Computer files and personal data
Verified 17 March 2021 - Directorate for Legal and Administrative Information (Prime Minister)
Different organizations use your personal data : administration, company, social network, website, association... You have the right to be informed and to control how your data is used. For example, you can obtain and correct the information an organization holds about you, or object to being included in a file. In case of difficulties, you can make a complaint to the Cnil: titleContent.
An organization that collects your personal data directly from you should provide you with the following information:
- Identity and contact details of the data controller and, if necessary, of the data controller's representative
- Contact details for Data Protection Officer (DPO) if a DPO has been designated
- Purposes of processing (e.g. payroll management)
- Legal basis for processing (e.g. performance of a contract or fulfillment of a legal obligation)
- If necessary, legitimate interests of the controller justifying the collection of your personal data (e.g. doing business prospecting)
- Data Recipients
- Intent to transfer data to a non-EU country European and existence or absence of an adequacy decision by the European Commission or safeguards put in place to govern the transfer of data (e.g. standard contractual clauses)
- Retention period of data or criteria used to determine this period
- Existence of your rights (right to access, rectify, erase, limit or object to the processing of your data, right to portability and right to define guidelines on the fate of your personal data after your death)
- Right to withdraw your agreement if the processing is based on your agreement
- Right to lodge a complaint with the Cnil: titleContent
- Information on whether the provision of your personal data is of a regulatory or contractual nature, whether the provision of your data is a condition for the conclusion of a contract, and the possible consequences of not providing your data
- Existence of automated decision-making, including profiling, and information about the impact of this processing on you
- If necessary, information on the other purposes envisaged for this treatment
If the controller does not collect your personal data directly from you, it must tell you where it comes from and what categories are collected.
You must be able easily accessible to this information.
This information must be provided to you in a language clear and simple.
Example :
Page accessible from the home page of the organization's website. The title of the page should be clear: privacy policy, privacy page or personal data.
You need to be well informed about how your data is being used.
Thus, the organization must inform you in case of violation of your personal data, if there is a high risk for your rights and freedoms.
Example :
Unauthorized disclosure of your data
The right of access is used to determine if your data are processed by an organization, and if they are, to obtain a copy of your data in plain language.
The organization must also provide you with the following information:
- Why your data is being used
- What categories of data are used
- Who are the recipients of your data
- How long your data is kept
- What are your rights?
- What is the origin of your data when it has not been collected directly from you?
- If there is automated decision-making, including profiling, and what is the impact of this treatment on you.
Where personal data are transferred to a non-EU country European or to an international organization, you must be informed of the guarantees governing their transfer.
When you send a request by email, you must receive the information by email. However, you may request that the information be communicated to you in another way. For example, by mail.
Please note
the right to obtain a copy of personal data must not prejudice the rights and freedoms of another person.
Direct access
In practice, consult the website of the organization concerned for the contact details of the contact person.
The request can be made by online form, by mail, by post...
If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.
The procedure is free of charge.
However, the organization may ask you to pay a reasonable fee. For example, if you request an additional copy.
Mail templates are available on the Cnil: titleContent.
Send a letter to an organization that holds your personal data
Keep a copy of your application so that you can make a complaint if necessary.
When the organization receives your application, it will 1 month to answer you.
If the organization needs more time, it must inform you within one month of receiving your request. In total, the response time cannot exceed 3 months.
In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil: titleContent.
Submit a complaint online to the Cnil
FYI
different rules apply to certain files. For example, a judicial police file such as the prior criminal record (prior art) or the bank account file (Ficoba).
Indirect access
Some files are particularly framed, such as police files or files that relate to state security. For example, the Schengen file.
These files are accessed indirectly through the Cnil: titleContent.
You must specify the file in your email and attach a copy of your ID.
In the event of refusal of communication, the Cnil: titleContent will provide you with the means of appeal to challenge this decision.
Who shall I contact
National Commission for Informatics and Freedoms (Cnil)
By mail
3 Place de Fontenoy
TSA 80715
75334 Paris cedex 07
The CNIL does not receive the public or provide any information on the spot.
By telephone
+33 1 53 73 22 22
Telephone reception open Monday to Friday from 9:30 am to 5 pm.
