You cannot trade a customer file which does not comply with the French Data Protection Act


On June 25, 2013, the French Supreme Court rendered a cornerstone decision for all agreements dealing with personal data.

In 2008, a company sold its electronic customer file to its successor in business. It quickly came to light that most of the information was outdated or irrelevant and that the file had not been notified to the CNIL (the French data protection authority). The buyer then sued the seller to have the sale cancelled, on the grounds that the file did not comply with the agreement and that the purpose of the sale was unlawful.

The French Supreme Court decided that the sale must be cancelled and the price paid reimbursed, in light of the following considerations:

  1. Any electronic file of personal data must be notified to, or authorized by, the CNIL in compliance with Act n°78-17 of January 6, 1978 relating to Data Protection (the "French Data Protection Act");
  2. Non-compliance with the French Data Protection Act implies that the file falls outside the remit of “objects which can be traded” and may not be subject to a legal transaction, as provided for by article 1128 of the French civil code (thereby applying to a non-registered file the same legal regime as for the human body!);
  3. The purpose of the sale was therefore unlawful, rendering the sale null and void, although such nullity is not expressly provided for in the French Data Protection Act.

In recent years, compliance with the French Data Protection Act has mainly been enforced in two areas: administrative sanctions by the CNIL, and the value of evidence gathered through electronic means in employment-related disputes. This recent decision brings to light an additional legal tool for enforcing the French Data Protection Act.

This decision demonstrates the significant risk incurred when entering into agreements which deal with personal data whose compliance with the French Data Protection Act has not been fully assessed. When the validity of the agreement is exposed to such a risk, taking measures to ensure compliance and performing due diligence become mandatory. In addition, this risk needs to be addressed not only for sales of customer files but, more importantly in our data-centric world, for any agreement involving the processing of personal data, such as sourcing and outsourcing arrangements, as well as most M&A transactions.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© White & Case LLP | Attorney Advertising