Francoise Gilbert
A “Deliberation” of the CNIL (French Data Protection Authority) published in the February 16, 2011 Official Journal of the Republic of France as “Deliberation No. 2011-023” should ease the burden on companies that have no operations in France but engage France-based subcontractors (or cloud service providers) to process their data on French territory. This is the case, for example, for US-based companies that hire French service providers to process their payroll or manage databases of client information, where the individuals concerned (employees or customers) are located outside of France.
Under the French Data Protection law, companies that intend to process personal data on French territory must file with the French Data Protection Authority a “declaration” (i.e. notification) regarding their proposed processing of these data. In some cases, a company must obtain preliminary authorization to perform this processing. This obligation creates a significant burden for companies that are otherwise not established in France and have no physical presence on French territory.
Under the Deliberation published on February 16, 2011, certain categories of data will be exempt from the requirement to file a “declaration” or request an authorization. The exemption applies specifically to three categories of activities: (i) processing of payroll; (ii) management of workforce; and (iii) management of databases of clients and prospects.
Only specific data and specific activities are exempt. The exemption covers only specific categories of personal data that are collected outside of France and that are used for the purposes above. The exemption applies only when data are returned to the data controller or to another specified recipient, and the transfer to these third parties is for the benefit of the data subject and in connection with the purposes listed above (payroll, workforce management, etc.).
The exemption is very narrow and very limited. Only the requirement for declaration or request for authorization is lifted. The remaining obligations still apply. In particular, the Deliberation stresses that there must be a written agreement between the foreign data controller and the France-based data processor to ensure the security and confidentiality of the data, and to require the processor not to use the data other than as requested by the data controller.
Click here for the text of the Deliberation as published in the Journal Officiel (pdf).