Data Privacy & Transfer in Investigations

Last verified on Thursday 15th September 2022

Data Privacy & Transfer in Investigations: France


SCOPE OF DATA PROTECTION LAWS RELEVANT TO CROSS-BORDER INVESTIGATIONS

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?

France

The following laws and regulations provide rules governing the collection and processing of personal data in France:

  • the EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in this jurisdiction; and
  • Law No. 78-17 dated 6 January 1978 on information technology, data files and civil liberties (the French Data Protection Act) (as modified).

A number of provisions in the GDPR have particular relevance in the context of investigations. For example, the processing of personal data must have a valid legal basis under the GDPR. Establishing a legal basis in the context of an investigation is not always straightforward, particularly where investigations involve foreign authorities or courts, and where the relevant data includes sensitive data. Restrictions on international transfers create additional complexity in the context of cross-border investigations, both in relation to transfers within an organisation (and to its advisers) and in relation to transfers to foreign authorities, courts and counterparties in litigation. All processing must comply with the data protection principles under the GDPR, including the principles that processing must be fair, lawful and transparent and the principle of data minimisation. It can be challenging to ensure compliance with these principles in the context of an investigation. 

Regarding cross-border investigations, the GDPR provides for a cooperation mechanism known as a “one-stop shop” between the European Supervisory Authorities in the context of cross-border cases, whereby the Supervisory Authority for the main establishment of the controller in the EU would be the sole authority for monitoring and ensuring compliance by that controller throughout the EU.

In France, the Supervisory Authority is the Commission nationale de l’informatique et des libertés (the CNIL).

More specifically, if during an investigation or the examination of a complaint the personal data processing is identified as being cross-border, European cooperation is instigated. In this regard, processing is considered as cross-border in one of the following situations:

  • data processing is carried out by an organisation with several undertakings in two or more European states; or
  • data processing is carried out by a company established in a single state, but substantially affects individuals in more than one member state.


2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?

France

Under French law, data sharing in the context of an investigation may be restricted, principally, by four other statutes, the violation of which may be subject to criminal or regulatory sanctions, and may result in civil litigation risks:

  • laws relating to banking secrecy (eg, article L511-33 of the French Monetary and Financial Code);
  • Law No. 68-678 dated 26 July 1968, as amended, governing the request, research or disclosure of information of an economic, commercial, industrial, financial or technical nature, with a view to establishing evidence in foreign judicial or administrative proceedings or in relation thereto (the Blocking Statute);
  • Law No. 2018-670 dated 30 July 2018, dealing with the protection of trade secrets; and
  • Law No. 71-1130 dated 31 December 1971, where article 66-5 establishes a professional secrecy covering legal advice, meeting notes and any correspondence between a French lawyer and his client, including emails. 

In addition, from a French employment law perspective, use of employee data (emails, files) marked as “personal” or “private” is prohibited in principle.

For files, an exception exists where (i) the access is performed with the employee present or duly convened; or (ii) there is a “particular risk or event”. However, this exception only covers exceptional circumstances and French courts construe it very narrowly, requiring an absolute emergency for the employer to access the information.


3. What constitutes personal data for the purposes of data protection laws?

France

The GDPR defines “personal data” as any data relating to a living individual who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that living person.

Data that is irreversibly anonymised will not be “personal data” for the purposes of the GDPR, as it does not identify the individual. Data is not truly anonymised if re-identification of the individuals to which the data relates remains possible by reasonably available means. Pseudonymised data – information no longer attributable to a specific data subject without the use of additional information, kept separately and subject to appropriate measures – remains personal data for the purposes of the GDPR.

The GDPR only applies to natural living persons. It does not cover legal persons.


4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?

France

The GDPR applies to “processing”, which is defined broadly and includes any activity in relation to personal data (whether or not by automated means). A number of examples are provided in the GDPR, including the collection, use, disclosure and destruction or erasure of personal data.

The direct obligations under the GDPR apply primarily to controllers. A controller is defined in the GDPR as a person who (either alone or jointly with others) determines the purposes for which and the manner in which any personal data are processed. 

However, the GDPR also imposes certain direct obligations on processors. A processor is defined in the GDPR as a person who processes personal data on behalf of the controller.

