axlaw, avocat rouen, avocat paris, Newsletter

Newsletter

Contact us

To subscribe to our newsletter enter your email address and click subscribe.


We regularly distribute a Newsletter with comments and legal notes on current topics related to the concerns of our clients.

 

Follow our latest publications on

        

 

July 2018 | Newsletter 11

EDITORIAL

Dear All,

Who among us has not already received at least 3 emails about the GDPR, whether from our bank, from our insurance company or from the most unlikely of our subscriptions ? At a time when everyone thinks with delight about the big summer break, while it is necessary to advance very quickly on the matters in progress before these few days of well-deserved rest begin, what sort of idea could bring you to a sudden interest in the GENERAL DATA PROTECTION REGULATION ?

Does it really concern us after all ? The entry into force of the GDPR on May 25, 2018 did not provoke a Big Bang, at least not any more than during the turn of the new millennium. Make no mistake about it, the subject concerns everyone, not only computer scientists but all business sectors, from human resources to sales and legal services. Sanctions, which may apply as well to documents prior to the entry into force of the law, reach new ceilings up to € 10.000.000 or 4% of the targeted company’s annual world-wide turnover, the greater figure being ultimately chosen.

The standards contained in the GDPR were subjected to a partial transposition into French Law on June 20, 2018. Meanwhile, the government has committed to complete it during the next six months by way of ordinances. As it stands, what must be retained from the applicable rules is the diversity of professions and areas of law impacted, the obligation to inform everyone when personal information is held, the obligation to protect the elements from which we can identify someone and the raising of financial penalties to exorbitant levels. 

By this period of heat wave, while the temptations of the beginning summer are multiple and that you have the laudable will to sweep everything on your desk before taking a few days of respite, we invite you to a brief session of vacation studies.

It takes the form of a synthesis about the GDPR (key concepts, control and protection systems, individual rights, sanctions and remedies), accompanied by a brief overview on the current jurisprudence in social law, business criminal law and insolvency proceedings.

 I wish you a great holiday while reminding you that our office will be naturally open all summer.

Yours truly.

 

Stéphane SELEGNY

Avocat à la Cour

 

 

 

GENERAL DATA PROTECTION REGULATION


 

On 27, April 2016, the European Parliament and the European Council adopted a new legal regime for the protection of personal data in the form of the General Data Protection Regulation (GDPR). The rules in question, which are particularly innovative, will become applicable on 25 May 2018.

 

Their transposition into French Law provokes a major overhaul of the guarantees relating to the individual information that each of us is required to provide daily for the execution of many services. This seems even more necessary and urgent as the rise of the digital economy, through the proliferation of services offered on the internet, is constantly increasing the risks of infringement on the privacy of users, that is to say ours. But what are we talking about?

 

General Presentation

 

The new instrument applies to “controllers” (Article 4.7), i.e. those who define the terms and purposes of the data processing they are responsible for, with the support of “processors” where appropriate (4.8), as long as they are each established in the European Union (hereinafter referred to as the EU) and / or they each process data belonging to individuals who are on the territory of the EU in the course of their activities (Article 3).

 

The concept of « processing » refers to operations relating to “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of any personal information (article 4.2).

 

The beneficiaries of the GDPR are all natural persons whose identity can be established directly or indirectly from the individual information they have given to a processing operator (controller or processor); information such as “a name, an identification number, location data, an online identifier or [other] factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” are among the items covered (Article 4.1).

 

European Law aims to improve the defense of ‘personal data’ by two complementary approaches:

 

  • removing the formal system of the prior declaration;
  • and creating a material device for continuous monitoring.

 

Inspired by Anglo-Saxon Law, the reform focuses on the permanent ‘empowerment’ of operators rather than the reiteration of specific commitments that can weaken over time. The basic idea is to oblige the responsible persons to establish permanent guarantee mechanisms, which must be not only efficient but effective in the long term. The design by default (Article 25) of the protection methods attached to the processing operations meets the so-called “privacy by design” or “privacy by default” principles a Canadian researcher formulated in the mid-1990s in order to improve the prevention against any violation of privacy.

 

Rights of the People Concerned

 

The individual consent is the cornerstone of the regulation insofar as most of the legal protection depends on the specific terms of its granting. Therefore, it is not surprising that the GDPR obliges the persons responsible to guarantee (Article 7) that the will of the persons concerned is “freely given, specific, informed and unambiguous” by means of a statement or a clearly defined affirmative action (Article 4.11).  

