Selecting a language will automatically trigger the translation of the page content.

Computer files and personal data

Verified 17 mars 2021 - Legal and Administrative Information Directorate (Prime Minister)

Different organisms use your personal data : administration, company, social network, website, association... You have the right to be informed and to control how your data is used. For example, you can obtain and correct information that an organisation has about you, or object to being in a file. In case of difficulties, you can make a complaint to the Cnil.

An organisation that collects your personal data directly with you should provide you with the following information:

  • Identity and contact details of the data controller and, if necessary, of the data controller's representative
  • Contact Information Data Protection Officer (DPD) if a DPD has been designated
  • Processing purposes (for example, pay management)
  • Legal basis of processing (e.g. performance of contract or compliance with legal obligation)
  • If necessary, legitimate interests of the controller justifying the collection of your personal data (for example, conducting commercial prospecting)
  • Data Recipients
  • Intent to transfer data to a non-country European and the existence or absence of a European Commission adequacy decision or safeguards put in place to govern data transfer (e.g. standard contractual clauses)
  • Retention period of data or criteria used to determine this duration
  • Existence of your rights (right to access, rectify, erase, limit or oppose your processing, right to portability and right to set guidelines on the fate of your personal data after your death)
  • Right to withdraw your agreement if processing is based on your agreement
  • Right to make a complaint to the Cnil
  • Information on whether the provision of your personal data is of a regulatory or contractual nature, whether the provision of your data is conditional on the conclusion of a contract, and the possible consequences of not providing your data
  • Existence of automated decision-making, including profiling, and information about the impact of this treatment on you
  • If necessary, information on other purposes envisaged for this treatment

If the controller does not collect your personal data directly from you, he or she must tell you where it came from and what categories are collected.

You must easily to this information.

This information must be provided to you in a language clear and simple.

Example :

Page accessible from the home page of the organisation's website. The page title should be clear: privacy policy, privacy page or personal data.

You should stay well informed about the use of your data.

Thus, the organisation must inform you in case of violation of your personal data, if there is a high risk for your rights and freedoms.

Example :

Unauthorised disclosure of your data

The right of access is used to determine whether your data are processed by an organisation, and if they are processed, obtain a copy of your data in plain language.

The organisation must also provide you with the following information:

  • Why your data is being used
  • Which categories of data are used
  • Who are the recipients of your data?
  • How long your data is kept
  • What rights do you have?
  • What is the origin of your data when it has not been collected directly from you?
  • Whether there is automated decision-making, including profiling, and what is the impact of this treatment on you.

When personal data is transferred to a non-country European or an international organisation, you must be informed of the guarantees for their transfer.

When you send a request by email, you must receive the information by email. However, you may request that the information be communicated to you in another way. For example, by mail.

  Please note : the right to obtain a copy of personal data must not infringe the rights and freedoms of another person.

Direct access

In practice, consult the website of the organisation concerned for contact information contact person .

The request can be made by online form, by email, by mail...

If there is reasonable doubt about your identity, the organisation may ask you for information to confirm it. For example, to avoid identity theft.

The gait is free.

However, the organisation may ask you to pay reasonable fees. For example, if you request an additional copy.

Mail templates are available on the Cnil.

Send mail to an organisation that holds your personal data

National Commission on Informatics and Freedoms (Cnil)

Keep a copy of your complaint if necessary.

When the organisation receives your application, it has 1 month to answer.

If the organisation needs an additional time, it must inform you within one month of receiving your request. In total, response time cannot exceed 3 months.

In the absence of a response or in the event of an unsatisfactory response, you can make a complaint to the Cnil.

Submit an online complaint to the Cnil

National Commission on Informatics and Freedoms (Cnil)

  FYI : some files have different rules. For example, a court police file such as prior conviction (Taj) or bank account file (Ficoba).

Indirect Access

Some files are particularly framed, such as police files or files concerning State security. For example, Schengen file.

Access to these files is done indirectly through the Cnil.

You must specify the file in your mail and include a copy of your ID.

In case of refusal of communication, Cnil provide you with the means of appeal to challenge this decision.

Who shall I contact
  • National Commission on Informatics and Freedoms (Cnil)

    By mail

    3 Place de Fontenoy

    TSA 80715

    75334 Paris cedex 07

    The CNIL does not receive the public and does not provide information on the spot.

    Phone

    +33 1 53 73 22 22

    Telephone reception open Monday to Friday from 9am to 6.30pm (6pm on Friday)

    Legal information open Monday, Tuesday, Thursday and Friday from 10am to noon and 2pm to 4pm

    By Email

    Access contact form

The right of rectification allows you to request correction of inaccurate or incomplete information about you.

