All about GDPR

General guidelines

The tone is set in Article 5 of the Regulation. This article, entitled “Principles relating to processing of personal data”, brings together the general guidelines applicable to the processing of personal data.

Thus, it is explicitly stated that:

• The processing of personal data shall be lawful, fair and transparent. In other words, data subjects must be expressly informed of the purpose for which their data are processed.
• The processing shall have a specific, explicit and legitimate purpose. It is therefore up to the data controller to specify the intended purpose when setting up the processing. Thus, it is not possible to use the data collected for the purpose of participating in a contest to send advertising.

• Data collection shall be minimized. The data collected shall therefore be strictly limited to what is necessary. For example, it is not permitted to collect the national insurance number for the purpose of delivering orders.
• The data collected shall be accurate. Therefore, data must be kept up to date, which requires rectification and deletion if necessary.
• Data shall be collected for a strictly limited period. It is, therefore, not possible to keep your customers’ data forever.
• Data shall be processed securely. As the guarantor of the integrity and confidentiality of the data entrusted to it, the data controller – by which we mean the person who decides to process the data – must process it in such a way that it guarantees its security.

People’s rights strengthened

The GDPR devotes no less than 13 articles to the rights of individuals, which proves their importance.

Thus, any person whose personal data you process – whether it is your customers, prospects, suppliers or even your employees – is entitled to contact you in order to find out to what extent their data is being processed (right of access), to have it corrected (right to rectification) or simply, especially for processing based on consent, to have it deleted (right to erasure).

In a few cases – 4 to be precise – provided for by the GDPR, the person whose data is processed also has a right to restrict the processing of his or her personal data. In practice, this means that the data controller may no longer process the data, but must still retain it.

This right should not be confused with the right granted to the person whose data are processed to object at any time to processing based either on a task of public interest or on the legitimate interest of the controller or whose purpose is commercial prospecting (right of objection). In this case, the processing of the data will no longer be authorized, although their erasure will not be required.

Furthermore, for any processing based on consent or on the performance of a contract or pre-contractual measures and when the processing is carried out by means of automated processes, the person whose data are processed has a right to the portability of the processing. He or she is thus entitled to request access to his or her data so that they can be transmitted – sometimes even directly by the data controller – to a third party.

The range of people’s rights has therefore expanded considerably with the arrival of the GDPR.

An imperative for compliance

The entry into force of the GDPR has also forced entities processing personal data to take responsibility for their practices by forcing them to question their own practices and to document their own compliance with the regulation.

This means that prior declarations to the CNIL are no longer necessary. From now, each company must ensure the conformity of the processing implemented and be able to justify the legality of the processing in the event of an inspection by CNIL officials.

Thus, it is up to the data controllers to keep a record in which all the processing operations carried out are compiled and described.

Given the importance of the processing of personal data, the GDPR also requires that a written contract be concluded with each person who processes personal data on behalf of the data controller, whose identity must also appear in a specific record known as the “register of sub-processors”.

In order to ensure compliance with good practice in the processing of personal data on a daily basis, the GDPR also provides for the appointment of a Data Protection Officer (DPO).

This designation is inter alia mandatory for public bodies and authorities, for entities carrying out regular and systematic monitoring of people on a large scale and for those processing sensitive data or data relating to criminal convictions on a large scale.

Keeping records, contractualization, answering to requests from data subjects to exercise their rights, security obligations and other impact analyses… these are the obligations that now weigh on each entity processing personal data.

Linkea’s legal advisors may support you to understand the many requirements of the GDPR.