The territorial scope of the GDPR is set out in article 3, which provides that it applies to:

  • data controllers and data processors that process personal data in the context of the activities of an EU establishment, regardless of whether the data processing takes place in the EU;
  • non-EU data controllers and data processors with no EU establishment that either (i) offer goods or services to individuals in the EU, regardless of whether they receive payment; or (ii) monitor their behaviour that takes place in the EU; and
  • data controllers not established in the EU but where the national law of an EU member state applies because of international law.

In addition to the GDPR, the French Data Protection Act shall apply to the automatic as well as to the non-automatic processing of personal data that are or may be contained in a personal data filing system, with the exception of processing carried out for the exercise of exclusively private activities.

As regards the territorial scope, the French Data Protection Act is applicable:

  • when the personal data processing is carried out as part of the activities of an establishment of a data controller or a data processor on French territory, regardless of whether the data processing takes place in France; and
  • in circumstances where the GDPR refers to national law to adapt or complete the rights and obligations of the GDPR, when the data subject lives in France, including when the data controller is not established in France.


5. What are the principal requirements under data protection laws that are relevant in the context of investigations?

France

The GDPR provides a number of obligations with which compliance is required, whether in the context of investigations or not.

When processing personal data, the controller must consider the following key principles:

  • informing the data subjects about how their personal data is being used (transparency);
  • establishing the appropriate legal basis for the processing of personal data (lawful basis);
  • ensuring that the use of personal data is proportionate and limited to what is necessary in relation to the specified, explicit and legitimate purposes of the investigation (purpose limitation and data minimisation); 
  • processing data that is accurate and, where necessary, kept up to date (accuracy);
  • keeping data for no longer than is necessary for the purposes of the investigation (storage limitation);
  • processing data in a manner that ensures appropriate security of the data (integrity and confidentiality); and
  • being able to demonstrate compliance with its obligations under the GDPR, notably by maintaining a record of processing activities (accountability).

Additionally, the controller must:

  • if relevant, determine whether the processing covers a “special category” of personal data (ie, sensitive personal data that may require taking additional measures), as such processing is generally prohibited unless in the case of the exemptions listed under article 9 of the GDPR;
  • if personal data is transferred to a third party, ensure such transfers are governed by an agreement that includes all the requirements set forth in article 28 of the GDPR; and
  • if personal data is transferred to a third country outside the European Economic Area (EEA), ensure the third country offers an adequate level of protection as per article 45 of the GDPR or otherwise implement appropriate safeguards as described under article 46 of the GDPR (eg, standard contractual clauses).

Regarding the requirement for the controller to establish a lawful basis for the processing in case of an investigation, two legal bases may presumably be invoked: the processing is necessary, (i) to comply with a legal obligation to which the controller is subject or, (ii) for the purposes of the legitimate interests pursued by the controller or a third party.

In the event data controllers are asked to answer requests by authorities because they are required to do so by law, they must ensure they still fully comply with GDPR requirements. In this case, the ‘legal obligation’ basis for processing personal data may be relevant when providing data to authorities. However, such disclosure should only occur to the extent necessary to comply with the legal obligation, and can only be established where a clear and binding legal obligation exists, under EU law or French law.

Further, in the specific case of investigations led by authorities, article 23 of the GDPR allows member states to derogate from the obligation of transparency and from data subject rights where this is needed for the purposes of an investigation of criminal offences or breaches of ethics in regulated professions. EU law or a member state law allowing authorities to have access to personal data must provide specific provisions to this effect. In particular, it must set out, among other elements, the purposes of the processing, the scope of the restrictions to the GDPR introduced by the measure, the safeguards introduced to prevent abuse, unlawful access or transfer, and the controllers who may rely on the restrictions.


6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.

France

The data protection requirements applicable to the different parties involved in an investigation will depend on their role under the GDPR (ie, whether they qualify as controller or processor). Where several controllers are involved, it should be verified whether they qualify as joint controllers.

Under the GDPR, the role of the parties involved in the processing must be assessed using a fact-based analysis and cannot be determined, for instance, based on contractual provisions.

In principle, the organisation in the interest of which the investigation is carried out presumably qualifies as the controller (ie, the party that determines the purposes and means of the processing). A third party assisting with the furtherance of the investigation may either qualify as a controller or a processor depending on the level of influence that it exerts on the means and purposes of the processing.