Legal information open on Monday, Tuesday, Thursday and Friday from 10am to 12pm.
By email
Access to contact form
The right of rectification allows you to request correction of inaccurate or incomplete information about yourself.
For example, an error in your address.
In practice, consult the website of the organization concerned for the contact details of the contact person.
The request can be made by online form, by mail, by post...
If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.
The procedure is free of charge.
Mail templates are available on the Cnil: titleContent.
Send a letter to an organization that holds your personal data
Keep a copy of your application so that you can make a complaint if necessary.
When the organization receives your response, it has 1 month to answer you.
If the organization needs more time, it must inform you within one month of receiving your request.
In total, the response time cannot exceed 3 months.
During this period, you can request that your data is no longer used by the organization.
This is the right to restriction of processing.
For example, an e-commerce site should stop using your data while it checks it.
In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil: titleContent.
Submit a complaint online to the Cnil
FYI
different rules apply to certain files. For example, a judicial police file such as the prior criminal record (prior art) or the bank account file (Ficoba).
The right to erasure (right to be forgotten) allows you to request the removal of personal data about you.
For example, an inconvenient photo on a website.
You must be in one of the following situations:
- Your data is no longer necessary for the purposes for which it was collected or processed
- You withdraw your consent to the use of your data and there is no other legal basis for their processing
- You object to the processing of your data and this processing does not meet an overriding legitimate reason
- You object to your data being used for commercial prospecting
- Your data has been processed unlawfully. For example, your data has been hacked and published
- Your data must be erased in order to comply with a legal obligation
- Your data was collected when you were a minor (blog, forum, social network, website...)
If an organization has made your personal data public and needs to erase it, it must inform the other organizations that process your data of your request for erasure. For example, deleting any link to your data or deleting any copy or reproduction of your data.
In practice, consult the website of the organization concerned for the contact details of the contact person.
The request can be made by online form, by mail, by post...
Specify precisely which data you want to delete and the reasons for deleting it.
For example, if you request the erasure of a photo on a site, only the photo will be erased, not your account on that site.
If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.
The procedure is free of charge.
Mail templates are available on the Cnil: titleContent.
Send a letter to an organization that holds your personal data
Keep a copy of your application so that you can make a complaint if necessary.
When the organization receives your request, it must respond as soon as possible, and at the latest within the1 month.
If the organization needs more time, it must inform you within one month of receiving your request. In total, the response time cannot exceed 3 months.
In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil: titleContent.
Submit a complaint online to the Cnil
Please note
the organization may refuse your request in limited cases. For example, if erasure prevents the exercise of the right to freedom of expression and information.
The right to dereferencing allows you to have a search engine delete a search result associated with your first and last names.
For example, by typing your name in the search engine, an old resume appears.
The deletion only concerns the association of a result of your name and your first name. The information is not deleted from the source website.
In practice, contact the search engine by mail or via the dedicated form (most search engines offer an online form).
Specify in your request the web address (URL) of the result to be deleted and explain why you would like to delete it.
If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.
The procedure is free of charge.
Keep a copy of your application so that you can make a complaint if necessary.
When the organization receives your response, it has 1 month to answer you.
If the organization needs more time, it must inform you within one month of receiving your request. In total, the response time cannot exceed 3 months.
In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil: titleContent.
Submit a complaint online to the Cnil
Please note
the search engine may refuse your request if, for example, it proves that the information concerned must be communicated to the public.
Répondez aux questions successives et les réponses s’afficheront automatiquement
General case
The right of opposition allows you to object to the inclusion of personal information in a file for reasons related to your particular situation.
In practice, consult the website of the organization concerned for the contact details of the contact person.
The request can be made by online form, online account, email, mail...
Specify in your request the data to be deleted and explain the reasons for your particular situation.
If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.
The procedure is free of charge.
Mail templates are available on the Cnil: titleContent.
Send a letter to an organization that holds your personal data
Keep a copy of your application so that you can make a complaint if necessary.
When the organization receives your response, it has 1 month to answer you.
If the organization needs more time, it must inform you within one month of receiving your request. In total, the response time cannot exceed 3 months.
