French Act No. 2018-493 (France)

Overview

The French Act No. 2018-493 of June 20, 2018, adapts national data protection laws to align with the European General Data Protection Regulation (GDPR). It reinforces protections for personal data, streamlines procedures, and provides the Commission nationale de l'informatique et des libertés (CNIL) with greater authority to regulate data processing activities in France. This law also defines specific requirements for entities handling personal data, ensuring consistency with the GDPR framework while addressing France-specific considerations.


Regulation Summary

Timeline
  • January 6, 1978: Original French Data Protection Act (Loi Informatique et Libertés) is passed.
  • May 25, 2018: GDPR becomes enforceable across the EU.
  • June 20, 2018: Law No. 2018-493 adopted to integrate GDPR into French legislation.
  • July 22, 2019: Updates made for better implementation and harmonization.
What Businesses Are Affected
  • All businesses operating in France or processing personal data of individuals residing in France.
  • Regardless of size: Applies to startups, SMEs, and large corporations.
  • Sector-neutral: Covers industries ranging from tech to healthcare, retail, and beyond.
  • Non-French companies targeting French residents (e.g., via websites or apps).
Exemptions
  • National Security: Processing for national defense or public safety is excluded.
  • Journalistic Activities: Protections for press freedom and artistic/literary expression.
  • Personal Use: Data processing for purely private, non-commercial purposes.
Responsibilities for Businesses
  • Data Collection: Must have a clear and lawful purpose.
  • Data Minimization: Only collect data strictly necessary for the stated purpose.
  • Data Security: Implement technical and organizational measures to safeguard data.
  • Transparency: Provide clear and accessible information on data usage.
  • Accountability: Maintain records of processing activities (Article 30 GDPR).
Specific Responsibilities for Website Owners
  • Cookie Consent: Obtain explicit user consent before storing or accessing cookies (except essential cookies).
  • Privacy Policy: Display a detailed, easy-to-understand privacy notice that includes the types of data collected, purposes of processing, data retention periods, third-party sharing details, user rights, and contact information for further inquiries.
  • User Rights Portal: Enable users to exercise rights like access, rectification, or erasure.
  • Secure Forms: Ensure encryption for data submitted via forms (e.g., contact or payment forms).
Additional Requirements
  • Cross-Border Data Transfers: Restricted unless adequate safeguards are in place (e.g., EU-approved mechanisms).
  • Data Protection Officer (DPO): Mandatory for certain organizations (e.g., large-scale data processing).
  • Impact Assessments: Required for high-risk processing activities (e.g., biometric data).
Data Subject Rights
  • Access: Request a copy of personal data.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure: “Right to be forgotten” in certain situations.
  • Portability: Receive data in a machine-readable format to transfer elsewhere.
  • Objection: Refuse processing for marketing purposes or certain other grounds.
  • Restriction: Limit processing under specific conditions.
Enforcement
  • Authority: The CNIL (Commission Nationale de l’Informatique et des Libertés) oversees enforcement.
  • Fines: Up to €20 million or 4% of global annual turnover, whichever is higher, for serious violations.
  • Audits: Regular inspections and potential penalties for non-compliance.

Questions?

If you would like to learn more, our compliance experts are happy to support you.

Leave us a Message
support@clym.io
+1 980 446 8535
+1 866 275 2596