and IV are repealed.
p.(None): III. - Articles 24 and 25 of the same law are repealed.
p.(None): Chapter III
p.(None): Obligations incumbent on data controllers and processors
p.(None): Article 10
p.(None): Article 35 of the same law is supplemented by the following paragraph: "However, within the scope of Regulation (EU) 2016/679, the subcontractor respects the
p.(None): conditions provided for in Chapter IV of these regulations. "
p.(None): Chapter IV
p.(None): Provisions relating to certain specific categories of processing
p.(None): Article 11
p.(None): Article 9 of the same law is amended as follows:
p.(None): 1 ° In the first paragraph, the words: “offenses, convictions and security measures may only be implemented by:” are replaced by the words: “
p.(None): criminal convictions, offenses or related security measures may only be carried out under the supervision of the public authority or by: ";
p.(None): 2 ° The 1 ° is supplemented by the following words:
p.(None): “As well as legal persons under private law collaborating in the public service of justice, and belonging to categories whose list is fixed by decree in
p.(None): Council of State taken after advice from the National Commission for Data Protection, to the extent strictly necessary for their mission; "
p.(None): 3 ° 3 ° is replaced by the following provisions:
p.(None): "3 ° Natural or legal persons, in order to enable them to prepare and where appropriate, to exercise and monitor legal action as
p.(None): victim, third party, or on behalf of the latter and to have the decision rendered enforced, for a period commensurate with this purpose; communication to
p.(None): a third party is then only possible under the same conditions and to the extent strictly necessary for the pursuit of these same purposes; "
p.(None): 4 ° After the 4 °, a 5 ° is inserted as follows:
p.(None): "5 ° The reusers of public information appearing in the judgments and decisions mentioned in articles L. 10 of the code of administrative justice and L.
p.(None): 111-13 of the code of judicial organization, provided that the processing carried out has neither the purpose nor the purpose and allows the re-identification of
p.(None): persons concerned. "
p.(None): Article 12
p.(None): Article 36 of the same law is amended as follows:
p.(None): 1 ° In the first paragraph, the words: “historical, statistical or scienti fi c” are replaced by the words: “archival in the public interest, for the purpose of
p.(None): scientific or historical research, or for statistical purposes ”;
...
p.(None): enforce.
p.(None): “When the result of the data processing is made public, the direct or indirect identification of the persons concerned must be impossible.
p.(None): "The persons called upon to implement data processing as well as those who have access to the data to which it relates are subject to the
p.(None): professional secrecy under the penalties provided for in article 226-13 of the penal code.
p.(None): "Art. 57. - Everyone has the right to object to personal data concerning him or her being lifted professional secrecy
p.(None): made necessary by processing the nature of those referred to in Article 53.
p.(None): "In the event that the research requires the collection of identi fi cant biological samples, the informed and express consent of the persons concerned must
p.(None): be obtained prior to the implementation of data processing.
p.(None): "Information concerning deceased persons, including those which appear on the certificates of cause of death, may be processed
p.(None): data, unless the interested party has, in his lifetime, expressed his refusal in writing.
p.(None): "Art. 58. - The persons from whom personal data are collected or about whom such data are transmitted are
p.(None): individually informed in accordance with the provisions of Regulation (EU) 2016/679.
p.(None): "However, this information may not be provided if the person concerned has intended to make use of the right granted to him by article L. 1111-2 of
p.(None): health code to be left in the dark about a diagnosis or prognosis.
p.(None): "Art. 59. - The recipients of the information and exercise the rights of the data subject are the holders of parental authority,
p.(None): for minors, or the person charged with a mission of representation within the framework of a guardianship, a family empowerment or a protection mandate
p.(None): future, for protected adults whose condition does not allow them to make an informed personal decision alone.
