GDPR and data protection

GDPR refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)

These rules contribute to the respect of the fundamental rights of individuals (private and family life, freedom of thought, conscience and religion, freedom of expression and information etc.).

GDPR and data protection

Companies and local authorities are constantly processing personal data. They are indeed essential to their functioning in the information society.

Data are qualified as personal when they allow to identify individually, directly or indirectly, natural persons. The processing of such data is therefore likely to affect the rights and freedoms of individuals, which is why such data is subject to special protection.

Entering into force on May 25, 2018, the GDPR applies to any organization, public and private, established in the territory of the European Union or whose activities target EU residents, that processes personal data.

How identify data processing?

Article 30 of the GDPR requires organizations to identify all of the personal data processing activities they carry out, both in their capacity as a controller and as a processor.

Although there are no specific formalities for recording this information, it must include at least the following information:

  • The name and contact details of the Data Controller and, if applicable, of the subcontractor, the representative of the Data Controller and the Data Protection Officer;
  • The purposes of the processing (categories of data subjects and categories of personal data) ;
  • The categories of recipients to whom the personal data have been or will be disclosed (including recipients in third countries or international organizations);
  • Where applicable, transfers of personal data to a third country or international organization, including the identification of that third country or international organization;
  • To the extent possible, the expected timeframes for the deletion of the various categories of data and a general description of the technical and organizational security measures in place.

This inventory contributes to the documentation of the organization’s compliance with the rules enshrined in the RGPD and is also an excellent management tool as it can be used to draw up action plans for compliance with the RGPD rules.

Indeed, the data processing register allows the organization to more easily study the compliance of its processing with the rules enshrined in the GDPR and thus to establish the measures to be implemented if necessary. This register allows the organizations concerned to verify that the data collected are relevant and necessary for the purpose of their processing. On this basis, the organization can then proceed to delete part of the data if it is not relevant and establish a more appropriate data processing policy.

The organization of its internal processes

Having data protection policies in place is part of documenting an organization’s compliance, as is a processing log.

The purpose of these internal processes is to guarantee the protection of the data processed by the organization adapted to the risk of infringement of the rights of individuals, and to allow for adaptation to the evolution of this risk.

They must therefore take into consideration all the events that may occur during the processing operations carried out by the organization, taking into account the state of knowledge, the costs of implementation, the context and the purpose of the processing.

The following documents may be included in this body of internal process documentation:

  • Risk Management Policy;
  • Crisis Management Policy;
  • Access and clearance management policy;
  • Trace Management Policy;
  • Vendor Management Policy;
  • Backup Policy;
  • Incident Management Policy;
  • Business continuity and recovery plans;
  • Physical and Environmental Security Policy;
  • Asset Management Policy;
  • Control program;
  • Supervision Program;
  • Archiving and destruction policy ;
  • IS Usage Policy;
  • Mobile Device and Telework Policy;
  • Job descriptions (CISO, CIO and DPO);
  • Network Partitioning Policy;
  • Cryptography Policy;
  • Interoperability framework etc…

In any case, internal policies must take into account the protection of personal data from the very beginning of the processing (minimization of data collection with regard to the purpose of the processing, duration of data retention proportionate to the purpose of the processing, information of the persons concerned, obtaining the consent of the persons concerned if necessary, security and confidentiality of the data, role and responsibility of the actors involved in the processing…).

How contractualize your data processing?

Data processing involving several actors must be contracted in accordance with the conditions set out in the GDPR.

The conditions of contractualization of processing depend on the role of the various actors operating on the processing concerned.

Thus, if an organization processes data exclusively on behalf of and on the instructions of another organization that has determined the purposes and a substantial part of the means of such processing, it will in principle be qualified as a processor of the controller.

The subcontracting organization will then have to present sufficient guarantees so that the processing meets the requirements of the RGPD and thus guarantees the protection of the rights of the persons whose data is processed.

Such processing shall be governed by a contract binding the processor to the controller, defining the purpose and duration of the processing, its nature and purpose, the type of data and the categories of data subjects, as well as the rights and obligations of the parties.

