July 2018 | Newsletter 11

 

GENERAL DATA PROTECTION REGULATION


 

On 27 April 2016, the European Parliament and the European Council adopted a new legal regime for the protection of personal data in the form of the General Data Protection Regulation (GDPR). The rules in question, which are particularly innovative, will become applicable on 25 May 2018.

 

Their transposition into French Law brings about a major overhaul of the guarantees relating to the individual information that each of us is required to provide daily in order to obtain many services. This is all the more necessary and urgent as the rise of the digital economy, through the proliferation of services offered on the internet, constantly increases the risks of infringement on the privacy of users, that is to say our own. But what are we talking about?

 

General Presentation

 

The new instrument applies to “controllers” (Article 4.7), i.e. those who define the terms and purposes of the data processing they are responsible for, with the support of “processors” where appropriate (Article 4.8), as long as they are each established in the European Union (hereinafter referred to as the EU) and / or they each process data belonging to individuals who are on the territory of the EU in the course of their activities (Article 3).

 

The concept of “processing” refers to operations relating to “collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” of any personal information (Article 4.2).

 

The beneficiaries of the GDPR are all natural persons whose identity can be established directly or indirectly from the individual information they have given to a processing operator (controller or processor); information such as “a name, an identification number, location data, an online identifier or [other] factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” are among the items covered (Article 4.1).

 

European Law aims to improve the defense of ‘personal data’ by two complementary approaches:

 

  • removing the formal system of the prior declaration;
  • and creating a material device for continuous monitoring.

 

Inspired by Anglo-Saxon Law, the reform focuses on the permanent ‘empowerment’ of operators rather than the reiteration of specific commitments that can weaken over time. The basic idea is to oblige the responsible persons to establish permanent guarantee mechanisms, which must be not only efficient but effective in the long term. The design by default (Article 25) of the protection methods attached to the processing operations meets the so-called “privacy by design” or “privacy by default” principles a Canadian researcher formulated in the mid-1990s in order to improve the prevention against any violation of privacy.

 

Rights of the People Concerned

 

The individual consent is the cornerstone of the regulation insofar as most of the legal protection depends on the specific terms of its granting. Therefore, it is not surprising that the GDPR obliges the persons responsible to guarantee (Article 7) that the will of the persons concerned is “freely given, specific, informed and unambiguous” by means of a statement or a clearly defined affirmative action (Article 4.11).

 

As regards the elements intended to make clear what agreeing to give another person one's personal information entails, European Law requires the person responsible to inform the person concerned on various topics, including in particular:

 

  • “the identity and the contact details of the controller”;
  • “the period for which the personal data will be stored”;
  • “the purposes of the processing”;
  • “the recipients or categories of recipients of the personal data”;

 

as well as all the individual rights attached to the protection and the conditions for exercising them throughout the duration of the processing (Article 13).

 

The individual guarantees offered by the GDPR consist, for the most part, in six major rights:

 

  • the “Right of access by the data subject” (Article 15);
  • the “Right to erasure”, better known as the Right to be forgotten (Article 17);
  • the “Right to restriction of processing” (Article 18);
  • the “Right to object” (Article 21);
  • the “Right to data portability” (Article 20);
  • and the “Right to rectification” (Article 16).

 

Controllers and Processors must respond to requests addressed to them in application of these individual rights within one month from the day of their receipt, a period which may be extended by two further months if necessary, “taking into account the complexity and number of the requests” (Article 12.3).

 

Controls, sanctions and remedies

 

In France, the control of the implementation of the GDPR is carried out by the Commission Nationale de l’Informatique et des Libertés (hereinafter CNIL). For the exercise of its missions of general interest, the CNIL has special prerogatives derived from public authority. As an Independent Administrative Authority, it can:

 

  • “order the controller and the processor […] to provide any information it requires for the performance of its tasks”;
  • “carry out investigations in the form of data protection audits”;
  • “notify the controller or the processor of an alleged infringement”;
  • “obtain, from the controller or the processor, access to all personal data and to all information necessary for the performance of its tasks”;
  • “obtain access to any premises of the controller and the processor, including to any data processing equipment and means” (Article 58.1).

 

Significant breaches of the Regulation give rise to the payment of administrative fines, the ceiling of which is:

 

  • 20 000 000 EUR or, “in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher”, for the most serious violations, those affecting the fundamental principles of processing or the individual rights of the identified persons (Article 83.5);
  • 10 000 000 EUR or, “in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher”, for offenses related to specific obligations of controllers and their processors (Article 83.4).

In addition to this ceiling, the assessment of the fine must comply with an extensive list of eleven criteria, the main one being “the nature, gravity and duration of the infringement taking into account the nature, scope and purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them” (Article 83.2.a).

 

As regards less serious infringements of the protection of personal data, those which do not give rise to administrative fines, the GDPR gives the national supervisory authorities the freedom to resort to other penalties, provided that they remain “effective, proportionate and dissuasive” (Article 84). The CNIL is empowered in this context to issue warnings, to order injunctions to cease the unlawful processing or to impose pecuniary sanctions of up to 150 000 EUR, or 300 000 EUR in case of repeat offences.

