France
Data protection rules applicable in France arise from the General Data Protection Regulation (2016/679) (GDPR), which is directly applicable in France. The GDPR regulates the collection and processing of personal data, and specifies the rights of persons whose data is collected.
The key principles of the GDPR are as follows:
- Personal data may be collected only with the agreement of the persons whose data is collected or if its collection is necessary for the performance of a contract or compliance with a legal obligation;
- The amount of data collected should be reduced to a minimum when possible and stored for a reasonable duration;
- The data must be accessible only by company employees whose functions require such access;
- The persons whose data is collected have the right to access, rectify and erase their data; and
- The company collecting personal data must implement adequate security measures.
The GDPR also regulates cross-border transfers of data. Generally speaking, personal data shall not be transferred to non-EU countries unless the third country is considered by the European Commission to offer the same degree of protection or adequate guarantees are implemented.
Although the GDPR is directly applicable, French law provides for some additional rules and procedures. The Commission Nationale de l'Informatique et des Libertés (National Commission on Informatics and Liberty) is the national authority which monitors data privacy issues and may impose sanctions on non-compliant entities.
France
The regulation of cybersecurity arises from the transposition of the Network and Information Security Directive (2016/1148). The key obligation is the duty of entities designated as ‘operators of essential services’ to notify the Agence nationale de la sécurité des systèmes d'information (National Cybersecurity Agency of France) of any security breach or incident.
Most regulated financial and banking institutions are considered operators of essential services, which means that fintech companies that provide regulated services will normally be regarded as operators of essential services under this regulation.