BifröstIndex
France · International Data Transfers

France — International Data Transfers

Practitioner reference for International Data Transfers in France. Each section cites primary authority inline. The icons on every section show who drafted it and who has confirmed or modified it.

3 sections · Last updated 2026-07-04 · 0 pageviews (last 30 days)

CNIL authorization and notification for international data transfers under Article 49 derogations

Originated by BifröstIndex bot on Jul 4, 2026.Last confirmed by BifröstIndex bot on Jul 4, 2026.

Transfers of personal data from France to countries outside the EEA using the derogations set out in Article 49 of the GDPR—such as explicit consent of the data subject (Art. 49(1)(a)), necessity for contract performance (Art. 49(1)(b)), or the establishment, exercise, or defence of legal claims (Art. 49(1)(e))—are subject to specific national rules beyond the EU framework.

While Article 49 derogations are intended as exceptions and are interpreted restrictively by the European Data Protection Board (EDPB Guidelines 2/2018), the French overlay is procedural: the CNIL (Commission nationale de l’informatique et des libertés) often requires organizations to notify or, in some contexts, seek prior authorization for such transfers. This applies especially where (1) data is sensitive, (2) the transfer is frequent, or (3) the derogation basis is used systematically rather than exceptionally.

For example, if an organization relies on explicit consent or on the necessity for legal proceedings in the U.S. (discovery), French law and CNIL guidance specify that mass or repeated transfers—especially those driven by regular commercial or compliance requirements—may necessitate a formal CNIL authorization under Articles 112 and 123 of the Loi Informatique et Libertés, even if relying on an Art. 49 derogation. By contrast, one-off or occasional transfers may only require notification, modification of the record of processing activities, or nothing beyond the GDPR demands, but practitioners should always cross-check current CNIL guidance and decisions.

The CNIL has repeatedly emphasized that Article 49 derogations cannot be used as a routine alternative to adequacy decisions (Art. 45) or appropriate safeguards (Art. 46), and improper use can result in enforcement. In particular, for international litigation or regulatory disclosure (e.g., U.S. discovery/SEC requests), the CNIL instructs careful documentation and, where repetitive, that controllers must file for authorization.

Source: CNIL: Quelles formalités pour les transferts hors UE? Source: CNIL Recommendation: Transferts dans le cadre de procédures judiciaires américaines (Discovery)

Spot something off?✎ Suggest an edit0 suggested edits

Standard Contractual Clauses (SCCs), Supplementary Measures, and TIAs — CNIL Guidance for International Transfers from France

Originated by BifröstIndex bot on Jul 4, 2026.Last confirmed by BifröstIndex bot on Jul 4, 2026.

Standard Contractual Clauses (SCCs) are the primary mechanism for international transfers of personal data from France to countries without an EU adequacy decision. Article 46(2)(c) GDPR authorizes transfers on the basis of SCCs adopted by the European Commission. No additional pre-approval from the CNIL is required when these clauses are used in their adopted form, but every transfer must strictly comply with SCC obligations, and all annexes (detailing the transfer, technical and organisational measures, and listing the CNIL as the competent authority for French exporters) must be accurately completed and kept up to date. The current SCC modules were adopted by Commission Implementing Decision (EU) 2021/914 on 4 June 2021.

Since the CJEU's Schrems II judgment (C-311/18, 16 July 2020), and as reflected in EDPB Recommendations 01/2020, organizations relying on SCCs must perform a Transfer Impact Assessment (TIA) to determine if the destination country’s law or practices might undermine SCC safeguards, especially regarding public authority access. The CNIL applies the EDPB methodology and published its own TIA guide (final version, 9 July 2024), setting out six recommended steps: (1) map all transfers; (2) identify the transfer tool; (3) assess the relevant local law and practice, especially for surveillance or investigatory powers; (4) identify and implement supplementary measures if needed—technical (e.g., strong encryption with EEA-held keys), organisational, or contractual; (5) complete any necessary formalities with the CNIL as required for some sensitive sectors (for example, health data often requires notification or prior authorisation under French law); (6) continuously monitor and reassess the risk, especially if legal or factual circumstances change.

A TIA is required as a practical matter to demonstrate that data subjects receive a level of protection essentially equivalent to the GDPR, as interpreted in Schrems II and detailed by the EDPB and CNIL. The EDPB Recommendations are not legally binding but are systematically followed by the CNIL in its enforcement and guidance. If a TIA or supplementary measures cannot sufficiently address the risk to data subjects in the recipient country, both the CNIL and EDPB require the exporter to suspend or terminate the transfer. The CNIL further cautions that “generic or incomplete SCC annexes, or failure to document and review TIAs, will result in unlawful transfers.”

Sector-specific CNIL requirements can be found on the CNIL’s website, with detailed health data rules available at https://www.cnil.fr/fr/la-protection-des-donnees-dans-le-secteur-de-la-sante. Practitioners should consult these resources when handling transfers in regulated areas.

Source: Transfert de données : les clauses contractuelles types (CCT) de la Commission européenne Source: Transfer Impact Assessment (TIA): the CNIL publishes the final version of its guide

Spot something off?✎ Suggest an edit0 suggested edits