p.(None): "By way of derogation from the first paragraph of this article, for the processing of personal data carried out in the context of the research mentioned
p.(None): in 2 ° and 3 ° of article L. 1121-1 of the public health code or of studies or evaluations in the health field, having a public interest purpose and
p.(None): including minors, information can be obtained from only one of the holders of parental authority, if it is impossible to inform
p.(None): the other holder, or if he cannot be consulted within a timeframe compatible with the methodological requirements specific to carrying out the research, study
p.(None): or evaluation with regard to its finalities. This paragraph does not preclude the subsequent exercise by each holder of the exercise of parental authority,
p.(None): of the rights mentioned in the first paragraph.
p.(None): "For these treatments, the minor aged fifteen or more may object to the holders of parental authority having access to the data on
p.(None): concerning collected during research, study or evaluation. The minor then receives the information and exercises his rights alone.
p.(None): “For these same treatments, minors aged fifteen or over may object to holders of parental authority being informed of the
p.(None): data processing if the fact of participating in it leads to revealing information on a preventive action, screening, diagnosis, treatment or
p.(None): intervention for which the minor expressly objected to consulting the holders of parental authority in application of Articles L. 1111-5 and L.
p.(None): 1111-5-1 of the public health code or if the family ties are broken and the minor bene fi ts personally from the reimbursement of benefits in
p.(None): nature of health and maternity insurance and of the additional cover set up by law n ° 99-641 of July 27, 1999 creating a
p.(None): Universal health coverage. He then exercises his rights alone.
p.(None): "Art. 60. - Information relating to the provisions of this chapter must in particular be provided in any establishment or center where
p.(None): prevention, diagnosis and care activities giving rise to the transmission of personal data with a view to the treatment referred to in this
p.(None): chapter.
p.(None): "Section 2
p.(None): "Special provisions for processing for research and study purposes
p.(None): "Or health assessment.
p.(None): "Art. 61. - Automated processing of personal data the purpose of which is or becomes research or studies in the health field
p.(None): as well as the evaluation or analysis of care or prevention practices or activities are subject to the provisions of section 1 of this chapter, under
p.(None): reserve those of this section.
p.(None): "Art. 62. - Reference methodologies are approved and published by the National Commission for Data Protection. They are established in
p.(None): consultation with the National Institute for Health Data mentioned in Article L. 1462-1 of the Public Health Code and public and private organizations
p.(None): representative of the actors concerned.
p.(None): "When the processing conforms to a reference methodology, it can be implemented without the authorization mentioned in article 54, provided that
...
p.(None): THE MATERIAL OR EXECUTION OF CRIMINAL PENALTIES, AND THE FREE MOVEMENT OF SUCH DATA
p.(None): Article 18
p.(None): I. - In the penultimate paragraph of article 32 of the same law, the words: "or having as its object the execution of criminal convictions or security measures" are
p.(None): replaced by the words: ", without prejudice to the application of the provisions of Chapter XIII".
p.(None): II. - The last paragraph of article 32 is deleted.
p.(None): III. - In article 41 of the same law, after the words: "public security" are inserted the words: ", subject to the application of the provisions of chapter XIII,
p.(None): "
p.(None): IV. - In article 42 of the same law, the words: "prevent, investigate or find infringements, or of" are deleted.
p.(None): Article 19
p.(None): Chapter XIII of the same law becomes Chapter XIV and, after article 70, the following provisions are inserted:
p.(None): "Chapter XIII
p.(None): “Provisions applicable to processing operations covered by Directive (EU) 2016/680 of April 27, 2016
p.(None): "Section 1
p.(None): " General provisions
p.(None): "Art. 70-1. - The provisions of this chapter apply, where applicable by way of derogation from the other provisions of this law, to the processing of
p.(None): personal data used:
p.(None): "1 ° For the purposes of prevention and detection of criminal offenses, of investigation and prosecution in the matter or of the execution of criminal sanctions, including the
p.(None): protection against threats to public security and the prevention of such threats;
p.(None): "2 ° By any public authority competent for any of the purposes set out in 1 °, or any other body or entity to which has been entrusted, for these same purposes,
p.(None): the exercise of public authority and the powers of a public authority, hereinafter referred to as the competent authority.
