GDPR and data protection

Areas of expertise > GDPR and data protection

The GDPR and the protection of personal data contribute to the realization of an area of freedom, security, justice, economic and social progress, to the consolidation and convergence of economies within the European Union, and to the well-being of individuals.They contribute to the right of privacy and family life, home and communications, freedom of thought, conscience and religion, freedom of expression and information, cultural, religious and linguistic diversity, freedom of trade, the right to an effective remedy and to a fair trial.

GDPR and data protection

The processing register contributes to the documentation of the organization’s compliance and is an excellent management tool as it allows the deduction of a compliance action plan.

Indeed, it allows the organization to determine whether the characteristics of certain processing operations are not compliant (for example, whether data are kept within the erasure period) and therefore the measures to be implemented.

Thus, each record in the register allows us to verify that the data are relevant and necessary for the purpose of their processing. If necessary, the organization may then proceed to delete some of the data it processes and establish a more appropriate data processing policy.

How to organize its internal processes?

The establishment and organization of data protection policies contributes to the documentation of the organization’s compliance, as does the processing log.

The purpose of these internal processes must be to guarantee the protection of the data processed by the organization adapted to the risk, and to allow for adaptation to the evolution of this risk.

They must therefore take into consideration all the events that may occur during the life of the processing operations implemented by the organization, taking into account the state of knowledge, the costs of implementation and the nature of the scope, context and purpose of these processing operations. The following documents may be included in this body of internal process documentation:

– Cryptography Policy;
– Interoperability Framework;
– Data Transfer Framework;
– Project Management Guide ;
– Subcontracting agreement template ;
– Catalog of authorized tools ;
– Authentication repository;
– WEB repository ;
– Tracks repository ;
– User charter ;
– Administrator’s Charter ;
– Charter provider ;
– Privacy Policy;
– Document Management Policy;
– WSIS Governance Policy ;

In any case, internal policies must take into account the protection of personal data from the very beginning of the processing (minimization of data collection with regard to the purpose of the processing, duration of data retention proportionate to the purpose of the processing, information of the persons concerned, obtaining the consent of the persons concerned if necessary, security and confidentiality of the data, role and responsibility of the actors involved in the processing…).

How to contractualize its data processing?

The processing of data involving several actors must be contractualized under the conditions provided under the GDPR. The conditions for contracting treatments depend on the role of the different actors in the treatment concerned.

Thus, if an organization processes data exclusively on behalf of and at the direction of another organization that has determined the purposes and a substantial part of the means of such processing, it will qualify as a processor of that second organization.

Under these conditions, the processor must provide sufficient guarantees that the processing meets the requirements of the GDPR and ensures the protection of the rights of the persons whose data is processed. Such processing shall be governed by a contract or other legal instrument binding the processor to the controller, defining the purpose and duration of the processing, its nature and purpose, the type of data and categories of data subjects, and the rights and obligations of the parties.

As a matter of principle, this subcontract must at least provide that the subcontractor :

Processes data only on the instructions of the controller;

Ensures that its staff is committed to respecting the confidentiality of data;

Takes all appropriate technical and organizational measures to ensure a level of data security appropriate to the risk;

Does not hire another processor without the permission of the controller, and vouches to the controller for the other processor’s performance of its obligations;

Assists the data controller in responding to requests from data subjects to exercise their rights regarding their data;

Assists the data controller in meeting its obligations regarding data security, notification to the CNIL of a data breach, communication to the data subject of a data breach, data protection impact assessment and prior consultation of the CNIL when the impact assessment indicates that the processing would present a high risk;

Depending on the choice of the controller, deletes all data or returns them to the controller at the end of the service, and destroys existing copies;

Provides the data controller with all the information necessary to demonstrate compliance with its obligations and to allow audits to be carried out.

Ensures that its staff is committed to respecting the confidentiality of data;

Takes all appropriate technical and organizational measures to ensure a level of data security appropriate to the risk;

Does not hire another processor without the permission of the controller, and vouches to the controller for the other processor’s performance of its obligations;

Assists the data controller in responding to requests from data subjects to exercise their rights regarding their data;

Assists the data controller in meeting its obligations regarding data security, notification to the CNIL of a data breach, communication to the data subject of a data breach, data protection impact assessment and prior consultation of the CNIL when the impact assessment indicates that the processing would present a high risk;

Depending on the choice of the controller, deletes all data or returns them to the controller at the end of the service, and destroys existing copies;

Provides the data controller with all the information necessary to demonstrate compliance with its obligations and to allow audits to be carried out.

When several actors jointly determine all or part of the purposes and means of the processing, they will be qualified as joint controllers.

Under these conditions, they must define their respective obligations by agreement and in a transparent manner. The broad outlines of this agreement must be made available to the persons concerned, for example on the websites of the organizations concerned.

Finally, when several actors determine by their own the purposes and means of the processing, they will be qualified as separate data controllers. However, if this processing requires the transmission of data from one data controller to another, this transmission must also be regulated, especially in order to guarantee its lawfulness (information of the data subjects, obtaining their consent if necessary, etc.).

Particular attention must be paid to the supervision of data transfers outside the European Union, requiring a systematic analysis of their lawfulness and, where necessary, the use of standard contractual clauses, binding company rules or certifications.

Appoint a Data Protection Officer

The Data Protection Officer (DPO) is the successor to the Data Protection Correspondent since the GDPR came into force. Its mission is to inform and advise organizations processing data on their obligations under the GDPR and the Data Protection Act.

The DPO is the privileged point of contact between the organization that appointed him and the persons whose data are processed by this organization, as well as the CNIL, in particular within the framework of its controls, concerning all questions relating to data protection within the organization.

Its designation is mandatory when the data processing activities :
– Are carried out by a public authority or public body; or
– Consist of regular and systematic monitoring of individuals on a large scale; or
– Consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

In any case, the nomination of a DPO is recommended for all organizations in order to have permanent support in data protection, and thus facilitate the organization’s compliance with the GDPR (updating of the register of processing, contractualization of processing, advice on data protection by default and by design, management of breaches …)

Indeed, the delegate must be appointed on the basis of his professional qualities and, in particular, his specialized knowledge of data protection law and practices. Its ability to perform its duties independently and confidentially, while reporting directly to the highest level of its management is essential.

For this reason, the DPO may be a member of the staff of the organization that appointed him or her or perform his or her duties on the basis of a service contract (lawyer or consultant) in order to guarantee his or her independence.

Our services

Bouchara & Avocats will assist and advise you in order to bring your organization into compliance with the GDPR and the laws of the European Union member states relating to data protection, and to maintain this compliance over time.

Personal data and digital law team

Personal data and digital law team

Areas of focus