Data protection requirements applicable to the data controller

A company carrying out an internal investigation must comply with the following requirements:

General GDPR requirements

A company carrying out an internal investigation must comply with the general principles of data processing such as lawfulness, fairness and transparency, purpose limitation and data minimisation, and it should attentively assess whether the processing is limited and necessary, adequate and relevant.

The company must also, as data controller, comply with the related obligations, ie, providing proper information to data subjects in accordance with articles 13 and/or 14 of the GDPR, conducting a data protection impact assessment where necessary, establishing appropriate records of processing activities, ensuring compliance with the data protection by design and by default principles and setting up appropriate technical and organisational measures.

Establishing a lawful basis for data processing

A company may carry out an internal investigation and therefore process personal data if it can establish that the investigation is based on a lawful basis. As required under article 6 of the GDPR, data processing can lawfully occur if it is based on one of the following legal bases: (i) consent of the data subject; (ii) performance of a contract; (iii) compliance with a legal obligation; (iv) protecting the vital interests of the subject; (v) performance of a public task; and (vi) pursuance of legitimate interests.

The appropriate legal basis may vary depending on the objective of the investigation, the categories of data subjects affected and the nature of the data at stake. For instance, the company could likely base such processing on the existence of a legal obligation or the pursuance of legitimate interests. It is unlikely that consent would be a valid ground as requiring consent in the employment context would create an imbalance between the employee and the employer.

Further, if the internal investigation also concerns special categories of personal data (eg, health data, race, political opinions), additional curtailments apply, as a company may only process sensitive data if it can rely, along with the appropriate legal basis, on one of the exemptions provided for by article 9(2) of the GDPR. For example, a company may process sensitive data to the extent necessary for the establishment, exercise or defence of legal claims.

Accountability

In undertaking the internal investigation, the company must make sure to comply, at all stages, with the accountability principle and be able to prove that the internal investigation was performed in compliance with the GDPR requirements. The company must comprehensively document the legal considerations and technical and organisational safeguards implemented for conducting the investigation.

Privacy impact assessment

Where the processing is likely to result in a high risk to the rights and freedoms of natural persons, the controller must carry out a data protection impact assessment in accordance with article 35 of the GDPR. The guidance of the European Data Protection Board provides for factors to take into account when determining whether there is such high-risk processing. The controller must notably carry out a data protection impact assessment if the investigation involves the monitoring of employees.

The CNIL sets out in particular that processing carried out in the context of an internal whistleblowing process requires a privacy impact assessment.

Compliance with French labour law

The investigation must respect the right to privacy at work. If the processing of personal data in the context of the investigation qualifies as monitoring of employees (eg, CCTV, use of access badges, monitoring the use of IT devices, recording of telephone conversations), the employer must comply with (i) article L1121-1 of the French labour code, which provides that the surveillance of employees must be justified by the nature of the task to be performed and proportionate to the aim pursued and, (ii) article L2312-38 of the French labour code, which requires notifying and consulting with employee representatives (Comité économique et social).

Requirements applicable to an assisting third party

In the event a third party assists a company in conducting an internal investigation (ie, if personal data is transferred to a third party outside the company in furtherance of the investigation), the third party must also comply with the requirements of the GDPR.

If the third party is an external provider acting as a processor on behalf of and under the instructions of the company (ie, the controller), the personal data may be shared provided the parties have entered into a data processing agreement or other legal act under EU law or member state law, which reflects the requirements of the GDPR (article 28). Such agreement must set out, among other information, the subject matter, duration, nature and purpose of the processing, as well as the type of personal data and categories of data subjects concerned, the rights of the controller and certain specific contractual obligations.

If the third party is acting as a controller, the company must carefully assess whether and on what basis the personal data can be shared, as well as the appropriate safeguards that have to be implemented. Additionally, if the transfer of personal data involves an international transfer to a third country outside the EEA, the parties must take measures to ensure an adequate level of protection exists in the third country as per article 45 of the GDPR, or otherwise implement appropriate safeguards as provided under article 46 of the GDPR (eg, standard contractual clauses).


RIGHTS OF INDIVIDUALS

7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?

France

The consent of the data subject is one legal basis for the processing of personal data under the GDPR. Data subject consent is therefore not mandatory for the processing of personal data, but consent must be obtained if no other legal basis exists.