 

As regards the elements intended to clarify the fact of agreeing to give another person personal information, the European Law requires the person responsible to inform the person concerned on various topics including in particular:

 

  • the identity and the contact details of the controller”;
  • the period for which the personal data will be stored”;
  • the purposes of the processing”;
  • the recipients or categories of recipients of the personal data”;

 

As well as all the individual rights attached to the protection and their conditions of exercise throughout the duration of the processing (Article 13).

 

The individual guarantees offered by the GDPR consist, for the most part, in six major rights:

 

  • the « Right of access by the data subject » (Article 15);
  • the « Right to erasure » better known as the Right to be forgotten (Article 17);
  • the « Right to restriction of processing » (Article 18);
  • the « Right to object » (article 21);
  • the « Right to data portability » (Article 20);
  • and the « Right to rectification » (Article 16).

 

Controllers and Processors must respond to requests addressed to them in application of these individual rights within one month from the day of their receipt, a period which may be extended by two further months if necessary, « taking into account the complexity and number of the requests” (Article 12.3).

 

Controls, sanctions and remedies

 

In France, the control of the implementation of the GDPR is carried out by the Commission Nationale Informatique et Libertés (hereinafter CNIL). For the exercise of its missions of general interest, the CNIL has special prerogatives derived from the public powerness. As an Independent Administrative Authority, it can:

 

  • order the controller and the processor […] to provide any information it requires for the performance of its tasks”;
  • carry out investigations in the form of data protection audits”;
  • notify the controller or the processor of an alleged infringement”;
  • obtain, from the controller or the processor, access to all personal data and to all information necessary for the performance of its tasks”;
  • obtain access to any premises of the controller and the processor, including to any data processing equipment and means” (Article 58.1).

 

Significant breaches of the Regulation give rise to the payment of administrative fines, the ceiling of which is:

 

  • 20 000 000 EUR or, « in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher », for the most serious violations, those affecting the fundamental principles of processing or the individual rights of the identified persons (Article 83.5);

 

  • 10 000 000 EUR or, « in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher », for offenses related to specific obligations of controllers and their processors (Article 83.4).

In addition to its ceiling, the assessment of the fine must comply with an extensive list of eleven criteria, the main one being “the nature, gravity and duration of the infringement taking into account the nature scope and purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them” (Article 83.2.a).

 

As regards less serious infringements of the protection of personal data, those which do not give rise to administrative fines, the GDPR gives the national supervisory authorities the freedom to resort to other penalties, provided that they remain “effective, proportionate and dissuasive” (Article 84). The CNIL is empowered in this context to issue warnings, to order injunctions to cease the illegal treatment or to impose pecuniary sanctions up to 150 000 EUR, or 300 000 EUR in case of recidivism.

 

GDPR breaches open three different ways of complaining. The first route is for victims and consist in lodging a complaint with the supervisory authority of the place of their habitual residence, the place of their work or the place of the alleged violation (Article 77). The second route is addressed to the persons concerned by the legally binding decisions of the supervisory authorities and consists in bringing legal proceedings against them (Article 78). In France, the controllers or processors sentenced by the CNIL have a period of two months to introduce an action for annulment, reformation or replacement in front of the administrative judges of the Conseil d’Etat. Finally, the third route is for victims and consists in seeking a judicial remedy against a controller or processor (Article 79). The competent court will be either the place of establishment of the controller/processor, or the place of habitual residence of the victim.

 

The regulatory principle of ”joint responsibility” allows the victim to obtain compensation for all of his or her loss from one of the responsible persons, where the latter have “jointly determined the purposes and means” of the illicit processing (Article 26.1).

 

Processing modalities

 

The regulation organizes the prevention of personal data infringements via three innovative devices that should be mentioned briefly.

 

Processings « likely to result in a high risk to the rights and freedoms of natural persons” having regard to their nature, their scope, their context and their purposes must be subject to a “data protection impact assessment” (Article 35). Prior to sensitive processings, the assessment in question deals with specific elements aimed at detailing the operations envisaged and their purposes, highlighting their necessity and proportionality, measuring the risks they pose to the individual rights of targeted persons, and explaining the answers given to these risks.

 

When the processing is carried out by a public authority, when it requires “regular and systematic monitoring of data subjects on a large scale” on very sensitive categories of data (criminal record, medical notes and so on…), the regulation requires the appointment of a Data Protection Officer (DPO). This person is independent and responsible for ensuring the ongoing compliance with the GDPR of actions taken under the authority of the controller or the processor (Article 37). 

 

Finally, all the proceedings, whether involving confidential data or not, must be listed in a certain way and updated in a ‘record of processing activities’ to demonstrate continuously compliance with the obligations imposed by the GDPR (Article 30).

