The GDPR refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
It succeeds Directive 95/46/EC and governs in particular within the European Union the protection of individuals with regard to the processing of their personal data.
More specifically, the GDPR aims to contribute to the achievement of an area of freedom, security and justice and an economic union, to economic and social progress, to the consolidation and convergence of economies within the internal market, and to the well-being of individuals.
It intends to respect all fundamental rights and observe the freedoms and principles recognized by the Charter of Fundamental Rights of the European Union and enshrined in the Treaties, in particular respect for private and family life, home and communications, protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom of enterprise, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
The RGPD also aims to guarantee legal certainty and transparency to economic operators by preventing discrepancies in the level of protection of individuals within the European Union from hindering the free movement of personal data within the internal market.
Although it does not apply to the processing of personal data carried out by a natural person in the course of strictly personal or domestic activities, and therefore not related to a professional or commercial activity, as well as to the personal data of deceased persons, its scope remains particularly broad since :
- Processing of personal data that takes place in the course of the activities of an establishment of a controller or processor in the territory of the European Union should be carried out in accordance with the GDPR, regardless of whether the processing itself takes place in the Union;
- The processing of personal data of data subjects located in the European Union by a data controller or a processor who is not established in the Union should also be subject to this Regulation where such processing relates to the monitoring of the behaviour of such persons insofar as it relates to their behaviour within the European Union.
Although it is a European Regulation and therefore directly applicable in the Member States of the European Union, the RGPD allows the latter to clarify or limit some of its rules, in particular with regard to :
- the processing of personal data necessary for the fulfilment of a legal obligation, the performance of a task in the public interest or in the exercise of official authority vested in the controller;
- the processing of special categories of personal data;
- the processing of personal data of deceased persons.
This is notably the case in France with the Data Protection Act, modified following the implementation of the RGPD.
1. This Regulation establishes rules on the protection of individuals with regard to the processing of personal data and rules on the free movement of such data.
2. This Regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data.
3. The free movement of personal data within the Union shall not be restricted or prohibited on grounds relating to the protection of individuals with regard to the processing of personal data.
Article 1 of the GDPR
Point of jurisprudence
The Austrian supervisory authority points out that ” The European legislator assumes that the rights and freedoms granted by the GDPR do not apply without restriction and must be balanced against other fundamental rights in compliance with the principle of proportionality. In order to achieve this objective, corresponding restrictions of the fundamental right to data protection and the associated rights of data subjects are provided for, either in the GDPR itself or through a correspondingly granted scope of application (“opening clauses”), which allows the national legislator to provide for corresponding restrictions in national provisions “.
Datenschutzbehörde, July 26, 2019, No. DSB-D123.921/0005-DSB/2019
The Bouchara firm assists you in particular in :
- Making your organization RGPD compliant;
- Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
- Obtaining certifications and adhering to codes of conduct;
- The study of the legal feasibility of the implementation of a new personal data processing;
- The drafting and transmission of your codes of conduct to the CNIL for approval;
- Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
- Drafting and negotiating your data processing agreements (DPA);
- Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
- Training and awareness of your employees.