REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF 27 April 2016

on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC


The General Data Protection Regulation (GDPR), adopted on 27 April 2016, is principally aimed at strengthening the level of protection of personal data by increasing the accountability of those who collect it.

This Regulation will apply throughout the European Union from 25 May 2018. Processing operations already in place will, by that date, have to comply with its provisions.

Some of the provisions of the GDPR are in fact already effective in French law since the adoption of Law No. 2016-1321 for a Digital Republic of 7 October 2016, which reformed the Data Protection Act of 6 January 1978.

Regardless of their business sector, companies must be mindful of the responsibility created by the Regulation and of the self-managed compliance it requires, upstream and throughout the life of each processing operation, and must therefore review their internal processes accordingly.


  1. Organizational and institutional matters

  • Companies will deal with a "one-stop shop": the data protection authority of the Member State in which their "main establishment" is located (the "lead" authority). In France, this is the CNIL.
  • The national data protection authorities will be grouped together in a European Data Protection Board (EDPB), which will ensure the uniform application of the GDPR and replace the current Article 29 Working Party (G29): companies will thus benefit from a single point of contact for the European Union when they implement cross-border processing.


  2. Enhanced consent and transparency requirements

The consent of the user whose data are collected is at the heart of the Regulation: users must be informed of the use made of their data and must agree to its processing, or be able to object to it. The expression of this consent must be clear.

The burden of proving consent lies with the controller.


  3. New rights

  • The right to data portability: anyone can retrieve the data they have provided in a reusable form and transfer it to a third party. Individuals must be able to regain control of their data.
  • Right of action for associations: associations will now be able to bring collective actions in the field of personal data protection.
  • A right to compensation: anyone who has suffered damage as a result of a breach of the Regulation may claim compensation for that damage from the controller or the processor.

  4. Reduced red tape and accountability of stakeholders

In order to ensure optimal protection of the personal data they process, controllers and processors will have to put in place appropriate data protection measures and be able to demonstrate this compliance at all times ("accountability").

Consequences:

  • Elimination of prior declaration obligations for processing operations that do not pose a risk to the privacy of individuals.
  • For processing operations currently subject to authorization, the authorization regime may be maintained by national law (for example in the field of health) or will be replaced by a new procedure centred on the privacy impact assessment.

New compliance tools also appear:

  • keeping a record of the processing activities carried out
  • notification of security breaches (to the supervisory authority and to the persons concerned)
  • certification of processing operations
  • adherence to codes of conduct
  • the Data Protection Officer (DPO)
  • the Privacy Impact Assessment (PIA)

4.1 Privacy Impact Assessment (PIA)

For all processing operations presenting a risk, the controller must conduct a full impact assessment describing the characteristics of the processing, the risks and the measures adopted.

  • In particular, this concerns the processing of sensitive data (data revealing racial or ethnic origin, political, philosophical or religious opinions, trade union membership, data concerning health or sexual orientation, and now also genetic or biometric data) and processing based on "the systematic and thorough evaluation of personal aspects of natural persons", that is to say including

4.2 Changes concerning non-EU data transfers

Controllers and processors may transfer data outside the EU provided that they manage these transfers with tools ensuring a sufficient and appropriate level of protection for individuals.

In addition, data transferred outside the Union remain subject to Union law not only for the transfer itself but also for any further processing and onward transfer.

Thus, apart from transfers based on a European Commission adequacy decision, controllers and processors can put in place:

  • binding corporate rules (BCR);
  • standard contractual clauses approved by the European Commission;
  • contractual clauses adopted by a supervisory authority and approved by the European Commission.

New tools are also planned:

  • for processors: the possibility of setting up binding corporate rules;
  • for public authorities: the use of binding agreements;
  • for controllers and processors: adherence to codes of conduct or a certification mechanism. Both tools must contain binding commitments.

Finally, a specific authorization from the CNIL is no longer required.


  5. Appointment of a data protection officer, mandatory in some cases

Controllers and processors will be required to designate a data protection officer:

  • if they belong to the public sector,
  • if their core activities lead them to carry out regular and systematic monitoring of individuals on a large scale,
  • if their core activities lead them to process (again on a large scale) so-called "sensitive" data, or data relating to criminal convictions and offences.

Apart from these cases, the appointment of a data protection officer (shared or external) remains possible.

The data protection officer is responsible for:

  • informing and advising the controller or the processor, as well as their employees;
  • monitoring compliance with the European Regulation and national data protection law;
  • advising the organization on conducting an impact assessment (PIA) and verifying its implementation;
  • cooperating with the supervisory authority and acting as its point of contact.


  6. Principle of so-called "minimization" under the responsibility of controllers

Controllers (organizations that determine the purposes and means of processing personal data) must implement all the technical and organizational measures necessary to protect personal data, both from the design of the product or service ("by design") and by default.

They will have to take care to limit the amount of data processed from the outset ("minimization" principle).


  7. Obligations specific to processors

These obligations apply to all organizations that process personal data on behalf of another organization as part of a service. In particular:

  • IT service providers (hosting, maintenance, etc.),
  • software integrators,
  • computer security companies,
  • digital service companies, formerly Computer Service and Engineering Companies (CSECs), that have access to the data,
  • marketing or communication agencies that process personal data on behalf of their clients.

These processors:

  • must take data protection into account from the design of the service or product and by default, and put in place measures to ensure optimal data protection,
  • are required to comply with specific obligations regarding security, confidentiality and accountability,
  • in particular, have an obligation to assist the controller in complying with certain obligations of the Regulation (PIA, breaches, security, destruction of data, contribution to audits),
  • must keep a record of the processing activities performed on behalf of their clients and designate a DPO under the same conditions as a controller.


  8. Enhanced sanctions

Administrative fines are more severe: depending on the category of infringement, they may be up to 10 or 20 million euros or, in the case of a company, 2% to 4% of total annual turnover, whichever is higher.

Controllers and processors may therefore be subject to significant administrative penalties in the event of a breach of the provisions of the Regulation.


Companies' course of action should therefore be to ensure that they have the tools and documentation that will allow them to integrate the new logic of accountability and respect the new rights of the users whose data are collected and processed.

Their duties are therefore:

  • to verify that their processing activities are subject to the provisions of the Regulation,
  • to audit their current data protection processes,
  • to formalize in writing their relations with their business partners and/or the companies of their group,
  • to appoint, if necessary, a Data Protection Officer,
  • to put in place, if necessary, a register of processing activities.


Gwendal Barbaut and Anne Rossoux

Attorneys at Law, IPSIDE AVOCAT
