Lexicon > Data Protection Act

IT Glossary

Data Protection Act

The law n°78-17 of January 6, 1978 relating to data processing, files and freedoms, known as the “data processing and freedoms law” is the reference text regulating the protection of personal data in France.

The law on data processing and liberties is one of the first in the world to protect individuals with regard to the automated processing of data concerning them.

By adopting it, the French legislator aimed to control the development of information technology by putting it at the service of the citizen, and by protecting the rights and freedoms of the latter in the face of possible abuses of information technology by the administration or private organizations.

The law is intended to apply to the processing of personal data, whether automated or not, carried out in the course of the activities of a controller or processor established on French territory, whether or not the processing takes place in France.

It also applies when the data subject resides in France, including when the controller or processor is not established in France.

As early as 1978, the law created the National Commission for Information Technology and Civil Liberties, a French supervisory authority that is responsible for ensuring the application of the law on information technology and civil liberties.

The law on data processing and liberties was subsequently modified in depth on several occasions, notably by :

  • The law n°2004-801 of August 6, 2004 transposing into French law the European directive 95/46 ;
  • Law No. 2018-493 of June 20, 2018 appropriating the leeway left by the GDPR.

The Data Protection Act has been interpreted and applied since 2018 in combination with the GDPR, which is directly applicable and does not need to be transposed into domestic law, unlike previously the European Directive 95/46.

Initially comprising 48 articles, the law on data processing and liberties has been progressively expanded to include 128 articles to date.

Point of legislation

“IT must be at the service of every citizen.

Its development must take place within the framework of international cooperation. It must not infringe on human identity, human rights, privacy, or individual or public freedoms.

Article 1 of the law n°78-17 (data-processing law and freedoms)

Point of jurisprudence

The CNIL recalled that “ without prejudice, as regards processing falling within the scope of Regulation (EU) 2016/679 of 27 April 2016, to the criteria provided for in Article 3 of that Regulation, all the provisions of the present law (i.e. the Data Protection Act) shall apply to the processing of personal data carried out in the context of the activities of an establishment of a controller […] on French territory, whether or not the processing takes place in France”.

CNIL, December 31, 2021, N°SAN-2021-023

The Bouchara Law firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.