For example, an error in your address.

In practice, consult the website of the organisation concerned for contact information contact person .

The request can be made by online form, by email, by mail...

If there is reasonable doubt about your identity, the organisation may ask you for information to confirm it. For example, to avoid identity theft.

The gait is free.

Mail templates are available on the Cnil.

Send mail to an organisation that holds your personal data

National Commission on Informatics and Freedoms (Cnil)

Keep a copy of your complaint if necessary.

When the organisation receives your response, it has 1 month to answer.

If the organisation needs an additional time, it must inform you within one month of receiving your request.

In total, response time cannot exceed 3 months.

During this time, you can request that your data not be used by the organisation.

This is the right to limitation of treatment .

For example, an online commerce site should stop using your data while checking it.

In the absence of a response or in the event of an unsatisfactory response, you can make a complaint to the Cnil.

Submit an online complaint to the Cnil

National Commission on Informatics and Freedoms (Cnil)

  FYI : some files have different rules. For example, a court police file such as prior conviction (Taj) or bank account file (Ficoba).

The right to erase (right to be forgotten) allows you to request the deletion of your personal data in certain situations.

For example, an inconvenient picture on a website.

You must be in one of the following situations:

  • Your data is no longer necessary in view of the purposes for which it was collected or processed
  • You withdraw your consent to the use of your data and there is no other legal basis for their processing
  • You oppose the processing of your data and this processing does not meet a compelling legitimate reason
  • You object to your data being used for commercial prospecting
  • Your data has been processed illegally. For example, your data has been hacked and published
  • Your data must be erased to meet a legal obligation
  • Your data was collected when you were a minor (blog, forum, social network, website...)

If an organisation has made your personal data public and needs to erase it, it must inform the other organisations that process your data of your erasure request. For example, erasing any links to your data or erasing any copies or reproductions of your data.

In practice, consult the website of the organisation concerned for contact information contact person .

The request can be made by online form, by email, by mail...

Specify exactly what data you want to erase and why it should be erased.

For example, if you request the erasure of a photo on a site, only the photo will be erased, not your account on this site.

If there is reasonable doubt about your identity, the organisation may ask you for information to confirm it. For example, to avoid identity theft.

The gait is free.

Mail templates are available on the Cnil.

Send mail to an organisation that holds your personal data

National Commission on Informatics and Freedoms (Cnil)

Keep a copy of your complaint if necessary.

When the organisation receives your request, it must respond as soon as possible and no later than1 month.

If the organisation needs an additional time, it must inform you within one month of receiving your request. In total, response time cannot exceed 3 months.

In the absence of a response or in the event of an unsatisfactory response, you can make a complaint to the Cnil.

Submit an online complaint to the Cnil

National Commission on Informatics and Freedoms (Cnil)

  Please note : the organisation may refuse your application in limited cases. For example, if the deletion prevents the exercise of the right to freedom of expression and information.

The right of dereference allows you to ask a search engine to delete a search result associated with your first and last names.

For example, by typing your name in the search engine, an old CV appears.

The deletion only concerns the association of a result of your name and your first name. The information is not deleted from the source website.

In practice, contact the search engine by mail or via the dedicated form (most search engines offer an online form).

Specify in your request the web address (URL) of the result you want to delete and explain why you want it deleted.

If there is reasonable doubt about your identity, the organisation may ask you for information to confirm it. For example, to avoid identity theft.

The gait is free.

Keep a copy of your complaint if necessary.

When the organisation receives your response, it has 1 month to answer.

If the organisation needs an additional time, it must inform you within one month of receiving your request. In total, response time cannot exceed 3 months.

In the absence of a response or in the event of an unsatisfactory response, you can make a complaint to the Cnil.

Submit an online complaint to the Cnil

National Commission on Informatics and Freedoms (Cnil)

  Please note : the search engine may refuse your request if, for example, it proves that the information in question must be disclosed to the public.

General case

The right of objection allows you to object to personal information in a file for reasons related to your particular situation.

In practice, consult the website of the organisation concerned for contact information contact person .

The request can be made by online form, online account, email, mail...

Specify in your application the data to be deleted and explain the reasons for your particular situation.

If there is reasonable doubt about your identity, the organisation may ask you for information to confirm it. For example, to avoid identity theft.

The gait is free.

Mail templates are available on the Cnil.

Send mail to an organisation that holds your personal data

National Commission on Informatics and Freedoms (Cnil)

Keep a copy of your complaint if necessary.

