Which people are protected by law?

These are all natural persons who are the subject of personal data processing. 

What is meant by personal data?

It is “any information of any kind and irrespective of its medium, including sound and image, that relates to an identified or identifiable person…; a natural person is deemed identifiable if he can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, genetic, mental, cultural, social or economic identity”. 

What is meant by processing of personal data?

Processing of personal data consists of “any operation or set of operations which is performed upon data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.” 

Who is responsible for the data processing when it is carried out?

The law defines the controller as “the natural or legal person, public authority, department or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of the processing are determined by or pursuant to legal provisions, the controller shall be determined by or pursuant to specific criteria in accordance with legal stipulations. 

In principle, it is therefore the natural or legal person who decides to set up the data processing on their own behalf. 

What rules and conditions must be complied with by anyone who intends to set up a personal data processing system?

The purpose of the processing must be legitimate

Personal data may only be processed if there is a sufficiently legitimate reason for doing so. 

Anyone wishing to process data must in principle seek the consent of the data subject. However, in a number of cases data processing is necessary, for example, for the proper performance of a contract, to comply with a public service obligation or a legal obligation, or to protect the life of the person concerned by the processing. 

The purpose of the processing must be clearly established and highlighted

The use of personal data must be strictly limited to the purpose explicitly determined beforehand. 

The processing must therefore be necessary to achieve the purposes expressly set out in advance by the controller. A transfer of the collected data to third parties is only possible if the purpose of use by these third parties is exactly the same. 

The principle of proportionality and necessity

This principle implies that the processing must be limited to data for which there is a direct link with the initial purpose of the processing. The data must not only be useful, but also necessary for the person processing them. Thus, the data processed must not exceed what is necessary to achieve the purpose.  

The data processed must be correct and up-to-date

The processing must be fair

The collection, recording, use and transmission of personal data must be done in good faith and not without the knowledge of the person concerned. 

Thus, the subsequent use of personal data for purposes other than those originally intended is in principle prohibited. 

Data security and confidentiality

Personal data must be treated confidentially and stored in secure locations and on secure equipment. 

Sensitive data may not in principle be processed

The processing of data that reveal opinions, beliefs, health status or sex life is prohibited. The law nevertheless provides for some exceptional cases where such processing is possible. 

When can personal data be processed?

According to the law, personal data may only be processed : 

  • if it is necessary for compliance with a legal obligation to which the controller is subject; 
  • if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or the third party or parties to whom the data are disclosed; 
  • if it is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures taken at the request of the data subject; 
  • if it is necessary for the fulfilment of the legitimate interest pursued by the controller or by the third party or parties to whom the data are disclosed, provided that the interests or fundamental rights and freedoms of the data subject are not overridden; 
  • if it is necessary to safeguard the vital interests of the data subject; 
  • if the data subject has given his or her consent. 

Under what conditions can an employer process personal data for surveillance purposes in the workplace?

Article L. 261-1 of the Labour Code thus stipulates that processing of personal data for the purpose of monitoring employees may only be implemented by the employer in the cases referred to in Article 6(1) (a) to (f) of Regulation (EU) 2016/679 (GDPR). 

Under the general regime laid down by the GDPR, this would include: 

  • when the processing of the employee’s personal data is necessary for the performance of the employment contract; 
  • when the employer is subject to a legal obligation making it necessary to process the employee’s personal data; 
  • where the employer’s legitimate interest could justify surveillance.

when the processing of an employee’s personal data for surveillance purposes could be envisaged by the employer. 

It should be noted that when the employer invokes its legitimate interest to justify surveillance, the implementation of such surveillance requires the employer to balance its own legitimate interest with the need to protect the fundamental rights and freedoms of the employee concerned, such as the right to privacy in the workplace, the right to have one’s image respected, etc. 

In all these cases, it must be determined whether the surveillance is proportional and necessary in relation to the intended purpose. 

In addition to the right to information of the person concerned, the employer must inform the staff delegation or, failing that, the Labour and Mines Inspectorate before implementing surveillance. 

This prior information shall contain a detailed description of the purpose of the proposed processing operation, as well as the arrangements for implementing the monitoring system and, where appropriate, the duration or criteria for storing the data, together with a formal undertaking by the employer not to use the data collected for any purpose other than that explicitly provided for in the prior information. 

When monitoring is implemented: 

  • for the health and safety of employees; 
  • for the control of the employee’s production or performance, when such a measurement is the only way to determine the exact wage; 
  • within the framework of a flexitime work organization. 

it may only be carried out with the agreement of the staff delegation, in accordance with the provisions of articles L. 211-8, L. 414-9 of the Labour Code, except when the employer is meeting a legal or regulatory obligation through this surveillance. 