p.(None): "These treatments are only lawful if and insofar as they are necessary for the execution of a mission carried out, for the purposes set out in 1 °, by a
p.(None): competent authority within the meaning of 2 °, and where the provisions of articles 70-3 and 70-4 are respected.
p.(None): "For the application of this chapter, when the concepts used are not defined in chapter 1 of this law, the definitions of article 4 of
p.(None): Regulation (EU) 2016/679 are applicable.
p.(None): "Art. 70-2. - The processing of data mentioned in I of article 8 is possible only in case of absolute necessity, subject to guarantees
p.(None): appropriate for the rights and freedoms of the data subject, and either if it is provided for by a legislative or regulatory act, or if it aims to protect the interests
p.(None): of a natural person, or if it relates to data manifestly made public by the data subject.
p.(None): "Art. 70-3. - If the processing is carried out on behalf of the State for at least one of the purposes provided for in 1 ° of article 70-1, it must be provided by a
p.(None): regulatory act taken in accordance with I of article 26 and articles 28 to 31.
p.(None): "If the processing relates to data mentioned in I of article 8, it is provided for by a regulatory act taken in accordance with II of article 26.
p.(None): "Art. 70-4. - If the processing is likely to create a high risk for the rights and freedoms of natural persons, in particular because it relates to
p.(None): of the data mentioned in I of Article 8, the controller performs an impact analysis relating to the protection of personal data
p.(None): staff.
p.(None): "If the processing is carried out on behalf of the State, this impact assessment is sent to the National Commission for Data Protection with
p.(None): the request for an opinion provided for in Article 30.
...
p.(None): "2. Either when the type of treatment, in particular due to the use of new mechanisms, technologies or procedures, presents high risks
p.(None): for the freedoms and rights of the persons concerned.
p.(None): "Art. 70-5. - Personal data collected by the competent authorities for the purposes set out in 1 ° of article 70-1, cannot be
p.(None): processed for other purposes, unless such processing is authorized by laws or regulations, or by Union law
p.(None): European. When personal data is processed for such other purposes, Regulation (EU) 2016/679 applies, unless the processing
p.(None): is carried out in the context of an activity outside the scope of European Union law.
p.(None): "Processing by a processor is governed by a contract or other legal act, which binds the processor to the controller, defines the purpose and
p.(None): the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the
p.(None): obligations and rights of the controller, and which provides that the processor only acts on the instructions of the controller. The content of this
p.(None): contract or legal act is specified by decree in Council of State taken after opinion of the National Commission of data processing and freedoms.
p.(None): "Section 2
p.(None): "Obligations incumbent on the competent authorities and the controllers
p.(None): "Art. 70-11. - The competent authorities take all reasonable measures to ensure that personal data which is inaccurate,
p.(None): incomplete or out of date are erased or rectified without delay or are not transmitted or made available. To this end, each authority
p.(None): competent checks, as far as possible, the quality of personal data before their transmission or making available.
p.(None): "As far as possible, when transmitting personal data, are added necessary information allowing the authority
p.(None): competent recipient to judge the accuracy, completeness, and reliability of the personal data, and their level of updating.
p.(None): "If it turns out that inaccurate personal data has been transmitted or that personal data has been transmitted in a
p.(None): illicit, the recipient is informed without delay. In this case, personal data is rectified or erased or their processing is limited
p.(None): in accordance with article 70-20.
p.(None): "Art. 70-12. - The data controller establishes as far as possible and where appropriate a clear distinction between the personal data of
p.(None): different categories of data subjects, such as:
p.(None): "1 ° Persons for whom there are serious grounds to believe that they have committed or are about to commit a criminal offense;
p.(None): "2 ° Persons convicted of a criminal offense;
p.(None): "3 ° Victims of a criminal offense or persons in respect of whom certain facts suggest that they could be victims of an offense
p.(None): criminal;
p.(None): "4 ° Third parties to a criminal offense, such as persons who may be called to testify in investigations relating to criminal offenses or
p.(None): subsequent criminal proceedings, persons who can provide information on criminal offenses, or contacts or associates of one of the
p.(None): persons referred to in 1 ° and 2 °.
