GDPR and data protection


The GDPR and the protection of personal data contribute to the realization of an area of freedom, security, justice, economic and social progress, to the consolidation and convergence of economies within the European Union, and to the well-being of individuals. They contribute to the right to privacy and family life, home and communications, freedom of thought, conscience and religion, freedom of expression and information, cultural, religious and linguistic diversity, freedom of trade, and the right to an effective remedy and to a fair trial.

GDPR and data protection

Personal data processing operations are constantly carried out by companies and local authorities. They are essential to their functioning in the context of the information society.

Personal data is information that can be used to identify individuals, directly or indirectly. Its processing is likely to affect their rights and freedoms and consequently requires particular protection. In the European Union, EU Regulation 2016/679 (known as the GDPR) frames the conditions for processing personal data and succeeds Directive 95/46/EC in order to adapt the law to the evolution of technologies and societies. The GDPR is a continuation of law N°78-17 (called “Loi Informatique et Libertés”) and reinforces the control of individuals over their data.

Having entered into force on May 25, 2018, the GDPR applies to any organization, public or private, that processes personal data, as long as it is established in the territory of the European Union or its activity targets European residents.

How to identify its data processing operations?

The identification of all personal data processing activities carried out by the organization provides a macro view of its operations.
This is also an obligation under Article 30 of the GDPR for all organizations, regardless of their size.
This inventory, which can be done in any form, must in any case include at least the following information:

– the name and contact details of the controller and, if applicable, the joint controller, the controller’s representative and the data protection officer;
– the purposes of the processing;
– a description of the categories of data subjects and the categories of personal data;
– the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organizations;
– where applicable, transfers of personal data to a third country or to an international organization, including the identification of that third country or international organization;
– to the extent possible, the deadlines for the deletion of the various categories of data;
– to the extent possible, a general description of the technical and organizational security measures.

The processing register contributes to the documentation of the organization’s compliance and is an excellent management tool as it allows the deduction of a compliance action plan.

Indeed, it allows the organization to determine whether the characteristics of certain processing operations are non-compliant (for example, whether data are kept beyond the erasure period) and therefore which measures must be implemented.

Thus, each record in the register allows us to verify that the data are relevant and necessary for the purpose of their processing. If necessary, the organization may then proceed to delete some of the data it processes and establish a more appropriate data processing policy.

How to organize its internal processes?

The establishment and organization of data protection policies contribute to the documentation of the organization’s compliance, as does the processing register.

The purpose of these internal processes must be to guarantee a level of protection of the data processed by the organization that is adapted to the risk, and to allow adaptation as this risk evolves.

They must therefore take into consideration all the events that may occur during the life of the processing operations implemented by the organization, taking into account the state of knowledge, the costs of implementation and the nature of the scope, context and purpose of these processing operations. The following documents may be included in this body of internal process documentation:

– Risk Management Policy;
– Crisis Management Policy;
– Access and clearance management policy;
– Trace Management Policy;
– Vendor Management Policy;
– Backup Policy;
– Incident Management Policy;
– Business continuity and recovery plans;
– Physical and Environmental Security Policy;
– Asset Management Policy;
– Monitoring program;
– Supervision Program;
– Archiving and destruction policy;
– IS Usage Policy;
– Mobile Device and Telework Policy;
– Job descriptions (CISO, CIO and DPO);
– Network Partitioning Policy;
– Cryptography Policy;
– Interoperability Framework;
– Data Transfer Framework;
– Project Management Guide;
– Subcontracting agreement template;
– Catalog of authorized tools;
– Authentication repository;
– WEB repository;
– Traces repository;
– User charter;
– Administrator’s Charter;
– Provider charter;
– Privacy Policy;
– Document Management Policy;
– WSIS Governance Policy.

In any case, internal policies must take into account the protection of personal data from the very beginning of the processing (minimization of data collection with regard to the purpose of the processing, a data retention period proportionate to the purpose of the processing, information of the data subjects, obtaining the consent of the data subjects where necessary, security and confidentiality of the data, role and responsibility of the actors involved in the processing, etc.).

How to contractualize its data processing?

Data processing involving several actors must be contractualized under the conditions provided for by the GDPR. The conditions for contracting processing operations depend on the role of the different actors in the processing concerned.

Thus, if an organization processes data exclusively on behalf of and at the direction of another organization that has determined the purposes and a substantial part of the means of such processing, it will qualify as a processor of that second organization.

Under these conditions, the processor must provide sufficient guarantees that the processing meets the requirements of the GDPR and ensures the protection of the rights of the persons whose data is processed. Such processing shall be governed by a contract or other legal instrument binding the processor to the controller, defining the subject matter and duration of the processing, its nature and purpose, the type of data and categories of data subjects, and the rights and obligations of the parties.

