Personal data is any information relating to an identified or identifiable natural person, also known as a data subject.
By “identifiable natural person”, the GDPR refers to any natural person who can be identified, directly or indirectly, in particular by reference to an identifier.
It can therefore be particularly varied information, such as a name, an identification number, GPS information, a license plate, a blood type, a shoe size, a bank account, a genome…
The personal data may relate to physical, physiological, genetic, psychological, economic, cultural or social identity.
The notion of personal data is not restricted to sensitive or private information, but potentially includes all kinds of information, both objective and subjective in the form of opinions or assessments, provided that they “concern” the person in question.
Thus, data that is publicly accessible, for example on the Internet or in mailboxes, can qualify as personal data.
Subject to the application of the GDPR, personal data must be:
- Processed in a lawful, fair and transparent manner with regard to the data subject;
- Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes;
- Adequate, relevant and limited to what is necessary for the purposes for which they are processed;
- Accurate and, if necessary, kept up to date;
- Kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which they are processed;
- Processed in such a way as to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
The processing of special categories of data, which deserve a higher level of protection, is subject to a more restrictive framework.
“The rapid evolution of technology and globalization have created new challenges for the protection of personal data. The scope of personal data collection and sharing has increased significantly. Technologies allow both private companies and public authorities to use personal data as never before in their activities. Increasingly, individuals are making information about themselves publicly available on a global level. Technology has transformed both the economy and social relations, and should further facilitate the free flow of personal data within the Union and their transfer to third countries and international organizations, while ensuring a high level of protection of personal data.”
Recital 6 of the GDPR
Point of jurisprudence
As the Court of Cassation has pointed out, “IP addresses, which make it possible to indirectly identify a natural person, are personal data, so that their collection constitutes processing of personal data and must be subject to a prior declaration to the CNIL, the Court of Appeal violated the above-mentioned texts”.
Court of Cassation, Civil, Civil Division 1, November 3, 2016, No. 15-22.595
The Bouchara firm assists you in particular with:
- Making your organization GDPR compliant;
- Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
- Obtaining certifications and adhering to codes of conduct;
- The study of the legal feasibility of the implementation of a new personal data processing;
- The drafting and transmission of your codes of conduct to the CNIL for approval;
- Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
- Drafting and negotiating your data processing agreements (DPA);
- Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
- Training and awareness of your employees.