8. If not mandatory, should consent still be considered when planning and carrying out an investigation?

France

Consent may be considered as an enabling action when planning an investigation. However, obtaining consent to the processing of personal data can be practically challenging, and proceeding with processing personal data solely in reliance on this ground is rarely appropriate. One reason is that consent must be capable of being withdrawn at any time (a right that it is not possible to contract out of), which would be difficult to manage in the context of an investigation.


9. Is consent given by employees likely to be valid in an investigation carried out by their employer?

France

In the vast majority of processing operations carried out in the workplace, the employee’s consent cannot serve as a legal basis for the processing carried out as it is not freely given because of the inherent imbalance between the parties resulting from the subordination relationship between the employee and the employer.

Therefore, in most cases, the employer will likely not be able to rely on the employee’s consent to use their data, including in investigations carried out by employers.

However, this may be different where the processing grants a legal or economic advantage to the employee, where both the employee and the employer have similar interests in the processing operations, or where it is in the interest of the wider community (eg, attempting to prevent criminal activities or fraud, upholding legal duties, etc). In these situations, consent may not be required, as the processing would be based on legitimate interest rather than consent. The employer should carry out and document a balancing assessment of the interests at stake if processing is performed on this ground. 


10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?

France

There is no prescribed form for consent. However, it must meet four cumulative criteria to be considered validly given. As such, consent must be:

  • free – ie, not coerced or influenced. The data subject must be offered a real choice, without having to suffer negative consequences in the event of refusal;
  • specific – ie, corresponding to a single processing operation, for a specific purpose;
  • informed – ie, accompanied by a certain amount of information communicated to the data subject before they consent, including:
    • the identity of the controller;
    • the purposes for which the data are being processed;
    • the categories of data collected;
    • the existence of a right to withdraw consent, which must be as easy to exercise as it is to give consent; and, depending on the case,
    • the fact that the data will be used for automated individual decisions or that it will be transferred to a third country outside the EEA; and
  • unambiguous – ie, given by a statement or other clear positive act.

In the case of sensitive data, where consent is relied upon to provide a legal basis under article 9 of the GDPR, it must also be explicit. A controller may therefore wish to obtain consent by means of an additional formality to demonstrate “explicit” consent.

Whether consent given in advance, such as through general terms and conditions or account opening information, is sufficient for the purposes of the GDPR will depend, among other things, on the balance of power between the controller and data subject. Consent is not freely given (and is therefore invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties. Consent included within an employment contract, or obtained generally by an employer from an employee, is unlikely to be valid in the context of an investigation.

Written requests for consent must be clearly distinguishable from other matters, be intelligible, be easily accessible and use clear and plain language. This means that consent should not be hidden among other terms and conditions. In any event, there is a risk that a generic consent provided through general terms and conditions is not specific and informed, and so not validly given by the data subject. Similarly, pre-checked or pre-activated boxes, or inaction from the data subject are not valid methods for obtaining consent.


11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

France

Under chapter 3 of the GDPR, data subjects have the following rights regarding their data.

Right of access

A data subject has a right to request information regarding whether their personal data is being processed, which is known as a “data subject access request”. The information that can be requested includes a description of the data, the purpose for which it is being processed and to whom it may be disclosed. The controller must also provide a copy of the personal data to the data subject when requested to do so by the concerned data subject.

A controller is not required to provide personal data in response to a “manifestly unfounded or excessive” request from a data subject (article 12(5) of the GDPR). When relying on this exemption, a controller should retain evidence to demonstrate why it considers the request to be unfounded or excessive. If a controller refuses to act on a request, it must also inform the data subjects of the reason why, and of the fact that they have a right to lodge a complaint before the relevant supervisory authority and enforce their rights through judicial remedy.

As regards the workplace, the French supervisory authority (the CNIL) has issued guidelines on the right of employees to access their data and professional emails, noting that the principles of data protection under the applicable regulation apply to all personal data collected by an organisation and that, even in a professional context, an employee can therefore exercise their right of access with their employer.

The CNIL establishes that the organisation may request certain information to verify the identity of the requesting subject in case it has grounds to doubt it – without, however, asking for documentation that would be disproportionate or abusive with regard to the request. Generally speaking, the CNIL considers that an employee’s internal professional identifier should be sufficient for such verification.