p.(None): "Art. 70-13. - I. - In order to demonstrate that the processing is carried out in accordance with this chapter, the controller and the processor
...
p.(None): "6 ° The right to lodge a complaint with the National Commission for Data Protection and the contact details of the commission;
p.(None): "7 ° Communication of personal data being processed, as well as any available information as to their source.
p.(None): "Art. 70-20. - I. - The data subject has the right to obtain from the controller:
p.(None): “1 ° That personal data concerning him that are inaccurate be rectified as soon as possible;
p.(None): “2 ° That incomplete personal data concerning it be completed, including by providing a complementary declaration for this purpose;
p.(None): "3 ° That personal data concerning him be erased as soon as possible when the processing is carried out in violation of the provisions
p.(None): of this law or when this data must be erased in order to comply with a legal obligation to which the controller is subject.
p.(None): "II. - When the interested party requests it, the controller must justify that he has carried out the operations required under I.
p.(None): "III. - Instead of erasing, the controller limits the processing when:
p.(None): "1 ° Either the accuracy of the personal data is disputed by the data subject and it cannot be determined whether the data is accurate or not
p.(None): ;
p.(None): “2 ° Either personal data must be kept for probative purposes.
p.(None): "When the processing is limited under 1 °, the controller informs the data subject before lifting the limitation of processing.
p.(None): "IV. - The data controller informs the data subject of any refusal to rectify or erase personal data or to limit the
p.(None): processing, as well as reasons for refusal.
p.(None): "V. - The controller communicates the rectification of inaccurate personal data to the competent authority from which they come.
p.(None): "VI. - When personal data have been rectified or erased or the processing has been limited under I, II and III, the person responsible for
p.(None): processing notifies the recipients so that they rectify or erase the data or limit the processing of the data under their responsibility.
p.(None): "Art. 70-21. - I. - The rights of the natural person concerned may be subject to restrictions in accordance with the procedures provided for in II of this article therefore
p.(None): and as long as such a restriction constitutes a necessary and proportionate measure in a democratic society with due regard to the rights
p.(None): fundamental and legitimate interests of the person for:
p.(None): "1 ° Avoid hindering investigations, research or official or judicial procedures:
p.(None): “2 ° Avoid harming the prevention or detection of criminal offenses, the investigations or prosecutions in the matter or the execution of criminal sanctions;
p.(None): “3 ° Protect public security;
p.(None): “4 ° Protect national security;
p.(None): "5 ° Protect the rights and freedoms of others.
p.(None): "These restrictions are provided for in the treatment initiation act.
p.(None): "II. - When the conditions provided for in I are fulfilled, the controller may:
p.(None): "1 ° Delay or limit the supply to the data subject of the information mentioned in II of article 70-18, or not provide this information;
p.(None): "2 ° Limit, in whole or in part, the right of access of the data subject provided for in article 70-19;
...
p.(None): jurisdictional appeal.
p.(None): "Art. 70-23. - No payment is required to take the measures and provide the information referred to in articles 70-18 to 70-20, unless requested
p.(None): manifestly unfounded or abusive.
p.(None): “In this case, the controller may also refuse to comply with the request.
p.(None): "In the event of a dispute, the burden of proving the manifestly unfounded or abusive nature of the requests lies with the data controller
p.(None): from which they are addressed.
p.(None): "Art 70-24. - The provisions of this sub-section do not apply when the personal data appear either in a decision
p.(None): or in a judicial file which is the subject of processing during criminal proceedings. In these cases, access to this data can only be done
p.(None): under the conditions provided for by the Code of Criminal Procedure.
