GDPR and data protection


The GDPR and the protection of personal data contribute to the creation of an area of freedom, security and justice and of economic and social progress, to the strengthening and convergence of economies within the European Union, and to the well-being of natural persons. They contribute to respect for private and family life, home and communications, freedom of thought, conscience and religion, freedom of expression and information, cultural, religious and linguistic diversity, the freedom to conduct a business, and the right to an effective remedy and to a fair trial.

GDPR and data protection

Companies and local authorities constantly process personal data. Such processing is essential to their operation in the information society.

Personal data, however, is any information allowing a natural person to be identified, directly or indirectly. Its processing is likely to affect the rights and freedoms of those persons and therefore requires specific protection. Within the European Union, Regulation (EU) 2016/679 (the GDPR) governs the conditions under which personal data may be processed; it replaced Directive 95/46/EC in order to adapt the law to developments in technology and in business practices. In France, the GDPR builds on Law No. 78-17 of 6 January 1978 (the Data Protection Act, "loi Informatique et Libertés") and strengthens individuals' control over their data.

Applicable since May 25, 2018, the GDPR applies to any organization, public or private, that processes personal data, as soon as it is established in the European Union or its activity targets persons located in the European Union (by offering them goods or services, or by monitoring their behaviour), regardless of where the processing itself takes place.

How to identify data processing activities?

Identifying all the personal data processing activities implemented by the organization gives a macro view of how it operates.
It is also an obligation laid down in Article 30 of the GDPR for all organizations, regardless of their size (the limited exemption for organizations with fewer than 250 employees does not apply where the processing is not occasional, is likely to result in a risk to data subjects, or involves special categories of data).
This inventory, the register of processing activities, may take any form but must at least contain the following information:

– the name and contact details of the controller and, where applicable, of the joint controller, the controller's representative and the data protection officer;
– the purposes of the processing;
– a description of the categories of data subjects and of the categories of personal data;
– the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
– where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation;
– where possible, the envisaged time limits for erasure of the different categories of data;
– where possible, a general description of the technical and organisational security measures.

The register also contributes to documenting the organization's compliance and is an excellent management tool, since a compliance action plan can be derived from it.

Indeed, the register of processing activities allows the organization to determine whether the characteristics of certain processing operations are non-compliant (for example, if data are retained beyond the planned erasure period) and therefore which measures must be implemented.

Thus, each entry in the register makes it possible to verify that the data are indeed relevant and necessary for the purpose of the processing. Where appropriate, the organization can then delete part of the data it processes and adopt a more appropriate data processing policy.

How to organize internal processes?

Establishing and organizing data protection policies contributes to documenting the organization's compliance, in the same way as the register of processing activities.

These internal processes must aim to guarantee a level of protection for the data processed by the organization that is appropriate to the risk, and to allow adaptation as that risk evolves.

They must therefore take into account all the events that may occur over the lifetime of the processing implemented by the organization, having regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing (Article 32 of the GDPR). The following documents may form part of this body of internal processes:

– Risk management policy;
– Crisis management policy;
– Access and authorization management policy;
– Log management policy;
– Supplier management policy;
– Backup policy;
– Incident management policy;
– Business continuity and recovery plans;
– Physical and environmental security policy;
– Asset management policy;
– Control program;
– Supervision program;
– Archiving and destruction policy;
– Information system usage policy;
– Mobile devices and telework policy;
– Job descriptions (CISO/RSSI, CIO/DSI and DPO);
– Network segmentation policy;
– Cryptography policy;
– Interoperability framework;
– Data transfer framework;
– Project management guide;
– Template processing (subcontracting) contract;
– Catalog of authorized tools;
– Authentication standard;
– Web application standard;
– Logging and audit-trail standard;
– User charter;
– Administrator charter;
– Service provider charter;
– Privacy policy;
– Document management policy;
– ISMS governance policy.

In any event, internal policies must take data protection into account from the design of the processing (data protection by design and by default): minimization of the data collected with regard to the purpose of the processing, a retention period proportionate to that purpose, information of data subjects, obtaining the consent of data subjects where required, security and confidentiality of the data, roles and responsibilities of the actors involved in the processing, and so on.

How to contractualize data processing?

Data processing involving several actors must be contractually framed under the conditions laid down by the GDPR. The applicable conditions depend on the role of each actor in the processing concerned.

Thus, if an organization processes data exclusively on behalf of and on the instructions of another organization, which determines the purposes and the essential means of that processing, it is qualified as a processor (in French, sous-traitant) of that second organization, the controller.

In that case, the processor must provide sufficient guarantees that the processing meets the requirements of the GDPR and protects the rights of the persons whose data are processed. The processing must be governed by a contract or another legal act binding the processor to the controller, setting out the subject matter and duration of the processing, its nature and purpose, the type of personal data and the categories of data subjects, and the rights and obligations of the parties (Article 28 of the GDPR).