As a matter of principle, this processing contract must at least provide that the processor:

– Processes data only on the instructions of the controller;
– Ensures that its staff is committed to respecting the confidentiality of data;
– Takes all appropriate technical and organizational measures to ensure a level of data security appropriate to the risk;
– Does not engage another processor without the permission of the controller, and vouches to the controller for the other processor’s performance of its obligations;
– Assists the data controller in responding to requests from data subjects to exercise their rights regarding their data;
– Assists the data controller in meeting its obligations regarding data security, notification to the CNIL of a data breach, communication to the data subject of a data breach, data protection impact assessment and prior consultation of the CNIL when the impact assessment indicates that the processing would present a high risk;
– Depending on the choice of the controller, deletes all data or returns them to the controller at the end of the service, and destroys existing copies;
– Provides the data controller with all the information necessary to demonstrate compliance with its obligations and to allow audits to be carried out.

When several actors jointly determine all or part of the purposes and means of the processing, they will be qualified as joint controllers.

Under these conditions, they must define their respective obligations by agreement and in a transparent manner. The broad outlines of this agreement must be made available to the persons concerned, for example on the websites of the organizations concerned.

Finally, when several actors each determine on their own the purposes and means of the processing, they will be qualified as separate data controllers. However, if this processing requires the transmission of data from one data controller to another, this transmission must also be regulated, especially in order to guarantee its lawfulness (information of the data subjects, obtaining their consent where necessary, etc.).

Particular attention must be paid to the supervision of data transfers outside the European Union, requiring a systematic analysis of their lawfulness and, where necessary, the use of standard contractual clauses, binding company rules or certifications.

Appoint a Data Protection Officer

The Data Protection Officer (DPO) is the successor to the Data Protection Correspondent since the GDPR came into force. The DPO’s mission is to inform and advise organizations processing data on their obligations under the GDPR and the Data Protection Act.

The DPO is the privileged point of contact between the organization that appointed him or her and the persons whose data are processed by this organization, as well as the CNIL, in particular within the framework of its controls, concerning all questions relating to data protection within the organization.

The designation of a DPO is mandatory when the data processing activities:
– Are carried out by a public authority or public body; or
– Consist of regular and systematic monitoring of individuals on a large scale; or
– Consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.

In any case, the appointment of a DPO is recommended for all organizations in order to have permanent support in data protection, and thus facilitate the organization’s compliance with the GDPR (updating of the register of processing, contractualization of processing, advice on data protection by default and by design, management of breaches, etc.).

Indeed, the DPO must be appointed on the basis of his or her professional qualities and, in particular, specialized knowledge of data protection law and practices. The DPO’s ability to perform these duties independently and confidentially, while reporting directly to the highest level of management, is essential.

For this reason, the DPO may be a member of the staff of the organization that appointed him or her or perform his or her duties on the basis of a service contract (lawyer or consultant) in order to guarantee his or her independence.

Our services

Bouchara & Avocats will assist and advise you in order to bring your organization into compliance with the GDPR and the laws of the European Union member states relating to data protection, and to maintain this compliance over time.

Advice and assistance

We assist and advise you in matters of:

– Audit of the compliance of organizations, websites and applications with the GDPR and the laws of the European Union member states relating to data protection,
– Validation of personal data processing projects,
– Personal data breaches (risk assessments for the rights and freedoms of data subjects, notifications to the supervisory authorities of EU member states, communications to data subjects),
– Controls by the authorities of the EU Member States (representation, supervision, response to formal notices),
– Formalization of internal processes (Privacy Policy, IT Charter, Access Management Policy, Backup Policy, Business Continuity and Recovery Plan, etc.),
– Creation and updating of processing registers,
– Responding to requests for the exercise of rights and complaints from data subjects,
– Data protection impact assessments and prior consultations with the supervisory authorities of the EU Member States,
– Certifications and labels.

Negotiation and writing

Negotiation and drafting of:
– Data Protection Agreement (DPA),
– Binding Corporate Rules (BCR),
– Codes of conduct.

Representation

We represent you in litigation relating to the protection of personal data and in particular:

– Appeals against guidelines, recommendations and sanctions of the supervisory authorities of the EU Member States,
– Proceedings against data controllers and processors on behalf of data subjects whose rights and freedoms have not been respected,
– Liability for breach of subcontracting or joint liability agreements.

We also represent organizations that are not established in the European Union.

Training and awareness

We offer data protection training.

Personal data and digital law team