p.(None): "Section 4
p.(None): “Transfers of personal data to non-member states
p.(None): "To the European Union or to recipients established in non-member states
p.(None): " of the European Union
p.(None): "Art. 70-25. - The person responsible for processing personal data cannot transfer data or authorize the transfer of data already
p.(None): transmitted to a State outside the European Union only when the following conditions are met:
p.(None): "1 ° The transfer of this data is necessary for one of the purposes set out in 1 ° of article 70-1;
p.(None): "2 ° Personal data is transferred to a person responsible in that third State or to an international organization which is an authority
p.(None): competent responsible in this State for purposes falling under 1 ° of article 70-1 in France;
p.(None): "3 ° If the personal data come from another State, the State which transmitted these data has previously authorized this transfer in accordance with
p.(None): national law.
p.(None): "However, if prior authorization cannot be obtained in good time, this personal data may be retransmitted without authorization
p.(None): prior notice from the State which transmitted the data when this retransmission is necessary to prevent a serious and immediate threat to security
p.(None): of another State or for the protection of the essential interests of France. The authority from which this personal data originated is informed without
p.(None): delay.
p.(None): "4 ° At least one of the following three conditions is met:
p.(None): “(A) The committee adopted an adequacy decision in accordance with article 36 of Directive (EU) 2016/680 of the Parliament and of the Council of 27 April 2016;
p.(None): "(B) In the absence of such an adequacy decision, appropriate safeguards with regard to the protection of personal data are provided
p.(None): in a legally binding instrument; these appropriate guarantees may either result from the data protection guarantees mentioned
p.(None): in the conventions implemented with this third State, either result from legally binding provisions required on the occasion of the exchange of
p.(None): data;
p.(None): "C) In the absence of such a decision on adequacy and appropriate guarantees as provided for in b, the controller has evaluated all
p.(None): circumstances of the transfer and considers that there are appropriate guarantees with regard to the protection of personal data;
p.(None): "When the controller of personal data transfers personal data on the sole basis of the existence of
p.(None): appropriate safeguards with regard to the protection of personal data, other than a jurisdiction carrying out processing activity in the context
p.(None): of its jurisdictional activities, it advises the National Commission for Information Technology and Freedoms of the categories of transfers falling under this basis.
p.(None): "In this case, the data controller must keep track of the date and time of the transfer, information on the competent authority
p.(None): recipient, and the justification for the transfer and the personal data transferred. This documentation is made available to the authority of
p.(None): control, at his request.
p.(None): "When the commission has repealed, modified or suspended an adequacy decision adopted in application of article 36 of the abovementioned directive, the person responsible
p.(None): processing of personal data may nevertheless transfer personal data or authorize the transfer of data already transmitted to
p.(None): a State which does not belong to the European Union if appropriate guarantees with regard to the protection of personal data are provided
p.(None): in a legally binding instrument or if it considers after having assessed all the circumstances of the transfer that there are appropriate guarantees
p.(None): protection of personal data.
p.(None): "Art. 70-26. - Notwithstanding the provisions of the previous article, the person responsible for processing personal data cannot, in the absence of
p.(None): decision on adequacy or appropriate guarantees, transfer this data or authorize the transfer of data already transmitted to a State not belonging to
p.(None): the European Union only when the transfer is necessary:
p.(None): "1 ° Safeguarding the vital interests of the person concerned or of another person;
p.(None): "2 ° Safeguarding the legitimate interests of the person concerned when French law so provides;
p.(None): "3 ° To prevent a serious and immediate threat to the public security of a Member State of the European Union or of a third country;
p.(None): "4 ° In special cases, for one of the purposes set out in 1 ° of article 70-1;
p.(None): "5 ° In a particular case, the establishment, exercise or defense of legal claims in connection with the same ends.
p.(None): "In the cases referred to in 4 ° and 5 °, the controller of personal data does not transfer this data if he considers that the freedoms and
p.(None): fundamental rights of the data subject outweigh the public interest in the context of the proposed transfer.
