Personal Data Security Obligation Under French Law

Under French law, companies can be held liable if they do not take steps to protect the security of their customers’ personal data. In Kitetoa vs. Ministère Public and Tati (February 13, 2002), the Criminal Court of Paris recalled this obligation, which is specified in Article 226-17 of the Penal Code. The criminal sanctions attached to this obligation should be taken into account by every website collecting and processing personal data.

The following questions have been addressed in this article:

What is the basis of the obligation to guarantee the security of personal data?
To what extent should personal data be protected in order to comply with the obligation of Article 226-17 of the Penal Code?
What are the consequences of this decision regarding the obligations of Internet security companies?


Facebook Twitter RSS