 

 

 

 

RECENT CASE LAW

Suicide occurring as a result of work but outside the workplace constitutes an accident at work that must be proven by the party representing the employee victim. In a Judgement of April 11, 2018 (n° 16/06201 - Lexbase : A7109XKI), the Cour d’Appel de Rouen clarified the regime of the accident at work in the context of an employee’s (Mr. Z) suicide that intervened as a result of his work, although outside his place of work. The widow of the victim (Mrs. Z) asked the company which employed her husband to declare his death as an accident at work. The employer complied while considering that Mr. Z’s suicide was not related to his work. After investigation, the Caisse Primaire d’Assurance Maladie (Sickness Insurance Primary Fund) – CPAM - refused to cover the death of the employee. Mrs. Z unsuccessfully filed an « amicable » appeal against this decision before the CPAM Protest Committee. After another failure, she lodged a contentious appeal before the Tribunal des Affaires de la Sécurité Sociale (Court of Social Security), which was right in judging that the suicide of her husband was indeed an accident at work. The CPAM and the employer of Mr. Z challenged this Judgement in vain before the Court of Appeal of Rouen. The Judges of the Social Chamber recalled the legal definition of an accident at work according to Article L411-1 of the French Code de la Sécurité Sociale before continuing with the presumption of liability regime associated with it. In principle, the CPAM or the employer has to demonstrate the absence of a causal link between the accident and the employee’s working conditions. However, this only applies if the accident in question occurred at the workingplace and on the workingtime. In cases where the accident occurs outside the place and/or time of work, the burden of proof is reversed. Then, it is up to the representative of the employee to demonstrate the causal link mentioned above. The Court of Appeal held that Mrs. Z had succeeded in demonstrating a series of factors that established the professional motives leading her husband to commit suicide. Since it is established that M. Z’s suicide occurred as a result of his work, the qualification of this dramatic event as an accident at work by the Court of Social Security was fully justified.

 


 

The dismissal for willful misconduct of the employee does not involve – not any more at least - the loss of pay in lieu of vacation, including for the proceedings running on March 2, 2016, date of which the French Conseil Constitutionnel declared as being unconstitutional the opposite solution that prevailed until then. An employee (Mr. X) had been dismissed for willful misconduct following a physical assault on his employer (Mr. Y). The incident involved a headbutt, 7 stiches and a 15-day temporary interruption of work. Mr. X had challenged an appeal decision rendered by the Fort-de-France Appeal Judges which had dismissed all of his claims aiming to declare his dismissal without real and serious cause. If the materiality of the violence committed was not disputed, the employee challenged the subjective element associated with his act, that is to say, the intention to harm his employer which permitted Justice to hold against him the existence of a willful fault rather than a (less) gross fault. Deprived of any indemnity, Mr. X appealed on reasons identical to those he had invoked on Appeal. In a judgment of March 28, 2018 (n° 16-26013), the Social Chamber of the Cour de cassation confirmed the qualification of the employee’s gesture as a gross negligence while restoring his right to pay in lieu of vacation. On the qualification itself, the trial Judges shad been able to demonstrate the intentional nature of the aggression committed on the basis of evidence proving its voluntary and premeditated nature. On the compensation consequences of this qualification, the trial Judges shad thought fit to apply Article L3141-26 of the French Code du travail (in its wording on November, 13, 2015, the day of the appeal judgment), which excluded in its second paragraph the pay in lieu of vacation in case of a willful fault. This was without counting on the censorship of this provision by the Constitutional Council  (decision rendered on March 2, 2016, n° 2015-523 QPC) while the cassation complaint of Mr. X was still in progress. The declaration of unconstitutionality specified that it was of immediate application, including for the proceedings pending on the day of its publication, so that the Court of Cassation could not do otherwise than restore immediately the right of Mr. X to a pay in lieu of vacation, even though the law applicable at the time of the Appeal decision provided for the opposite solution.

 

More news about Labour Law

 

RECENT CASE LAW

The order dismissing an application to erase the registration in the Interior Ministry Automated Fingerprint File of a person accused of slanderous denunciation constitutes an excess of power for the President of the competent Instruction Chamber, as long as this decision is based on grounds not provided for in the applicable law, namely Article 7-1 III of Decree n° 87-249 enacted on April 8, 1987. The Criminal Chamber of the French Cour de cassation indicates in a judgment of April 10, 2018 (n° 17-84674-PB) that it belongs to the competent Judges :

 

  • to check whether the registration of fingerprints complies with the regulatory conditions in force;

 

  • and to assess the need for their retention according to the purpose of the file, which depends in particular on the circumstances of the offense and the personality of the person concerned.

