Privacy Advisor

Global Privacy Dispatches - France on storing personal data

May 1, 2009
Shops and stores: simplification of formalities

According to the French Data Protection Act, the processing of personal data relating to offences is subject to prior authorization by the CNIL since such data is considered sensitive.

As a consequence, business victims of offences such as fraud or theft can collect and process data about offenders only after having obtained authorization from CNIL, which can be a lengthy process.

The CNIL has decided to simplify this process for shops and stores by issuing a so-called “Unique Authorization.” By acknowledging on the CNIL Web site that they comply with the data processing conditions set by the authority, applicants are automatically authorized to launch their processing.

Several conditions must be met to benefit from this simplified procedure:

  • the commission of the offence can be recorded only if it took place inside a store;
  • the processing should target only the management of dispute or litigation; data must be limited to identification data, contact details, and information about prior claims, which means that sensitive data (such as ethnic and racial origin, political opinions, religion beliefs, etc.) cannot be collected;
  • the information should be kept only as appropriate under French law (i.e. applicable statute of limitation or the end of court proceedings); the deletion of data beyond this period guaranteeing a "right to oblivion;"
  • the recipients of the data processing are also restricted: legal services and security services of the company, as well as judicial authorities;
  • other “usual” data protection obligations must be complied with, such as the notice to data subjects, security and confidentiality of data, mechanism to exercise rights of access and rectification.


Where the Unique Authorization conditions are not met, the data controller will have to provide a detailed description of the system in its request for CNIL prior authorization.