The organisation must grant these requests free of charge, except for certain exceptional situations where reasonable file-processing fees may be charged (eg, request of additional copies). 

Finally, the CNIL notes that this right of access must not infringe the rights of others. When an employee requests access to their professional emails, employers will have to distinguish between two situations:

  • if the requesting employee is the sender or recipient of the emails, it can be presumed that transmission is compliant and does not infringe on the rights of others; and
  • if the requesting employee is merely mentioned in the emails, employers will have to strike a balance between granting the right of access and respecting the rights of others on a case-by-case basis. Redacting third-party personal data could be an option in such situations. 

Right to rectification

Data subjects have the right to request rectification of any personal data relating to them that is inaccurate and also that the controller complete any incomplete data, including by way of a supplementary statement. As per article 5(c) of the GDPR, the controller has an obligation to ensure the data is accurate and, where necessary, kept up to date.

Right to erasure

Data subjects have the right to obtain the erasure of their personal data from the controller without undue delay if one of the grounds specified under article 17 of the GDPR applies. This includes situations in which the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data subject has withdrawn consent (and there is no other legal ground for the processing).

Right to object

When processing is based on (i) the performance of a task carried out in the public interest or, (ii) the pursuance of legitimate interests by the data controller or a third party, data subjects have a right to object to the processing of personal data concerning them at any time, on grounds relating to their particular situation. A controller must adhere to this objection unless it can demonstrate a legitimate basis for the processing that overrides the interests of the data subject, or if the processing is necessary within legal proceedings.

Right to restriction of processing

Data subjects also have a right to obtain a restriction of processing from the controller where they believe the relevant personal data are inaccurate, the processing is unlawful or the controller no longer needs the data for the purposes of the processing. If the latter is the case, the concerned data subject can require the controller to limit the processing to what is required in the context of legal proceedings.


EXTRACTION, LEGAL REVIEW AND ANALYSIS BY THIRD PARTIES, INTERNATIONAL TRANSFER

12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?

France

Organisations sometimes rely on third parties to assist with investigations, who need to have access to personal data to be able to perform their mission.

In this event, where they are established in the EU or process EU data subjects’ personal data, third parties usually qualify as data processors when they act on behalf and under the authority of the organisations acting as data controllers. In that respect, they must enter into a data processing agreement or other legal act under EU law or member state law, setting out each party’s obligations in order to comply with the requirements of the GDPR.

The contract entered into between the data processor and controller shall provide for the following:

  • a written list of the controller’s instructions bearing on the processing of its data, to demonstrate that the processing occurs only “on documented instructions from the controller”;
  • written authorisation from the controller if the processor is to engage a sub-processor;
  • providing the controller with all necessary information for demonstrating compliance with the processor’s obligations and for enabling the performance of audits;
  • a maintained record of the processing carried out on behalf of the controller;
  • providing the controller with the necessary guarantees that the processing carried out meets the requirements of the GDPR;
  • a guarantee of the security of the processed data (eg, notifying the controller of any breach of its data, implementing appropriate organisational and technical measures, etc);
  • informing the controller if the processor is of the opinion that an instruction from the controller infringes the rules governing data protection;
  • assisting the controller, to the extent possible, in responding to requests from data subjects exercising their rights; and
  • assisting the controller in guaranteeing compliance with the obligations regarding security of processing, notification of a data breach and impact assessment concerning data protection.

If the processor engages a sub-processor, article 28 of the GDPR provides that they must also enter into a contract, which must reflect the same data protection obligations as set out in the contract between the controller and the processor.

If processors are located outside the European Economic Area (EEA), the parties will have to ensure compliance with the applicable provisions regarding the international transfer of personal data (ie, adequacy of the third country or appropriate safeguards). 


13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?

France

A transfer of personal data to a third-party law firm for the purposes of providing legal advice needs to be analysed in the same way as any other transfer of personal data, and so must be carried out in compliance with the GDPR and the principles relating to the processing of personal data.

Data protection laws do not provide restrictions on individuals sharing data with law firms to obtain legal advice. Therefore, clients are allowed to share personal data that is relevant to a particular matter or representation with their lawyer, insofar as they ensure that this data transfer complies with general GDPR requirements such as the principle of data minimisation, whereby no more data must be shared than those necessary in relation to the pursued purpose.