p.(None): "When a transfer is made in order to safeguard the legitimate interests of the data subject, the controller keeps track of the date
p.(None): and the time of the transfer, information on the competent authority to which it was sent, and the justification for the transfer and the personal data transferred. he
p.(None): makes this information available to the National Commission for Data Protection, at its request.
p.(None): "Art. 70-27. - Any competent public authority mentioned in 2 ° of article 70-1 may, in certain special cases, transfer data of a personal nature.
p.(None): personnel directly to recipients established in a State not belonging to the European Union, when the other provisions of this law
p.(None): applicable to the treatments falling under article 70-1 are respected and that the following conditions are met:
p.(None): "1 ° The transfer is necessary for the performance of the mission of the competent authority which transfers this data for one of the purposes set out in article 70-1;
p.(None): "2 ° The competent authority which transfers these data establishes that there are no fundamental rights or freedoms of the data subject which prevail over
p.(None): the public interest requiring the transfer in the case under consideration;
p.(None): "3 ° The competent authority which transfers this data considers that the transfer to the competent authority of the other State is ine ffi cient or inappropriate, in particular
p.(None): because the transfer cannot be made in a timely manner;
p.(None): "4 ° The competent authority of the other State shall be informed as soon as possible, unless it is ineffective or inappropriate;
p.(None): "5 ° The competent authority which transfers this data shall inform the recipient of the specific purpose or purposes for which the personal data
p.(None): transmitted personnel must only be subject to processing by this recipient, provided that such processing is necessary;
p.(None): "The competent authority which transfers data informs the National Commission for Data Protection and Freedoms of transfers under this article.
p.(None): "The competent authority shall keep a record of the date and time of this transfer, of information on the recipient, and of the justification for the transfer and the data to
p.(None): personal character transferred. "
p.(None): TITLE IV
p.(None): AUTHORIZATION TO IMPROVE THE INTELLIGIBILITY OF THE LEGISLATION APPLICABLE TO DATA PROTECTION
p.(None): Article 20
p.(None): I. - Under the conditions provided for in article 38 of the Constitution, the Government is authorized to take by ordinance the measures within the domain
p.(None): of the necessary law:
p.(None): 1 ° On the rewriting of all the law n ° 78-17 of January 6, 1978 relating to data processing, the files and freedoms in order to make the formal corrections and
p.(None): the adaptations necessary for the simpli fi cation and consistency as well as the simplicity of the implementation by the persons concerned of the provisions which
p.(None): bring national law into line with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and transpose the Directive (EU)
p.(None): 2016/680 of the European Parliament and of the Council of April 27, 2016, as resulting from this law;
p.(None): 2 ° To bring all of the legislation applicable to the protection of personal data into line with these changes, provide
p.(None): modifications that would be made necessary to ensure compliance with the hierarchy of standards and the editorial consistency of texts, harmonize the state
p.(None): of the law, remedy any errors and omissions resulting from this law, and repeal the provisions which have become devoid of purpose;
p.(None): 3 ° The adaptation and extensions to the overseas provisions of 1 ° and 2 °, as well as the application in New Caledonia, in Wallis and Futuna in
...
Orphaned Trigger Words
Appendix
Indicator List
Indicator | Vulnerability |
access | Access to Social Goods |
authority | Relationship to Authority |
conviction | Religion |
criminal | criminal |
emergency | Public Emergency |
employees | employees |
ethnic | Ethnicity |
family | Motherhood/Family |
home | Property Ownership |
minor | Youth/Minors |
officer | Police Officer |
opinion | philosophical differences/differences of opinion |
party | political affiliation |
political | political affiliation |
racial | Racial Minority |
religious | Religion |
restricted | Incarcerated |
single | Marital Status |
threat | Threat of Stigma |
union | Trade Union Membership |
Indicator Peers (Indicators in Same Vulnerability)
Indicator | Peers |
conviction | ['religious'] |
party | ['political'] |
political | ['party'] |
religious | ['conviction'] |
Trigger Words
consent
justice
protect
protection
risk
Applicable Type / Vulnerability / Indicator Overlay for this Input