As a matter of principle, this subcontract must at least provide for the following obligations on the part of the subcontractor:

  • Process data only on the instructions of the controller;
  • Ensure that its staff is committed to data confidentiality;
  • Take all appropriate technical and organizational measures to ensure a level of data security appropriate to the risk;
  • Not to hire another processor without the permission of the controller, and to vouch to the controller for the other processor’s performance of its obligations, if any;
  • Assist the data controller in responding to requests from data subjects to exercise their rights with respect to their data;
  • Helping the data controller to meet its data security obligations (notification to the CNIL of a data breach, communication to the data subject of a data breach, data protection impact assessment and prior consultation of the CNIL when the impact assessment indicates that the processing would present a high risk);
  • At the option of the controller, delete all data or return it to the controller at the end of the service, and destroy existing copies;
  • To provide the data controller with all the information necessary to demonstrate compliance with its obligations, and to allow audits to be carried out.

If several actors jointly determine all or part of the purposes and means of the processing, they will in principle be qualified as joint controllers.

In such cases, the joint managers must formally and transparently define their respective obligations. The broad outlines of this agreement must be made available to the persons concerned (e.g. on the website of the organizations concerned).

Finally, when several actors alone determine the purposes and means of the processing, they will in principle be qualified as separate data controllers.

However, if this processing requires the transmission of data from a separate controller to another separate controller, this transmission must also be regulated, in particular in order to guarantee its lawfulness (information of the data subjects, obtaining their consent if necessary, etc.).

Particular attention must be paid to the supervision of data transfers outside the European Union, requiring a systematic analysis of their lawfulness, and where necessary the use of standard contractual clauses, binding company rules or certifications, as well as, where necessary, additional technical and organizational security measures.

Appoint a Data Protection Officer

The Data Protection Officer (DPO) replaced the Data Protection Correspondent when the RGPD came into force.

The Data Protection Officer is at the heart of the compliance framework enshrined in the GDPR and facilitates organizations’ compliance with the GDPR.

It is one of the cornerstones of the responsible for the treatment and the subcontractor, and provides a competitive advantage by promoting compliance with the RGPD and by acting as an intermediary between the actors concerned (control authorities, data subjects, subcontractors…) and privileged contact point for data subjects.

Its designation is mandatory when:

  • The processing is carried out by a public authority or public body;
  • The core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic large-scale monitoring of data subjects;
  • The core activities of the controller or processor consist of large-scale processing of special categories of data and personal data relating to criminal convictions and offences.

In any case, the appointment of a DPO is recommended for all organizations in order to have a permanent support in terms of data protection, and thus facilitate the maintenance of the organization’s compliance with the RGPD over time (updating of the register of processing, contractualization of processing, advice on data protection by default and by design, management of breaches …)

Indeed, the delegate must be appointed on the basis of his professional qualities and, in particular, his specialized knowledge of data protection law and practices.

Its ability to perform its duties independently and confidentially, while reporting directly to the highest level of its management is essential.

For this reason, the DPO may be a member of the staff of the organization that appointed him or her or perform his or her duties on the basis of a service contract (lawyer or consultant) in order to guarantee his or her independence.

Our services

Bouchara can assist you in making your organization and your personal data processing processes compliant with the GDPR and other applicable data protection legislation.

Advice and assistance

The Bouchara firm assists you in particular for :

  • Conducting audits of the compliance of organizations, websites and applications with the GDPR and the data protection laws of the European Union member states;
  • Documentation of your processing (register of processing activities, register of violations, privacy impact analysis, prior consultation…);
  • Obtaining certifications and adhering to codes of conduct;
  • The study of the legal feasibility of the implementation of a new personal data processing;
  • Legal analysis of the compliance of your data processing, including data transfers outside the European Economic Area;

Negotiation and writing

The Bouchara Law Firm assists you in the negotiation and drafting of :

  • Data Protection Agreement (DPA);
  • Binding Corporate Rules (BCR);
  • Data protection policies (privacy policy, IT charter…) ;
  • Drafting of your Binding Corporate Rules (BCR) and Codes of Conduct.


The Bouchara Law Firm represents your interests as plaintiff and defendant in litigation relating to personal data and in particular in the following proceedings

  • Appeals against the guidelines, recommendations and sanctions of the supervisory authorities of the Member States of the European Union;
  • Proceedings against data controllers and processors on behalf of data subjects whose rights and freedoms have not been respected;
  • Liability actions related to the breach of subcontracts or joint liability.

We are also the external Data Protection Officer of many data processors and subcontractors.

Training and awareness

We offer training and workshops to make your employees aware of data protection issues.

Personal data and digital law team

Personal data and digital law team

Areas of expertise

Bouchara's team will assist you in intellectual property law.