Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

CNIL Simplifies Formalities for Non-EU Companies Using Data processors in France

In a decision published on 2 March 2011, the French data protection authority (the “CNIL”)  announced a simplification of the formalities regarding data processing in France done on behalf of non-EU entities.

Under French data protection law, the general rule is that a data controller processing personal data in France is required to either file a notification or obtain an authorization from the CNIL prior to the implementation of the processing. Such obligations apply not only to French entities or entities having local presence in France but also to entities located outside the EU but which use “processing means” (such as servers, third party service providers, etc.) on the French territory.

In order to comply with this requirement, foreign entities wishing to use the services of French companies to process their personal data in France are required to appoint a representative in France which acts as their local point of contact with the CNIL and completes the required formalities on their behalf.

In consideration of the development of such services in the fields of human resources or client and prospect management, the CNIL, using its regulatory powers for data protection formalities in France, has decided to exempt non-EU companies using service providers located in France to process their human resources and/or their client and prospects data from the completion of formalities. In such cases, the appointment of a local representative is therefore no longer required either.

Finally, it should also be noted that this exemption from formalities also applies to the “return transfer” of data from the French service provider to the non-EU based data controller. While international transfers of data from France to a jurisdiction not regarded as providing an adequate level of protection to personal data generally are subject to prior authorization from the CNIL, the exemption expressly indicates that such “return transfers” would be justified and dispensed from prior authorization on the basis of the “performance of an agreement” exceptions provided for in sections 69 (5°) and 69 (6°) of the French law, which implement into French law the provisions of sections 21(5) and 21(6) of the 1995 European Directive on data protection.

The full text of this exemption (exemption #15) can be found here (in French).