The acronym GDPR stands for « General Data Protection Regulation« . It provides a framework for the processing and circulation of personal data within the territory of the European Union. This European regulation, which actually dates from April 27, 2016, entered into force in all Member States on May 25, 2018. It is directly applicable and binding since that date. The GDPR was born out of the European desire to create a unified legal framework, in order to face the major challenges of the processing of personal data.
Who is concerned?
The GDPR applies to any organization, regardless of its size, processing personal data on its behalf or not, as long as it is established in the territory of the European Union or its activity directly targets European residents. The scope of the GDPR is therefore extremely wide since all companies are in fact affected regardless of their size or workforce. The responsibility for the implementation of data protection rests with the employer, the latter being considered as the controller, i.e. the person responsible for verifying the compliance of the data processing with the GDPR. . Thus, the employer must exercise extreme vigilance with regard to this compliance
What is a personal data?
The notion of personal data is extremely broad since it is defined by the CNIL as « any information relating to an identified or identifiable natural person ». Identification can be done directly (last name, first name, postal address) or indirectly (physical elements, identifier, IP address, number). In addition, personal data are also considered to be personal data which, by combining several pieces of information (date of birth, sex, city, diploma, etc.) or the use of various technical means, allow a person to be identified.
What are the obligations of companies?
According to article 5.1 of the GDPR, personal data must be: • Processed lawfully, fairly and transparently; • Collected for specific, explicit and legitimate purposes; • Adequate, relevant and limited; • Accurate and kept up to date; • Kept for a reasonable period of time; • Processed in such a way as to guarantee their protection. In order to comply with the GDPR and comply with the six essential obligations set out above, the CNIL recommends that companies take six actions:
1- Designate a pilot
The CNIL strongly recommends that all companies designate a person responsible for ensuring compliance with the GDPR. This player will allow dialogue with the data protection authorities and thus reduce the risk of litigation. Some companies that process so-called « sensitive » data have the obligation to appoint a data protection officer. This designation is also mandatory for public bodies and companies whose activity requires regular monitoring of large-scale people such as a person’s political, philosophical or religious opinions.
2- List the files
Companies with more than 250 employees are required to set up a data processing register. This consists of identifying the main activities of the company requiring the collection and processing of personal data. For each activity, companies must then list the controller, the objective pursued, the category of data used, the persons having access to it and the retention period of said data. The CNIL offers a model of this register on its website: https://www.cnil.fr/fr/RGDP-le-registre-des-activites-de-traitement
3- Identify risquy treatment
The controller has the obligation to be able to prove at all times that the processing operations he manages comply with the GDPR. Companies are therefore advised to sort their data to verify that each backup is necessary and relevant. In addition, the CNIL warns companies against certain treatments requiring special vigilance. This concerns in particular the processing of data relating to vulnerable persons, the systematic surveillance of persons, the crossing of data sets or the processing of so-called « sensitive » data. Indeed, if the data processing concerned meets at least two of the criteria provided for by the GDPR, an impact analysis on data protection will have to be carried out.
4- Respect the rights of individuals
Companies have an obligation to provide their employees with information relating to the collection and processing of their data. This information must be provided as soon as the data is collected or within one month of this collection when the elements are collected indirectly. It can be carried out on paper or electronically allowing data collection. It may also be the subject of a memo, posting or dissemination on the company’s intranet, when a monitoring system is put in place. In addition, companies have an obligation to guarantee the rights of the persons whose data is processed by allowing the effective implementation of these rights. It is therefore recommended that companies provide the persons concerned with material resources, such as a telephone number, an e-mail address or a form in paper or electronic format. v Secure data:
5- How to act in the event of a security breach?
In the event of a personal data breach, a double notification obligation is imposed on the employer; to the CNIL, within 72 hours and to the person concerned, as soon as possible. According to the CNIL, such a violation can be analyzed as “accidentally or unlawfully leading to the destruction, loss, alteration or unauthorized disclosure of personal data transmitted, stored or processed in any other way, or unauthorized access to such data ”.
6- What are the penalties?
In France, only the CNIL has the capacity to sanction companies in the event of disregard of the provisions of the regulation. The CNIL can thus pronounce several administrative sanctions: warning, formal notice, injunction to cease processing, suspension of data flows, order to satisfy requests for the exercise of the rights of individuals or to rectify, limit or erase data. In addition, administrative fines can be pronounced and amount, depending on the category of the offense, to 10 or 20 million euros, or to 2% up to 4% of the worldwide annual turnover of the company, whichever is greater.