< Back

Share |

Subject access rights and their use in France

November 2013

In Brief

The access right, as set out in section 39 of the French Data Protection Act (Act), is the right for an individual to ask whether an organisation holds and/or processes personal data relating to the individual and if so, enables the individual to obtain a copy of such personal data.

An individual may request the following information:

  • a description of the personal data being processed;
  • the reasons for the processing of such personal data; and
  • the source and recipients of the data, and whether there is a transfer of that data outside the EU.

LaptopThe access right enables individuals to check the accuracy of the data collected by the organisation and, if necessary, allows an individual to have their data corrected, completed or deleted.

A subject access request (SAR) can be made in writing or ‘on site’ at the premises of the organisation collecting the individual's personal data. In addition, no fee can be charged for submitting a subject access request other than the cost of copying the data.

Methods for requesting access

There are two methods by which an individual can make a SAR. One method would be for an individual to make a request in writing. In order for a written request to be valid, it must be sent by mail (a registered letter is recommended) to the organisation and addressed to the department in charge of  SARs if any. The individual must sign the request and attach a copy of his or her identification card. The request letter must also specify the address where the response can be sent. Interactive template forms are available on the CNIL’s website that can be filled in online and printed by the individual.

A second method would be for the individual to make an 'on site' request at the organisation’s premises. Should an individual decide to follow this method, they must provide identification on arrival at the premises. The individual must be allowed to view and receive a copy of its personal data and all information requested. However, when such a request cannot be met straight away, a paper acknowledgement of the visit must be provided to the individual.

In addition to the above direct access right, the Act also provides a specific procedure for individuals to access certain ‘sensitive’ data, such as data regarding national security, defence, taxation and criminal records. If such a request is made, the access right will be granted by the CNIL itself.

Enforcing the right of subject access: the key role of the CNIL

When a SAR is not satisfied, it is possible to report the organisation to the CNIL and obtain guidance.

The CNIL can take action against the organisation in the following cases:

  • where the organisation failed to respond to a written request within two months from the receipt of the request;
  • where the organisation declined the individual’s right to access ‘on site’; or
  • where the information provided in response to a request was incomplete.

Euro noteThe CNIL has a statutory power to impose a financial penalty on an organisation if it is satisfied that the organisation has committed a serious breach of the Act.  For instance, in June 2011 the French company EQUIPEMENTS NORD PICARDIE was given a €10,000 fine by the CNIL for not enabling an employee to access and obtain a copy of geo-location data of the car he was using for professional purposes. This is just one example highlighting the CNIL's position in supporting access rights for employees in relation to data collected by employers.

The data subject may also file a complaint before a criminal court in order to obtain indemnification or may apply for a court order requiring the organisation to comply with a request when it is a matter of urgency.

Restrictions to the subject access right

The Act does not limit the number of SARs an individual can make to any organisation, however, an organisation is not required to respond to requests that are obviously unreasonable. Despite not being required to provide information to the data subject, organisations should note that if a matter is brought before the courts, the organisation would have to demonstrate why the request was unreasonable.

To conclude

The Act provides a powerful tool for individuals to safeguard their personal data by way of SARs. This can be implemented effectively particularly in the case of employer-employee relationships. However, in practice, only 30% of respondents provide a response which is compliant with the Act's requirements.  With so few compliant responses, it is hardly surprising that over 6000 complaints were filed with the CNIL in  relation to subject access rights in 2012.

Check listBusinesses should adopt a proactive approach when dealing with SARs by ensuring that practical measures are in place to comply with the Act's requirements. This could involve checklists or guidelines for customer relations teams to follow in order to ensure that the correct level of information is being provided to the individual making the SAR. This would reduce the risk of a complaint to the CNIL and enable businesses to avoid expensive fines and associated bad publicity.  

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.

France flag
Diane Carpentier

Diane
Carpentier
   

Myriam Bouchrara

Myriam
Bouchrara      





Diane and Myriam look at the role of subject access rights under the French Data Protection law and the use of access rights in France.

"The number of complaints filed with the CNIL in relation to subject access rights increased to 6,017 in 2012."