Moreover, the data subject must be informed of such processing in accordance with articles 13 and 14 of the GDPR (depending on whether the data was obtained directly from the data subject or not).

Finally, if the law firm is established outside the EEA, the controller must ensure that the destination country is the subject of an adequacy decision under article 45 of the GDPR or that the transfer is otherwise protected by appropriate safeguards as described in article 46 of the GDPR.


14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?

France

Law firms collect, store and use personal data about their clients or about individuals who work within their clients’ organisations. More particularly, law firms typically collect different kinds of personal data for various reasons, which can be (i) employee data; (ii) data about prospects and about current clients; (iii) data from third parties that may be relevant to representation; and (iv) data received from clients themselves in the context of representation.

The Article 29 Working Party has taken the position that lawyers act as data controllers, given the level of independence their role requires in determining the purposes and means of processing. Similarly, the French supervisory authority (the CNIL) considers that, in the context of the management of litigation cases, lawyers act as data controllers (ie, they act independently in the exercise of their missions and implement the processing of personal data accordingly). Law firms also act as data controllers when entering into agreements with processors who process data on their behalf (eg, accountants, software publishers, hosting providers, etc).

Consequently, the law firm and its client will be considered independently responsible for complying with the applicable regulation regarding data protection. Law firms must therefore comply with all GDPR requirements that apply to data controllers (see questions 5 and 6 above).


15. What is the position and status of legal process outsourcing firms under data protection laws?

France

The qualification of a party as either controller or processor depends on a fact-based analysis of the situation, in particular to assess if the party factually determines the purposes and means of the processing of personal data as provided under article 4(7) of the GDPR.

Legal process outsourcing firms are generally characterised as data processors, because they act only on the specific instructions, and under the control, of the law firms that engage them, the law firms being in the position of data controllers.


16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

France

There are no additional requirements, beyond those specified above, that regulate the disclosure of data to third parties in France.


17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

France

The GDPR distinguishes between transfers to other jurisdictions within the EEA and transfers of data to jurisdictions outside the EEA.

Within the EEA

A transfer of personal data from France to a processor or controller in another EEA member state must comply with the same requirements as if the transfer was made within French territory.

Outside the EEA

Personal data subject to the GDPR may be transferred to a country or territory outside the EEA without further authorisation only where that third country or territory is the subject of an adequacy decision by the European Commission, as provided by article 45 of the GDPR. Failing that, the transfer must be covered by appropriate safeguards or by one of the derogations described below.

At the time of writing, the European Commission deems the following countries as providing an adequate level of personal data protection: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom and Uruguay.

In the absence of such an adequacy decision, the controller acting as transferor may ensure an adequate level of protection through the appropriate safeguards provided for in article 46 of the GDPR, such as:

  • entering into standard contractual clauses (SCCs) approved by the European Commission; or  
  • adopting binding corporate rules (BCRs) for transfers within the same group.

In the Schrems II judgment dated 16 July 2020, the Court of Justice of the European Union confirmed that standard contractual clauses remain a valid transfer tool, but held that, because they bind only the contracting parties and not the authorities of the third country, they may only be relied on where the protection they provide is not undermined by the law and practice of the destination country in the particular circumstances of the transfer. This means that controllers exporting personal data and looking to rely on standard contractual clauses approved by the European Commission must assess on a case-by-case basis whether additional safeguards (supplementary measures) are needed to remedy any identified deficiency and ensure an essentially equivalent level of data protection.

Accordingly, on 4 June 2021 the European Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA to controllers or processors established outside the EU/EEA. These new standard contractual clauses replace those adopted in 2001, 2004 and 2010 under the Data Protection Directive 95/46/EC (contracts concluded under the old clauses had to be migrated to the new ones by 27 December 2022) and include different modules that the parties select and complete depending on the circumstances of the transfer (controller-to-controller; controller-to-processor; processor-to-processor; and processor-to-controller).

Further, in light of the Schrems II decision, companies transferring personal data outside the EU must now, when implementing an international data transfer mechanism:

  • evaluate the third-country legislation to which the personal data will be transferred; and
  • if necessary, implement supplementary measures to ensure an adequate level of personal data protection in the third country.

The European Data Protection Board (EDPB) has published recommendations on measures that supplement transfer tools, including standard contractual clauses (Recommendations 01/2020, listed in the relevant materials below).

