
GDPR and data protection
The GDPR and the protection of personal data contribute to the realization of an area of freedom, security, justice, economic and social progress, to the consolidation and convergence of economies within the European Union, and to the well-being of individuals. They contribute to the right of privacy and family life, home and communications, freedom of thought, conscience and religion, freedom of expression and information, cultural, religious and linguistic diversity, freedom of trade, the right to an effective remedy and to a fair trial.
Companies and local authorities process personal data on a constant basis. Such processing is essential to their functioning in the information society.
Personal data is any information that can be used to identify an individual, directly or indirectly. Its processing may affect that individual's rights and freedoms, which is why it requires specific protection. In the European Union, Regulation (EU) 2016/679 (known as the GDPR) sets the conditions for processing personal data. It succeeds Directive 95/46/EC in order to adapt the law to technological and societal change. The GDPR builds on French law No. 78-17 (the "Loi Informatique et Libertés") and strengthens individuals' control over their data.
In force since May 25, 2018, the GDPR applies to any organization, public or private, that processes personal data, provided it is established in the territory of the European Union or its activity targets European residents.
How to record your data processing?
Identifying all the personal data processing activities carried out by the organization provides a macro view of how it operates.
This inventory, which may take any form, must in all cases include at least the following information:
– the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
– the purposes of the processing;
– a description of the categories of data subjects and of the categories of personal data;
– the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations;
– where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization;
– as far as possible, the envisaged time limits for erasure of the different categories of data;
– as far as possible, a general description of the technical and organizational security measures.
The processing register contributes to the documentation of the organization's compliance and is an excellent management tool, since a compliance action plan can be derived from it.
It allows the organization to determine whether the characteristics of certain processing operations are non-compliant (for example, whether data are kept beyond their planned erasure period) and therefore which measures need to be implemented.
Each record in the register thus makes it possible to verify that the data are relevant and necessary for the purpose of the processing. Where necessary, the organization can then delete some of the data it processes and establish a more appropriate data processing policy.
How to organize your internal processes?
The establishment and organization of data protection policies contributes to the documentation of the organization's compliance, as does the processing register.
The purpose of these internal processes must be to guarantee a level of protection for the data processed by the organization that is adapted to the risk, and to allow for adaptation as that risk evolves.
They must therefore take into consideration all the events that may occur during the life of the processing operations implemented by the organization, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of these processing operations. The following documents may be included in this body of internal process documentation:
– Risk Management Policy;
– Crisis Management Policy;
– Access and authorization management policy;
– Log management policy;
– Vendor Management Policy;
– Backup Policy;
– Incident Management Policy;
– Business continuity and recovery plans;
– Physical and Environmental Security Policy;
– Asset Management Policy;
– Monitoring program;
– Supervision Program;
– Archiving and destruction policy;
– IS Usage Policy;
– Mobile Device and Telework Policy;
– Job descriptions (CISO, CIO and DPO);
– Network Partitioning Policy;
– Cryptography Policy;
– Interoperability Framework;
– Data Transfer Framework;
– Project Management Guide;
– Processor (subcontracting) agreement template;
– Catalog of authorized tools;
– Authentication standards;
– Web standards;
– Logging standards;
– User charter;
– Administrator charter;
– Provider charter;
– Privacy Policy;
– Document Management Policy;
– Information Systems Security Governance Policy.
In any case, internal policies must take the protection of personal data into account from the very beginning of the processing (minimization of data collection with regard to the purpose of the processing, retention period proportionate to that purpose, information of the data subjects, obtaining their consent where necessary, security and confidentiality of the data, roles and responsibilities of the actors involved in the processing, etc.).
How can I formalize my data processing agreements?
Data processing involving several parties must be contractually agreed under the conditions provided for by the GDPR. The contractual conditions depend on the role of each party in the processing concerned.
Thus, if an organization processes data exclusively on behalf of and on the instructions of another organization that has determined the purposes and a substantial part of the means of the processing, it is qualified as a processor of that second organization.
Under these conditions, the processor must provide sufficient guarantees that the processing meets the requirements of the GDPR and protects the rights of the persons whose data are processed. The processing is governed by a contract or other legal act binding the processor to the controller, which defines the subject matter and duration of the processing, its nature and purpose, the type of data and the categories of data subjects, as well as the rights and obligations of the parties.