During this period, you can request that your data is no longer used. This is the right to restriction of processing.
In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil: titleContent.
Commercial prospecting basis
The right of opposition allows you to object to your personal data being used to send you commercial prospecting.
For example, you can refuse to appear in a prospecting database in order to no longer receive advertising emails on your personal mailbox.
Once you have exercised your right to object, the organization must no longer process your data to conduct commercial prospecting.
In practice, each solicitation must specify the identity of the advertiser and contain a simple means of opposing the receipt of new solicitations.
You can also consult the website of the organization concerned for the contact details of the contact person.
The request can be made by online form, online account, email, mail...
If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.
The procedure is free of charge.
Mail templates are available on the Cnil: titleContent.
Send a letter to an organization that holds your personal data
Keep a copy of your application so that you can make a complaint if necessary.
When the organization receives your response, it must delete your personal data from its prospecting database as soon as possible.
In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil: titleContent.
Submit a complaint online to the Cnil
FYI
multiple devices are also at your disposal to protect you against abusive telephone solicitation, voice or SMS spam.
Please note
the organization may refuse your request. For example, a legal obligation or compelling legitimate grounds require it to continue processing your data, or your data are necessary to establish, exercise or defend legal claims.
The profiling is to use your personal data to evaluate certain personal aspects concerning you for the purpose of analyzing or predicting certain elements.
For example, to predict your work performance, your economic situation, your health, your personal preferences, your travel...
You have the right to refuse to be subject to a fully automated decision, often based on your profiling, that would have legal effects or impact your daily life.
For example, an automated decision can make it impossible to access a credit card.
An organization may automate the following decisions:
- Decision authorized by specific legal provisions
- Decision necessary for the conclusion or performance of a contract you have concluded with the organization
- Decision made with your consent
However, when the decision is necessary for a contract or is made with your consent, you have the right to have a human being intervene and review the decision. You can also express your point of view and challenge the decision.
In practice, consult the website of the organization concerned for the contact details of the contact person.
The request can be made by online form, online account, email, mail...
If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.
The procedure is free of charge.
Mail templates are available on the Cnil: titleContent.
Send a letter to an organization that holds your personal data
Keep a copy of your application so that you can make a complaint if necessary.
When the organization receives your response, it has 1 month to answer you.
If the organization needs more time, it must inform you within one month of receiving your request. In total, the response time cannot exceed 3 months.
During this period, you can request that your data is no longer used. This is the right to restriction of processing.
In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil: titleContent.
The right to portability is about controlling your personal data: it allows you to retrieve the data you have communicated to the organization in a machine-readable format.
For example, your contact information, your purchase history.
You can obtain that your data is transmitted directly from one organization to another when technically possible.
For example, changing social networks while keeping the history of your data, retrieving your emails from one provider to be able to use them with another service provider.
This right applies only to automated computer files created with your consent or on the basis of a contract.
In practice, consult the organization's digital platform to learn how to exercise your right to portability.
For example, after you have authenticated to your customer account, you have access to a button to download your data.
In case of difficulties, consult the website of the organization concerned for the contact details of the contact person.
The request can be made by online form, by mail, by post...
If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.
The procedure is free of charge.
Keep a copy of your application so that you can make a complaint if necessary.
When the organization receives your response, it has 1 month to answer you.
If the organization needs more time, it must inform you within one month of receiving your request. In total, the response time cannot exceed 3 months.
In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil: titleContent.
Submit a complaint online to the Cnil
FYI
the exercise of the right to portability shall not prejudice the rights and freedoms of other persons. It shall not apply to processing operations necessary for the performance of a task carried out in the public interest.
Invasion of privacy: sanctions
Human rights abuses resulting from computer files or processing
Document template
Online service
FAQ
Service-Public.fr
Service-Public.fr
Service-Public.fr
Service-Public.fr
Service-Public.fr
Service-Public.fr
Service-Public.fr
Service-Public.fr
National Commission for Informatics and Freedoms (Cnil)
National Commission for Informatics and Freedoms (Cnil)
National Commission for Informatics and Freedoms (Cnil)
National Commission for Informatics and Freedoms (Cnil)
National Commission for Informatics and Freedoms (Cnil)