For any data processing implemented for the purpose of surveillance in the workplace, the staff delegation, or failing that, the employees concerned, may, within 15 days of receiving notification, submit a request for a prior opinion on the conformity of the processing data for the purpose of surveillance of the employee in the context of employment relations to the CNPD, which must give its opinion within one month of the referral. This request has a suspensive effect during this period. The employer may therefore not carry out the monitoring before obtaining the opinion of the CNPD. The employees affected by the monitoring also have the right to lodge a complaint with the CNPD. Such a complaint is neither a serious nor a legitimate reason for dismissal. 

What are the rights of the person whose data is processed?

Any person affected by data processing has a number of rights. These rights were greatly increased with Regulation (EU) 2016/679. 

These include the right to information, the right of access, the right of rectification, the right to erasure of data, the right to limitation of processing, the right to data portability, the right to object, the right to object to profiling and automated processing of one’s request, the right to complaint and the right to compensation. 

Right to be informed

Data collected directly from the individual 

The data subject shall have the right to be informed at the time the data are collected from him/her of the following: 

  • the identity and contact details of the controller; 
  • if applicable, the contact details of the data protection officer; 
  • the purpose of the processing and its legal basis; 
  • where the processing is based on the legitimate interest of the controller, such legitimate interest shall be specified; 
  • the recipient(s) of the data; 
  • the length of time the data will be retained, if not the criteria used to determine it; 
  • the existence of his other rights (right of access, rectification, deletion, limitation of data, etc.); 
  • the regulatory, contractual or compulsory nature for providing data and the consequences of a possible refusal; 
  • the existence of automated decision-making or profiling ; 
  • if necessary, the use of the data for another purpose. 

Data not collected from the data subject 

If the data are not collected directly from the data subject : 

  • the source of the data must be indicated, including whether or not the source is publicly available 
  • the data controller must provide the information listed above:  
    • within a reasonable time after obtaining the personal data, but not exceeding one month; or 
    • if the personal data are to be used for the purpose of communicating with the data subject, no later than at the time of the first communication with the data subject; or 
    • if it is planned to submit the information to another recipient, no later than when the personal data are communicated for the first time. 

It should also be noted that every person always retains the right to be informed on request within one month, as well as to be informed of any data breach. 

Right of access

The data subject has the right to access the data processed with the information under the right to information and to obtain a copy of the data free of charge. It should be noted that if additional copies are requested, the controller may charge a reasonable fee for any additional copies. 

Right of rectification

This includes the right to request the correction of inaccurate data as soon as possible, as well as the right to have incomplete data completed. 

Right to have data deleted as soon as possible

This right comes into play as soon as the data are no longer necessary for the purpose, when the processing is based on consent and consent is withdrawn, in the case of the justified exercise of the right to object, when the processing of data is unlawful, when the erasure is necessary to ensure compliance with a legal obligation, when the data are collected as part of services offered to children/young people under 16. 

It should be noted that there are exceptions to the exercise of this right, notably in the following cases 

  • exercise of the right to freedom of expression/information; 
  • need to ensure compliance with a legal obligation; 
  • public interest with regard to public health; 
  • archiving in the public interest, scientific or historical research, statistics;  
  • legal advocacy. 

Right to object

Where processing is carried out to accomplish a public task or is based on the legitimate interest of the controller, the data subject shall have the right to object on grounds relating to his or her particular situation, unless the public interest overrides it. 

In addition, every person has the right to object to the processing of his or her data for the purpose of canvassing, including profiling in connection with such canvassing. 

Right to restrict processing

This right may be exercised during verification of the data following a doubt as to the accuracy of the data or when the processing is unlawful and the data subject objects to the erasure but requests restriction. It also occurs when the controller no longer needs the data but data subjects need them to defend their legal rights or when the data subject objects to the processing and the processing is then restricted for the time necessary to verify whether legitimate grounds of the controller prevail. 

Right to portability

Where the processing is based on the consent of the data subject or where the processing is carried out by means of computerised processes, the data subject shall have the right to request that the data be automatically transferred by the controller to another controller. 

Profiling and automated data processing

Everyone has the right to object to a decision based on automated processing, including profiling, where it produces legal effects or affects the person significantly in a similar way. Except where the processing is necessary for the conclusion/performance of a contract or based on the explicit consent of the person or where the processing is permitted under the European or national law of the controller. 

SENSITIVE DATA: Such data may only be processed if data subjects have given their explicit consent or in the public interest and appropriate measures to protect rights and freedoms have been put in place. 

Right to claims

Any natural person may file a complaint with the CNPD for violation of their rights on the basis of the legislation on personal data protection. The CNPD informs complainants of the status and outcome of the complaint. 

Right to reparations

The controller must compensate the data subject for damages, unless he can prove that he is not responsible. 

Right of appeal

The law also provides for a right of appeal against a data controller, and even against the decisions of the CNPD, as well as the right to be represented by a non-profit organization/association of public interest and active in the field of protection of the rights and freedoms of individuals in the field of personal data protection. 

More information

CSL Publication


Download: Newsletter N°6-2018