Following the adoption of GDPR, France started to transpose this new European regulatory framework regarding data protection within its legal system. France thus made a first step in this process, as Parliament adopted the Law n° 2018-493 which modifies the Law of 1978 regarding personal data.
The Decree n° 2018-687 adopted on August 1st is the last step for the complete transposition of the GDPR within the French national legislation. Therefore, this Decree modified some provisions of Decree n° 2005-1309 of October 20th, 2005, regarding the following aspects:
- It sets up rules on delegation of signature among CNIL’s staff and also modifies provisions regarding procedure related to claims;
- It details code of conducts release, such documents being useful to make a better application of GDPR, according to article 40 of the latter Regulation. It also deals with BCR (Binding Corporate Rules) as per article 47 of the GDPR;
- It defines under which conditions the CNIL or a certification body can provide compliance certification to GDRP as per article 47 of the latter Regulation;
- It introduces several provisions regarding health data, especially related to the organization and processes of the comité d’audit du système national de santé i.e. the administrative body in charge of health-related data management;
- It details the role of DPOs (Data Protection Officer);
- It sets up derogations for the data processing for scientific, historical or statistical purposes;
- It deals with data transfers to non-EU countries;
- It also treats some aspects of the contractual relation between data processors and processors as well as rules applicable to joint controllers.