In principle, this processing contract must at least stipulate that the processor:

– processes the data only on documented instructions from the controller;
– ensures that the persons authorised to process the data have committed themselves to confidentiality;
– takes all appropriate technical and organisational measures to guarantee a level of security appropriate to the risk;
– does not engage another processor without the prior authorisation of the controller, and remains fully liable to the controller for the performance of that other processor's obligations;
– assists the controller in responding to requests from data subjects exercising their rights over the data concerning them;
– assists the controller in complying with its obligations regarding data security, notification of a personal data breach to the supervisory authority (in France, the CNIL), communication of a personal data breach to the data subject, data protection impact assessments, and prior consultation of the supervisory authority where the impact assessment indicates that the processing would present a high risk;
– at the controller's choice, deletes or returns all personal data to the controller at the end of the provision of services, and destroys existing copies, unless EU or Member State law requires their storage;
– makes available to the controller all information necessary to demonstrate compliance with these obligations, and allows for and contributes to audits, including inspections.

When several actors jointly determine all or part of the purposes and means of the processing, they are qualified as joint controllers.

In that case, they must determine by means of an arrangement, in a transparent manner, their respective obligations (Article 26 of the GDPR). The essence of this arrangement must be made available to data subjects, for example on the websites of the organizations concerned.

Finally, when several actors each determine, on their own, the purposes and means of their processing, they are qualified as separate (independent) controllers. If that processing requires the transmission of data from one controller to another, this transmission must also be framed, in particular to guarantee its lawfulness (information of data subjects, obtaining their consent where required, etc.).

Particular attention must be paid to framing transfers of data outside the European Union. Each transfer requires a systematic analysis of its lawfulness and, in the absence of an adequacy decision by the European Commission, the use of appropriate safeguards such as standard contractual clauses, binding corporate rules or an approved certification mechanism (Chapter V of the GDPR).

Appoint a Data Protection Officer

The Data Protection Officer (DPO; in French, délégué à la protection des données, DPD) has succeeded the Correspondant Informatique et Libertés (CIL) since the GDPR became applicable. The DPO's mission is to inform and advise organizations that process data on their obligations under the GDPR and the Data Protection Act, and to monitor compliance with them.

The DPO is the main point of contact between the body that appointed him or her and the persons whose data that body processes, as well as with the CNIL, in particular in the context of its inspections, on all questions relating to data protection within the organization.

Designation of a DPO is mandatory when the processing:
– is carried out by a public authority or public body (except for courts acting in their judicial capacity); or
– consists, as a core activity, of regular and systematic monitoring of data subjects on a large scale; or
– consists, as a core activity, of large-scale processing of special categories of data or of data relating to criminal convictions and offences.

In any event, appointing a DPO is recommended for all organizations, in order to have permanent support on data protection and thus to facilitate the maintenance of GDPR compliance (updating the register of processing activities, contractual framing of processing, advice on data protection by design and by default, breach management, etc.).

The DPO is appointed on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices. The ability to carry out these tasks independently and confidentially, while reporting directly to the highest management level, is essential.

For this reason, the DPO may be a staff member of the organization that designated him or her, or an external person (lawyer or consultant) carrying out the tasks on the basis of a service contract. In both cases, the organization must guarantee the DPO's independence and ensure that any other duties do not result in a conflict of interests.

Our services

Cabinet Bouchara & Avocats supports and advises you in order to bring your organization into compliance with the GDPR and the laws of the Member States of the European Union relating to data protection, and to maintain this compliance over time.

Advice and assistance

We support and advise you on:
– Auditing the compliance of organisations, websites and applications with the GDPR and the data protection laws of the EU Member States,
– Validation of personal data processing projects,
– Personal data breaches (assessment of the risk to the rights and freedoms of data subjects, notifications to the supervisory authorities of EU Member States, communications to data subjects),
– Inspections by the authorities of EU Member States (representation, supervision, response to formal notices),
– Formalization of internal processes (Privacy Policy, IT Charter, Access Management Policy, Backup Policy, Business Continuity and Recovery Plan, etc.),
– Creation and updating of registers of processing activities,
– Responses to requests for the exercise of rights and to complaints from data subjects,
– Data protection impact assessments and prior consultations with the supervisory authorities of EU Member States,
– Certifications and labels.

Negotiation and drafting

Negotiation and drafting of:
– Data processing agreements (DPA),
– Binding Corporate Rules (BCR),
– Codes of conduct.

Representation

We represent you in litigation relating to the protection of personal data, in particular:
– Appeals against the guidelines, recommendations and sanctions of the supervisory authorities of EU Member States,
– Proceedings against controllers and processors on behalf of data subjects whose rights and freedoms have not been respected,
– Liability arising from non-compliance with processing or joint controllership agreements.
We also represent organizations that are not established in the European Union.

Training and awareness

We offer training in the protection of personal data.

Team: personal data and digital law