When the organisation receives your response, it has 1 month to answer.

If the organisation needs an additional time, it must inform you within one month of receiving your request. In total, response time cannot exceed 3 months.

During this time, you can request that your data not be used. This is the right to limitation of treatment .

In the absence of a response or in the event of an unsatisfactory response, you can make a complaint to the Cnil.

Submit an online complaint to the Cnil

National Commission on Informatics and Freedoms (Cnil)

Business Prospecting Base

The right of objection allows you to object to your personal data being used to send you marketing information.

For example, you can refuse to be in a prospecting database so that you don't receive any more advertisements on your personal email.

Once you exercise your right of objection, the organisation no longer has to process your data for commercial prospecting.

In practice, each solicitation must specify the identity of the advertiser and contain a simple means of opposing the receipt of new solicitations.

You can also visit the website of the organisation concerned for contact information contact person .

The request can be made by online form, online account, email, mail...

If there is reasonable doubt about your identity, the organisation may ask you for information to confirm it. For example, to avoid identity theft.

The gait is free.

Mail templates are available on the Cnil.

Send mail to an organisation that holds your personal data

National Commission on Informatics and Freedoms (Cnil)

Keep a copy of your complaint if necessary.

When the organisation receives your response, it must remove your personal data from its prospecting database as soon as possible.

In the absence of a response or in the event of an unsatisfactory response, you can make a complaint to the Cnil.

Submit an online complaint to the Cnil

National Commission on Informatics and Freedoms (Cnil)

  FYI : multiple are also at your disposal to protect you against abusive telephone solicitation, voice or SMS spam.

  Please note : the organisation may refuse your request. For example, a legal obligation or legitimate and compelling reasons require it to continue processing your data, or your data is necessary to establish, exercise or defend legal rights.

The profiling is to use your personal data to evaluate certain personal aspects of you for the purpose of analysing or predicting certain elements.

For example, to predict your job performance, your economic situation, your health, your personal preferences, your travel...

You have the right to refuse to be subject to a fully automated decision, often based on your profiling, which would have legal effects or impact your daily life.

For example, an automated decision may make access to a credit card impossible.

An organisation can automate the following decisions:

  • Decision authorised by specific legal provisions
  • Decision necessary to conclude or fulfil a contract you have with the organisation
  • Decision made with your consent

However, when the decision is necessary to a contract or is made with your consent, you have the right to have a human being intervene and review the decision. You can also express your views and challenge the decision.

In practice, consult the website of the organisation concerned for contact information contact person .

The request can be made by online form, online account, email, mail...

If there is reasonable doubt about your identity, the organisation may ask you for information to confirm it. For example, to avoid identity theft.

The gait is free.

Mail templates are available on the Cnil.

Send mail to an organisation that holds your personal data

National Commission on Informatics and Freedoms (Cnil)

Keep a copy of your complaint if necessary.

When the organisation receives your response, it has 1 month to answer.

If the organisation needs an additional time, it must inform you within one month of receiving your request. In total, response time cannot exceed 3 months.

During this time, you can request that your data not be used. This is the right to limitation of treatment .

In the absence of a response or in the event of an unsatisfactory response, you can make a complaint to the Cnil.

Submit an online complaint to the Cnil

National Commission on Informatics and Freedoms (Cnil)

The right of portability concerns the control of your personal data: it allows you to retrieve data you have communicated to the body in a machine-readable format.

For example, your contact information, your purchase history.

You can have your data transferred directly from one organisation to another when technically possible.

For example, changing your social network while keeping your data history, retrieving your emails from a provider so that they can be used by another service provider.

This right applies only to automated computer files created with your consent or on the basis of a contract.

In practice, consult the organisation's digital platform to learn how to exercise your right to portability.

For example, after you authenticate to your customer account, you have access to a button to upload your data.

In case of difficulties, consult the website of the organisation concerned for contact details contact person .

The request can be made by online form, by email, by mail...

If there is reasonable doubt about your identity, the organisation may ask you for information to confirm it. For example, to avoid identity theft.

The gait is free.

Keep a copy of your complaint if necessary.

When the organisation receives your response, it has 1 month to answer.

If the organisation needs an additional time, it must inform you within one month of receiving your request. In total, response time cannot exceed 3 months.

In the absence of a response or in the event of an unsatisfactory response, you can make a complaint to the Cnil.

Submit an online complaint to the Cnil

National Commission on Informatics and Freedoms (Cnil)

  FYI : the exercise of the right to portability must not infringe the rights and freedoms of other persons. It shall not apply to treatments necessary for the performance of a public interest task.