Otherwise, article 49(1) of the GDPR provides that data can be transferred if one of the following derogations, among others, applies:

  • the data subject has consented to the transfer (as noted above, consent should be explicit as well as freely given, specific, informed and unambiguous);  
  • the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request;  
  • the transfer is necessary for the conclusion of a contract between the controller and a person other than the data subject, which is entered into in the data subject’s interests;  
  • the transfer is necessary for important reasons of public interest;  
  • the transfer is necessary for the establishment, exercise or defence of legal claims; or  
  • the transfer is necessary to protect the vital interests of the data subject.

Where none of the above mechanisms is available, a transfer to a third country may still take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the controller (which are not overridden by the interests or rights and freedoms of the data subject), and the controller has assessed all the circumstances surrounding the transfer and has, on the basis of that assessment, provided suitable safeguards for the protection of the personal data. This ground for transfer may only be relied on where no other legal basis is available. The controller must inform the supervisory authority of the transfer and, in addition to providing the information required under articles 13 and 14 of the GDPR, must inform the data subject of the transfer and of the compelling legitimate interests pursued. As such, this derogation is unlikely to be of practical application in the context of an investigation.

It should be noted that the above derogations pursuant to article 49(1) are construed restrictively by supervisory authorities, and the EDPB states in this regard that “data exporters should first endeavor possibilities to frame the transfer with one of the mechanisms included in Articles 45 and 46 GDPR, and only in their absence use the derogations provided in Article 49 (1).”


18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?

France

Yes. Article 49 of the GDPR sets out a list of derogations under which international transfers of personal data can occur. It notably includes situations where transfers are necessary for important reasons of public interest (article 49(1)(d)) and where transfers are necessary for the establishment, exercise or defence of legal claims (article 49(1)(e)), both of which provide grounds for international transfers of personal data in connection with investigations.

The EDPB guidelines on the derogations of article 49 of the GDPR underline that the public interest derogation applies only where it can also be inferred from EU law, or from the law of the member state to which the controller is subject, that the data transfers in question are authorised for public interest purposes, “in the spirit of reciprocity of international cooperation”. As such, an international agreement or convention binding the EU or a member state that provides for international cooperation to promote a certain objective can indicate the existence of a public interest justifying a transfer of personal data to a third country. The organisation transferring or receiving the data can be public, private or an international organisation.

With regard to the legal claims derogation, the same guidelines provide that international transfers can be made only where they are occasional and necessary for the purpose of the relevant activity, for example a criminal or administrative investigation in a third country, formal pretrial discovery procedures in civil litigation, or obtaining a legally provided-for waiver of a fine (eg, in antitrust investigations). This derogation can also apply to activities carried out by public authorities. In any event, the international data transfer in question must be closely linked to a specific procedure or investigation, and controllers and processors must take into account any “blocking statute” (in France, Law No. 68-678 of 26 July 1968) forbidding or restricting the transfer of data to a third country.


TRANSFER TO REGULATORS OR ENFORCEMENT AUTHORITIES

19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

France

The transfer of personal data to regulators and enforcement authorities within the jurisdiction must comply with the GDPR in the same way as any other processing. In particular, a legal basis must be established under article 6 of the GDPR. 


20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

France

The provisions that apply to cross-border data transfers generally also apply to the transfer of data to regulators and law enforcement authorities outside the jurisdiction.

Any disclosure of personal data to an overseas regulator or law enforcement authority would require compliance with the principles of the GDPR in the same way as any other processing, including that the processing must be fair and transparent. In particular, the controller must establish a legal basis under article 6 of the GDPR and observe prohibitions on cross-border transfers of personal data.

A transfer of personal data to an overseas regulator or law enforcement authority may breach the transparency principle where the transfer is not a purpose about which the data subjects were sufficiently informed when their data was collected. Recital 62 of the GDPR sets out exemptions from the obligation to provide a privacy notice where informing the data subject proves impossible or would involve disproportionate effort on the part of the controller, but these exemptions are interpreted narrowly.

The cross-border transfer of personal data additionally requires a legal basis for the processing and appropriate safeguards for the transfer. There is no clear exemption or derogation from the lawfulness, fairness and transparency principle, from the requirement for a legal basis for processing, or from the restrictions on cross-border transfers that will routinely cover requests for data by a foreign regulator or law enforcement authority.

