What you need to know about the RGPD
The RGPD, the European General Regulation on the Protection of Personal Data (GDPR), comes into force on 25 May 2018. All member countries of the European Union are concerned by this text.
Companies are obliged to comply with this Regulation by the time it applies. Some are apprehensive about it, even though its provisions bring benefits.
What is meant by RGPD? What are its objectives and main measures? How can a company comply with this regulation?
What's the RGPD?
This text, adopted on 27 April 2016, protects the personal data, and thus the privacy, of European Internet users. It enables them to control their private information. It has an impact on EU professionals who collect personal data. In France, it is the CNIL that will ensure the proper implementation of the RGPD, inter alia through checks on companies.
Who's involved?
All organisations, in the broadest sense, are concerned by the RGPD, as long as they process personal data: from the public limited company to the micro-entrepreneur, the one-man limited liability company, the public body or even the association.
Personal data, what is it?
Data are said to be personal when they allow the direct or indirect identification of an individual. Personal data therefore include the following information: surname, first name, address, email, telephone number, IP address of the computer, profiling data...
The three objectives of the RGPD
The RGPD has a triple purpose:
- Strengthen the rights of all citizens over their personal data;
- Intensify the control of private information and of the structures collecting it, as well as the implementation of sanctions in the European Union;
- Make companies collecting personal data responsible.
The five key measures of the RGPD
The European Regulation includes five main measures:
Securing the processing of personal data
Companies must guarantee, and be able to prove, that data processing is secure and compliant with the RGPD at any given moment. Traceability of data processing must be feasible in order to assess companies' good practices regarding the use of personal information.
The mandatory declaration of data processing files to the CNIL will no longer exist: this makes the organisations processing data responsible, as they now have an obligation to comply.
Making the processing of personal information transparent
The collection and processing of data must be transparent: the data subject must be able to give his or her consent, be aware of the objectives pursued and the length of time the data will be kept. The structure must keep this information in order to keep proof of it in case of control by the CNIL.
And, of course, any person can request the rectification, portability or deletion of his or her data at any time, with clear information on the procedure for making such a request.
Inform the CNIL of any flaw that endangers privacy
A company that discovers a flaw in its information system (an external hack, for example) which is likely to infringe on the privacy of the people whose data it has collected must inform the CNIL within 2 days of the discovery of the flaw.
Extending obligations to subcontractors
Subcontractors working for organisations carrying out data processing must comply with the RGPD. Consequently, companies are obliged to select service providers that comply with the provisions of the Regulation.
To give a simple example, an entrepreneur who collects personal data on his website via a contact form must ensure that the host of his website, through which this data transits, is itself in compliance with the RGPD.
Conferring new rights on citizens
The Regulation provides rights related to the use and processing of personal data:
- Thanks to the right to be forgotten (right to oblivion), a person can request the permanent deletion of his or her personal data;
- Via the right to data portability, individuals have the possibility to request the personal data they have provided to an organisation, which must be transmitted to them in an intelligible and easily reusable format;
- According to the law on the protection of data of minors, minors under 16 years of age (15 years of age in France) cannot themselves give their consent to the collection of personal data concerning them. The consent of their legal representative is required.
The five steps to bring a company into compliance with the RGPD
For the CNIL, these phases allow companies to comply with the Regulation in May 2018, or at least to be on track to compliance:
- The RGPD invites you to choose a Data Protection Officer (DPO). This appointment is mandatory for public bodies, bodies working with data on a large scale and, in particular, bodies collecting sensitive health and legal data.
The DPO ensures compliance with the RGPD and monitors the work done on data protection. As the DPO must be independent, he or she cannot be the chief executive. In small structures, the appointment is not mandatory, and the role can also be outsourced (several small structures can share a DPO in order to reduce costs);
- Identify the various personal data processing operations carried out in the company, as well as their purposes (this makes it possible to delete data for which the purpose has been achieved, or to limit certain collections to data strictly necessary for the fulfilment of the purpose). These processing operations must be recorded in a specific register;
- Carry out an analysis of the impact on the privacy of the persons concerned by the processing operations carried out by the company. The CNIL has developed open source software that allows the impact study to be carried out according to its method;
- Secure personal data internally (secure servers, encryption of certain data, passwords to access equipment that allows data to be consulted such as PCs, telephones..., tracing of connections...);
- The CNIL recommends keeping proof of compliance to prove the company's good faith.
This well-designed graphic gives general information on the RGPD, as well as many useful links: see the video.
Overall, most of the answers to the questions asked by companies can be found on the CNIL website, which provides tools and templates for files or clauses to comply with the RGPD.
In order to be ready on time, companies can also turn to an Industrial Property Attorney to take stock of the various elements that need to be improved for compliance.