Getting The Deal Through logo
Getting The Deal Through

    Expand All / Collapse All

  • 1.

    Legislative framework
    Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

  • 2.

    Data protection authority
    Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

  • 3.

    Legal obligations of data protection authority
    Are there legal obligations on the data protection authority to cooperate with data protection authorities, or is there a mechanism to resolve different approaches?

  • 4.

    Breaches of data protection
    Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

  • 5.

    Exempt sectors and institutions
    Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

  • 6.

    Communications, marketing and surveillance laws
    Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

  • 7.

    Other laws
    Identify any further laws or regulations that provide specific data protection rules for related areas.

  • 8.

    PII formats
    What forms of PII are covered by the law?

  • 9.

    Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

  • 10.

    Covered uses of PII
    Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

  • 11.

    Legitimate processing - grounds
    Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

  • 12.

    Legitimate processing - types of PII
    Does the law impose more stringent rules for specific types of PII?

  • 13.

    Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

  • 14.

    Exemption from notification
    When is notice not required?

  • 15.

    Control of use
    Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

  • 16.

    Data accuracy
    Does the law impose standards in relation to the quality, currency and accuracy of PII?

  • 17.

    Amount and duration of data holding
    Does the law restrict the amount of PII that may be held or the length of time it may be held?

  • 18.

    Finality principle
    Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

  • 19.

    Use for new purposes
    If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

  • 20.

    Security obligations
    What security obligations are imposed on PII owners and service providers that process PII on their behalf?

  • 21.

    Notification of data breach
    Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

  • 22.

    Data protection officer
    Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

  • 23.

    Record keeping
    Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

  • 24.

    New processing regulations
    Are there any obligations in relation to new processing operations?

  • 25.

    Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

  • 26.

    What are the formalities for registration?

  • 27.

    What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

  • 28.

    Refusal of registration
    On what grounds may the supervisory authority refuse to allow an entry on the register?

  • 29.

    Public access
    Is the register publicly available? How can it be accessed?

  • 30.

    Effect of registration
    Does an entry on the register have any specific legal effect?

  • 31.

    Other transparency duties
    Are there any other public transparency duties?

  • 32.

    Transfer of PII
    How does the law regulate the transfer of PII to entities that provide outsourced processing services?

  • 33.

    Restrictions on disclosure
    Describe any specific restrictions on the disclosure of PII to other recipients.

  • 34.

    Cross-border transfer
    Is the transfer of PII outside the jurisdiction restricted?

  • 35.

    Notification of cross-border transfer
    Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

  • 36.

    Further transfer
    If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

  • 37.

    Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

  • 38.

    Other rights
    Do individuals have other substantive rights?

  • 39.

    Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

  • 40.

    Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

  • 41.

    Further exemptions and restrictions
    Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

  • 42.

    Judicial review
    Can PII owners appeal against orders of the supervisory authority to the courts?

  • 43.

    Internet use
    Describe any rules on the use of ‘cookies’ or equivalent technology.

  • 44.

    Electronic communications marketing
    Describe any rules on marketing by email, fax or telephone.

  • 45.

    Cloud services
    Describe any rules or regulator guidance on the use of cloud computing services.

  • Updates and trends

View profile

Aramis is a French full-service law firm located in Paris, composed of eight partners and their respective teams. Most of the lawyers have been trained by the most famous international firms and they are all able to work both in French and in English (and also in German or Italian, for some of them).

View more information about Aramis

9 rue Scribe
T: +33 1 53 30 77 00
F: +33 1 53 30 77 01


Briefing Signup

Sent approximately once a month, the free GTDT Briefing service alerts you of the latest titles to be published on GTDT Online.

Sign up to be notified of new content


Follow Getting the Deal Through for the latest updates on law and regulation worldwide

Follow us on LinkedIn