The transfer may lack a legal basis, depending on the circumstances of the processing. The possible legal bases that a controller may rely on in this context include:

  • the consent of each affected data subject to the disclosure and transfer. However, as noted above, this can be problematic to obtain, as consent can be withdrawn at any time and (in the case of sensitive data) consent must be explicit;
  • that the processing is necessary for the establishment, exercise or defence of legal claims, depending on the circumstances;
  • that the processing is in the legitimate interests of the controller; or
  • that the processing is necessary for the performance of a task carried out in the public interest.

The restriction on cross-border transfers provides that personal data may not be transferred to a country outside the EEA that does not provide an adequate level of protection unless appropriate safeguards for the personal data are in place or a derogation applies. Article 49 of the GDPR provides for derogations from the requirement for an adequacy decision or the implementation of safeguards in certain circumstances, including where the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims.

Article 48 of the GDPR provides that, without prejudice to other grounds for international transfers, a decision from a third-country authority, court or tribunal does not in itself justify the transfer of personal data to a non-EEA country. This is the case unless the transfer is based on an international agreement, such as a mutual legal assistance treaty. The European Data Protection Board guidelines state, in relation to article 48: “In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement.”


21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

France

The recipient of such a request may consider taking the following steps, among others:

  • consider if there is a legal obligation to respond to the request and, if so, to what extent;  
  • seek further information in writing from the requesting regulator to evaluate the purpose of the request;  
  • if possible, negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation;  
  • in accordance with principles of data minimisation and anonymisation, limit the scope of any data disclosed and transferred to that necessary for the purpose;  
  • consider whether it is practicable to obtain data subject consent and/or give a further privacy notice;
  • put in place a data processing agreement if data will be transferred to an affiliate or third party (acting as a processor); and
  • consider whether the transfer can be routed through an MLAT: in some cases, it may be possible to ask the requesting court or regulator to make its request for the data via an MLAT or other international agreement.


ENFORCEMENT AND SANCTIONS

22. What are the sanctions and penalties for non-compliance with data protection laws?

France

Administrative fine

There is a tiered approach to penalties for breaches of the GDPR. This permits data protection authorities to impose fines for some infringements of up to the higher of 4 per cent of annual worldwide turnover and €20 million (e.g., for breach of requirements relating to cross-border transfers or the principles for processing, such as conditions for consent). Other specified infringements attract a fine of up to the higher of 2 per cent of annual worldwide turnover and €10 million.

The GDPR contains a list of factors to consider when imposing fines, such as the nature, gravity and duration of the infringement. The amount of the fine will also depend in particular on the degree of cooperation with the supervisory authority in remedying the infringement and on the commitments made to mitigate its possible adverse effects.

Other material sanctions

Where an inspection reveals infringements of the applicable data protection regulation, the CNIL may also issue (i) a warning; (ii) a formal order to comply with the applicable regulation; (iii) a temporary or definitive restriction on processing; (iv) a suspension of data transfers; and (v) an order to fulfil the requests of a data subject exercising his or her rights.

In addition, each of the above sanctions can be made public and would therefore cause reputational damage.

Criminal sanctions: infringements of the French data protection legislation may also attract criminal sanctions (ie, up to five years' imprisonment and a fine of up to €300,000 for a natural person; for a legal entity the fine is multiplied by five, to €1.5 million). In practice, criminal sanctions are rather theoretical: to our best knowledge, there have been very few criminal proceedings based on the French data protection legislation.

Group action: a group action may be brought before a civil court or the competent administrative court, under certain conditions, to (i) put an end to a breach, (ii) engage the liability of the company that caused the damage in order to obtain compensation for the material and moral damage suffered, or (iii) both.

Civil claim

A data subject who suffers material or non-material damage as a result of a breach of the GDPR by a controller may bring a civil claim for compensation.


RELEVANT MATERIALS

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

France

EU General Data Protection Regulation (2016/679)

Law No. 78-17 dated 6 January 1978 on information technology, data files and civil liberties (the French Data Protection Act), as amended

EDPB guidelines 2/2018 on derogations of article 49 under Regulation 2016/679

EDPB recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data

Article 29 Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

CNIL guidance on the right of employees to access their data and professional emails

CNIL standard (“Référentiel”) on data processing relating to whistleblowing systems
