Lexicon > VPN (Virtual Private Network)

IT Glossary

VPN (Virtual Private Network)

A VPN is a private communication channel that most often uses the Internet infrastructure to transmit data that is generally protected by encryption techniques.

It allows two physical networks to be connected by a virtual tunnel. Only the computers on the local networks on both sides of the VPN can exchange, see each other and access shared data.

VPNs often have a gateway to change the source IP address, making it more difficult to identify and locate the user.

The use of VPNs also makes it possible to bypass the geographical restrictions of certain services or their administrative blocking implemented in certain countries.

These virtual private networks are not expressly prohibited by French law, but their use is often carried out for illicit purposes: downloading works protected by copyright, selling counterfeit products, cyber harassment, swindling, piracy…

Thus, it is not so much the tool but rather the purpose of its use by the Internet user that may be prohibited by French law.

In some countries, and in particular in the United Arab Emirates, the use of a VPN for fraudulent or criminal purposes is heavily punishable as such.

GDPR focus

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, varying in probability and severity, to the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, inter alia, as necessary:

  1. a) Pseudonymization and encryption of personal data;
  2. (b) means to ensure the continued confidentiality, integrity, availability, and resilience of processing systems and services;
  3. (c) means to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  4. d) a procedure to regularly test, analyze and evaluate the effectiveness of the technical and organizational measures to ensure the security of the processing.

Article 32(1) of the GDPR

Case law focus

The Norwegian regulator notes that “it will often be difficult to determine the location of an IP address with certainty, especially if a cell phone and a VPN (Virtual Private Network) are used.

Datatilsynet, June 22, 2021, N°PVN-2021-06

The Bouchara firm assists you in particular in :

  • Making your organization GDPR compliant;
  • The drafting of data protection policies (privacy policy, computer charter …);
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • The drafting and transmission of your codes of conduct to the CNIL for approval;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;
  • Drafting and negotiating your data processing agreements (DPA);
  • Drafting your Binding Corporate Rules (BCR) and Codes of Conduct;
  • Training and awareness of your employees.

We are also the external Data Protection Officer of many data processors and subcontractors.