 

GDPR breaches open three different avenues of complaint. The first route is for victims and consists in lodging a complaint with the supervisory authority of the place of their habitual residence, the place of their work or the place of the alleged violation (Article 77). The second route is open to the persons concerned by the legally binding decisions of the supervisory authorities and consists in bringing legal proceedings against those decisions (Article 78). In France, the controllers or processors sanctioned by the CNIL have a period of two months to bring an action for annulment, reformation or replacement before the administrative judges of the Conseil d’Etat. Finally, the third route is for victims and consists in seeking a judicial remedy against a controller or processor (Article 79). The competent court will be either that of the place of establishment of the controller/processor, or that of the place of habitual residence of the victim.

 

The regulatory principle of “joint responsibility” allows the victim to obtain compensation for all of his or her loss from any one of the responsible persons, where the latter have “jointly determined the purposes and means” of the illicit processing (Article 26.1).

 

Processing modalities

 

The regulation organizes the prevention of personal data infringements via three innovative mechanisms that should be mentioned briefly.

 

Processing operations “likely to result in a high risk to the rights and freedoms of natural persons”, having regard to their nature, scope, context and purposes, must be subject to a “data protection impact assessment” (Article 35). Carried out prior to sensitive processing, the assessment in question deals with specific elements aimed at detailing the operations envisaged and their purposes, highlighting their necessity and proportionality, measuring the risks they pose to the individual rights of the persons targeted, and explaining the answers given to these risks.

 

When the processing is carried out by a public authority, or when it requires “regular and systematic monitoring of data subjects on a large scale” or concerns very sensitive categories of data (criminal records, medical notes and so on), the regulation requires the appointment of a Data Protection Officer (DPO). This person is independent and responsible for ensuring the ongoing compliance with the GDPR of actions taken under the authority of the controller or the processor (Article 37).

 

Finally, all processing operations, whether involving confidential data or not, must be listed in a prescribed form and kept up to date in a ‘record of processing activities’ so as to demonstrate continuous compliance with the obligations imposed by the GDPR (Article 30).

 


June 2018 | Newsletter 10

 

RECENT CASE LAW


 

The refusal by a member of a management board to make the transition after a restructuring that does not meet his expectation of being appointed chairman of a French Société anonyme (SA) cannot serve as a valid reason for his dismissal – In this case, the individual in question was convinced that he would sooner or later succeed the President of the defendant SA. Contrary to this individual ambition to preside over the company, the supervisory board began a merger with a competing company. Determined to leave the executive board following the complete disappointment of his legitimate expectations, the plaintiff refused the offer of an amicable departure which required him to stay in place while the management of the company was restructured. His refusal is said to have motivated the decision of the members of the supervisory board to dismiss him on the spot.

 

Considering, by a judgement of December 7, 2017 (n° 16/01013), that the dismissal was not based on proper grounds, the Paris Court of Appeal ordered the SA to pay him compensation of 1.6 million euros on the basis of article L225-61, paragraph 1 of the French Code of Commercial Law.

 

The judges found that the disappointed expectations of the former board member were based on unfulfilled promises of the incumbent President. The willingness to negotiate his departure was justified by the circumstances, as were the claims made to compensate him, as these were consistent with the prior commitments of the SA to him.

 

In the end, the decision to dismiss him did not result from the injured member's decision to leave the company without a transitional period, but from the refusal of the supervisory board to honor the contractual terms of a dismissal without just cause.

 


 

The three-year limitation period for an action seeking to hold a corporate officer liable starts from the day of the harmful event, or from the day of its discovery in case of concealment – The date on which a company seeking to hold a director liable for misconduct committed in the execution of his mandate as an administrator was placed in receivership does not by default mark the starting point of the limitation period for the action. This is the position the judges of the French Cour d’appel of Bourges held on May 7, 2015, before the commercial chamber of the Court of cassation censured them pursuant to articles L225-254 and L227-8 of the French Code of Commercial Law by a judgement of December 20, 2017 (n° 15-23.218).

 

In this case, the director of a French Société par actions simplifiée (SAS), which had been in receivership since November 2, 2011, was receiving a monthly remuneration for the fulfillment of his corporate mandate. On March 21, 2013, he sued the SAS for payment of an amount equal to an unpaid portion of his remuneration. In response, the defendant filed a counterclaim for damages for misconduct by the plaintiff in the performance of his duties as an administrator.

 

The judges of the merits dismissed the director's claim before ordering him to pay damages commensurate with his wrongful conduct. According to them, the action against the director was not yet time-barred on the day the SAS filed its submissions seeking to hold him liable, since a period of less than 3 years separated that date, which was prior to the judgement of May 6, 2014, from the opening of the collective insolvency proceedings on November 2, 2011.

 

The judges of cassation rejected this reasoning on the ground that it started the three-year limitation period on the day the collective proceedings were opened without having verified that this was indeed the legal starting point, namely the commission or the revelation (after concealment) of the harmful facts.