 

In this case, the President of the Instruction Chamber’s refusal to erase the applicant’s fingerprints was based on non-regulatory grounds of inadmissibility. The former opposed to the latter the fact that his request for deletion was not based on one of the grounds provided for in Article 7-1 III of the abovementioned decree and that the precise conduct of the initial registration procedure had not been reported to the Court.

 

In view of these elements, the Judges of the Criminal Chamber decided to quash the rejection order submitted to them.

 


 

The fact that a maintenance agent did not use a delegation of authority to secure the work facilities and not to have committed in person (directly) the manslaughter of an agent « fatally wounded » by the explosion of a machine rendered insecure by abnormal conditions of use is not sufficient to exclude the criminal liability of the legal person concerned from the moment when the offense actually (even indirectly) takes place by an organ or a representative having acted on behalf of it. In this case, a maintenance operator died as a result of an accident during the repair of an oil extraction pump. An investigation revealed that the equipment had exploded due to a lack of normal maintenance. The operators responsible for maintaining it did not have the information necessary for the normal performance of their task.

 

The Appeal Judges dismissed the criminal liability of the company concerned on the grounds that its manager, who was the only body or representative likely to act on its behalf in the absence of a delegation of his powers in security matters, was absent from the scene of the tragedy at the time of its realization and could not have contributed to it by direct and personal acts.

 

The Court of Cassation invalidated this argument considering the deficiencies found in the training of the personnel to the normal maintenance of the work equipment and to the means of protection constituted a violation by the manager of his security obligations pursuant to Articles R4322-1 and R4323-1 of the French Code du travail.

 

Since the explosion in question was the result of the fault of an organ or a representative acting on behalf of the enterprise concerned, the criminal liability of this last should have been incurred under Article 121-2 of the French Code penal – judgement of October 31, 2017 (n° 16-83683).

 

 

More news about Business Criminal Law

 

RECENT CASE LAW

 

Only the liquidator has the power to act in fixing how much the partners of a company in liquidation contributed to its social loss according to Article 1832 paragraph 3 of the French Code civil. In a judgment of May 3, 2018 (n° 15-20348), the Commercial Chamber of the French Cour de cassation censored the admissibility on appeal of a request made by two partners on the basis of Article 1832 of the Civil Code, which was intended to condemn two other partners for their share of the social loss endured by a Société Civile d’Exploitation Agricole (civil farming company) – SCEA -  in liquidation.

 

The company in difficulty had two partner couples, the consorts Y, of which Mr. was the manager, and the consorts Z. The economic and financial problems faced by these four people led to the liquidation of the SCEA.

 

Believing that the associates Y had committed several management mistakes, the partners Z sought to engage their responsibility in the collapse of the company. By way of counterclaim, the partners Y sought the conviction of the partners Z for their contribution to the losses of the company in proportion to their shares. 

 

The Nîmes Court of Appeal allowed the counterclaim of the spouses Y condemning Mr. And Mrs. Z to pay them various sums of money pursuant to Article 1832 paragraph 3 of the Civil Code, while this application should have been automatically declared inadmissible. That is the reason justifying the partial cassation of the appeal judgment.

 

 


 

 

Trial Judges assess the amount for a condemnation of several managers, one of whom is the subject of a collective action in her personal capacity for the exercise of another professional activity, to the extent of their individual liability for insufficient assets. In this case, the legal redress and liquidation of a transport company had resulted in the appointment of a liquidator, who had decided to sue this company managers, Mr. and Mrs. X, in liability for insufficiency of assets. Mrs. X being in legal redress for another professional activity, the liquidator assigned her legal representative in forced intervention.

 

On September 15, 2016, the Nîmes Court of Appeal condemned the spouses X on the basis of Article L651-2 of the French Code de commerce to repay in solidum 70% of the amount equivalent to the asset insufficiency to which both of them had contributed by various management mistakes. The two managers challenged the commission of the said faults on the occasion of a cassation complaint.

 

The Commercial Chamber of the French Cour de cassation dismissed their appeal in a judgment of May 9, 2018 (n° 16-26684), which recalls the sovereign power of assessment enjoyed by the trial Judges in assessing the amount of the manager contributions to the asset insufficiency of a company in liquidation.

 

The cassation Judges state furthermore that it is not for them to check the proportionality of this amount and that the placement in legal redress of Mrs. X in the exercise of another professional activity does not affect in any way the application of the Article L651-2 of the Commercial Code.

 

More news about Insolvency Proceedings

 

 

printable version of the Newsletter (pdf)