Publication
Contacts
Linklaters LLP
Sonia Cissé
Tel: +(33) 1 56 43 57 29
www.linklaters.com
Supervisory Authority
Commission Nationale de l’Informatique et des Libertés
National Legislation
(Please note these links are provided for information only. Any translations may not be accurate and the text may not include amendments to that legislation).
Last updated May 2026
General data protection laws
The General Data Protection Regulation (EU) (2016/679) (“GDPR”).
The EU is currently considering the Digital Omnibus (2025/0360 (COD)). This proposes a number of amendments to the GDPR including: (a) protection from abusive subject access requests; (b) extending the deadline to notify breaches to a supervisory authority to 96 hours and only applying that notification to high risk breaches; (c) codifying the “relative” approach to the concept of personal data; (d) ensuring a consistent approach to DPIAs; and (e) providing an express legal basis for the training of AI systems. However, some changes are controversial, and it is not clear if they will all be adopted.
Law n° 2018-493 of 20 June 2018 “relating to personal data protection” incorporates the GDPR provisions in existing French Law n° 78-17 of 6 January 1978.
For greater clarity, the law has been rewritten via Ordinance n° 2018-1125 of 12 December 2018, which took effect on 1 June 2019 (altogether the “revised French DPA”).
Entry into force
The GDPR has applied since 25 May 2018.
The revised French DPA has retrospective effect and applies from 25 May 2018.
Details of the competent national supervisory authority
The CNIL acts as the supervisory authority in France.
Commission Nationale de l’Informatique et des Libertés (the “CNIL”)
3 Place de Fontenoy
TSA 80715
75334 Paris
Cedex 07
France
Tel: 00 33 1 53 73 22 22
The CNIL represents France on the European Data Protection Board.
Notification or registration scheme and timing
There is no obligation to notify regulators of any processing under the GDPR. However, controllers and processors must keep a record of their processing and make it available to their supervisory authority on request (subject to limited exemptions).
The revised French DPA requires certain types of processing relating to health data to be notified to the CNIL (see below).
Exemptions to notification
Not applicable.
What is the territorial scope of application?
The GDPR applies to the processing of personal data in the context of the establishment of a controller or processor in the EU.
It also contains express extra-territorial provisions and applies to controllers or processors based outside the EU that: (i) offer goods or services to individuals in the EU; or (ii) monitor individuals within the EU. Controllers and processors caught by these provisions will need to appoint a representative in the EU, subject to certain limited exemptions.
The European Data Protection Board has issued Guidelines on the territorial scope of the GDPR (3/2018).
Without prejudice to the above, the revised French DPA applies to processing of personal data carried out in the context of the activities of an establishment of a controller or a processor on French territory, whether or not the processing takes place in France.
Moreover, since May 2024, the revised French DPA also applies to processing of personal data of individuals who are present in France by a controller or a processor not established in the EU, where such processing is linked to the monitoring of the behaviour of those individuals within the EU, in particular by collecting their personal data with a view to correlating it with data relating to their online activity.
In addition, where the GDPR permits national variations, those variations will apply where the data subject resides in France regardless of whether or not the controller is established in France.
Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)
Professionals wishing to engage in direct marketing by phone must inform consumers that: (i) their personal data will be used for direct marketing calls; and (ii) they have the right to register with Bloctel, a direct marketing opposition list.
Professionals cannot call consumers who have registered on Bloctel save where: (i) there is a pre-existing contractual relationship and the call relates to the corresponding contract; or (ii) the call is to offer subscriptions to newspapers, journals and magazines.
In all cases, the professional must identify themselves on request and allow the individual subscriber to object to further calls. Direct marketing calls cannot be made to individual subscribers who have previously objected.
Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)
It is not permitted to make direct marketing calls to corporate subscribers who have previously objected to such calls.
Exemptions and other issues
None.