As a matter of principle, this processing contract must at least stipulate that the processor:
– processes the data only on the documented instructions of the controller;
– ensures that its staff undertake to respect the confidentiality of the data;
– takes all appropriate technical and organizational measures to guarantee a level of data security appropriate to the risk;
– does not engage another processor without the authorization of the controller, and remains answerable to the controller for that other processor's fulfilment of its obligations;
– helps the controller to respond to requests from data subjects exercising their rights over the data concerning them;
– assists the controller in meeting its obligations with regard to data security, notifying the CNIL of a data breach, communicating a data breach to the data subject, conducting a data protection impact assessment and consulting the CNIL in advance when the impact assessment indicates that the processing would present a high risk;
– at the controller's choice, deletes all data or returns it to the controller at the end of the service, and destroys existing copies;
– provides the controller with all the information necessary to demonstrate compliance with its obligations and to allow audits to be carried out.
When several parties jointly determine all or part of the purposes and means of processing, they will be qualified as joint controllers.
In these circumstances, they must define their respective obligations by means of an agreement, in a transparent manner. The essence of this agreement must be made available to the data subjects, for example on the websites of the organizations concerned.
Finally, when several parties each determine the purposes and means of the processing on their own, they are qualified as separate controllers. If this processing requires the transmission of data from one controller to another, that transmission must also be framed, in particular to guarantee its lawfulness (information of the data subjects, obtaining their consent where necessary, etc.).
Particular attention must be paid to the supervision of data transfers outside the European Union, requiring a systematic analysis of their lawfulness, and as necessary the use of standard contractual clauses, binding corporate rules or certifications.
Appoint a Data Protection Officer
The Data Protection Officer (DPO) has succeeded the Data Protection Correspondent since the GDPR came into force. The DPO's mission is to inform and advise organizations processing data on their obligations under the GDPR and the Data Protection Act.
The DPO is the privileged point of contact between the organization that appointed them and the persons whose data are processed by that organization, as well as the CNIL, in particular within the framework of its controls, on all questions relating to data protection within the organization.
The designation of a DPO is mandatory when the data processing activities:
– Are carried out by a public authority or public body; or
– Consist of regular and systematic monitoring of individuals on a large scale; or
– Consist of large-scale processing of special categories of data or data relating to criminal convictions and offences.
In any case, appointing a DPO is recommended for all organizations in order to have permanent support on data protection and thus facilitate the organization's compliance with the GDPR (updating the processing register, contractualization of processing, advice on data protection by default and by design, management of breaches, etc.).
The DPO must be appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The DPO's ability to perform these duties independently and confidentially, while reporting directly to the highest level of management, is essential.
For this reason, the DPO may be a member of the staff of the organization that appointed them, or may perform these duties under a service contract (lawyer or consultant), which helps guarantee their independence.
Our services
Bouchara & Avocats will assist and advise you in order to bring your organization into compliance with the GDPR and the laws of the European Union member states relating to data protection, and to maintain this compliance over time.
Advice and assistance
– Audit of the compliance of organizations, websites and applications with the GDPR and the laws of the European Union member states relating to data protection,
– Validation of personal data processing projects,
– Personal data breaches (risk assessments for the rights and freedoms of data subjects, notifications to the supervisory authorities of EU member states, communications to data subjects),
– Controls by the authorities of the EU Member States (representation, supervision, response to formal notices),
– Formalization of internal processes (Privacy Policy, IT Charter, Access Management Policy, Backup Policy, Business Continuity and Recovery Plan, etc.),
– Creation and updating of processing registers,
– Responding to requests for the exercise of rights and complaints from data subjects,
– Data protection impact assessments and prior consultations with the supervisory authorities of the EU Member States,
– Certifications and labels.

Negotiation and writing
Negotiation and drafting of:
– Data Protection Agreement (DPA),
– Binding Corporate Rules (BCR),
– Codes of conduct.

Representation
– Appeals against guidelines, recommendations and sanctions of the supervisory authorities of the EU Member States,
– Proceedings against data controllers and processors on behalf of data subjects whose rights and freedoms have not been respected,
– Liability for breach of processing or joint controllership agreements.
We also represent organizations that are not established in the European Union.

Training and awareness
We offer data protection training.
