Rights and obligations

29 December 2015

Right of access, right to object and the right to correct

  • Any person can see all the data that affects him/her in a file by making direct contact with those who are holding, and by obtaining a copy of it at a cost that is no greater than the cost of copying it.
  • Any person is able to object, for legitimate reasons, to the data appearing in the file. 
  • The person may refuse, without having to give any explanations, the use of the data, which affects him/her, for canvassing purposes.
  • Any person can correct, supplement, update, block or erase data affecting him or her when errors, inaccurate information or data, the collection, use, transfer, keeping of which is forbidden, have been detected. 

Data protection rights

  • Every person may contact an organisation directly to find out if he is listed or notby that organisation.
  • Every person may, on simple request addressed to the organisation in question, have free access to all the information concerning him in clear language (any codes must be explained) and obtain a copy against payment of a fee, fixed by the State, of 3 € for the public sector and 4,6 € for the private sector.
  • Every person may directly require from an organisation holding information about him that the data be corrected (if they are wrong), completed or clarified (if they are incomplete or equivocal), or erased (if this information could not legally be collected).
  • Every person may oppose that information about him is used for advertising purposes or for commercial purposes;

he may also oppose to information concerning him being disclosed to a third party for such purposes. The persons concerned should have the possibility of exercising their right to oppose the disclosure of their data to a third party at the moment the data is collected. The use of automatic calling machines or faxes for advertising purposes is prohibited unless the person has given his prior consent.

  • Every person may ask the CNIL to proceed with checks of the information concerning him

which may possibly be recorded in files concerning security of the State, defence, or public security (right of indirect access). The CNIL verifies the relevance, the accuracy and the updating of this information and can demand that it should be rectified or deleted...

  • Every person may contact the CNIL to receive assistance

in the exercise of his rights (particularly if his right of access has been denied).

Data controllers' obligations

  • Notify the file and its characteristics to the CNIL, except when exempted by law or by the CNIL
  • Ensure that citizens are in a position to exercise their rights through 
    information. 
  • Ensure data security and confidentiality, to protect them from distortion 
    or disclosure to unauthorised third parties 
  • Accept on-site inspections by the CNIL, and reply to any request 
    for information.

The French Data Protection Officer (DPO)

The "Correspondant Informatique et Libertés" (or CIL),  

From now on, local authorities, public services and associations are allowed to appoint a "Correspondant Informatique et Libertés" (CIL). It is a major innovation in the application of the law, as prior pedagogy and advice are emphasized. Indeed, the data controller which appoints a CIL is exempted, in most cases, from the notification process to the CNIL. The CIL has the duty to ascertain that the information system of the organization will expand without harming the rights of the users, clients and employees.


Privacy seals

The CNIL can deliver privacy seals “to products or procedures”. For organisations, this seal is a competitive advantage. For organisations’ clients, it is a confidence indicator allowing users to identify and favour those who assure a high level of protection of their personal data. 

Find out more