18 October 2013

French Data Protection Authority CNIL Announces New Online Notification Procedure For Reporting Data Breaches

Reed Smith (Worldwide)

Contributor

Reed Smith is a dynamic international law firm helping clients move their businesses forward. By delivering smart, creative legal services, we enrich clients' experiences with us and support achievement of their business goals. Our longstanding relationships and collaborative structure enable the speedy resolution of complex disputes, transactions, and regulatory matters.

France's data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), released a new mandatory online notification procedure for French electronic communications service providers (Providers) to rapidly report data breaches to CNIL in compliance with new EC Regulation (No. 611/2013) (the Regulation).

Any data breach must be reported to CNIL via a new standardized online notification form in accordance with Article 2(4) of the Regulation. The notification must include all details set out in Annex I of the Regulation and be made no later than 24 hours after the detection of the breach. Where full details cannot be provided, organisations must make an initial notification with additional information provided no later than 3 days after the date of the breach. Such additional notification must also be provided to the individual whose data was adversely affected by the breach.

Individuals need not be notified if the Provider can demonstrate that it has implemented security measures rendering that data unintelligible. The CNIL has two months to check the adequacy of any security measures, which may include encryption or data hashing/masking. Under existing French law, Providers must maintain a registry of data breaches which CNIL is entitled to audit. The CNIL may issue penalties of up to 300,000 euros and there is the potential for up to five years' imprisonment for failing to comply with the data breach notification requirement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
