
Machine Translated by Google

THE GENERAL DATA PROTECTION REGULATION

SECTION 1: FROM THE DATA PROTECTION ACT (LOI INFORMATIQUE ET LIBERTÉS) OF JANUARY 6, 1978 TO THE GDPR

Personal data is subject every day to numerous operations of collection, transfer and, more generally, processing, whether at work, at the doctor's office, when purchasing goods and services, when sending an SMS and, of course, on the Internet. Almost all of these operations are now computerized.

However, the use of these technologies, however widespread and commonplace it may be, is not without risks, particularly with regard to respect for private life. This was quickly taken into account by the French legislator (I) and then by European regulation (II).

I – At the origins of the Data Protection Act: the need to protect privacy

A/ A fundamental right

Privacy is a fundamental right in any democratic society.


Before being recognized as such by French law, it was first enshrined in international law (notably Article 12 of the Universal Declaration of Human Rights and Article 8 of the European Convention on Human Rights).

In French law, the right to private life was enshrined by the law of July 17, 1970, which introduced into Article 9 of the Civil Code the principle that "everyone has the right to respect for his private life".

At that time it had only legislative value. It was not recognized as a principle of constitutional value by the Constitutional Council until 1995 (CC, January 18, 1995).

This recognition was a first step. The risks of breaches of privacy have increased considerably with the development of information technology, which has forced the regulations to adapt.


B/ Awareness of new risks

In the early 1970s, the objective was above all to protect individuals against the dangers of the use of their data by the public sector, more than by the private sector.

Real awareness of the risks of "recording" people came following the publication, in 1974, of an article in Le Monde concerning the implementation of an "Automated system for administrative files and directory of individuals". This project, known as SAFARI, provided for the interconnection of information collected on individuals by several administrative services, including the general intelligence service, the territorial surveillance directorate and the judicial police.

This led to the adoption of the law of January 6, 1978 on information technology, files and freedoms, which still constitutes today the heart of the domestic legal framework and which clearly establishes a principle of protection of private life from its very first article (an article that has only been marginally modified by the GDPR):

- the purpose of this law was to define the principles to be respected when collecting, processing and storing personal data;

- it recognized the rights of individuals with regard to the protection of their personal data;

- it created a supervisory authority to ensure its proper application: the Commission Nationale de l'Informatique et des Libertés (CNIL).


II – The development of supranational regulations

But the regulations had to evolve:

- due to technological advances, which created new risks;

- due to the growing weight of the private sector in data processing (gradually, the public sector no longer appeared as the main threat);

- because a balance had to be found between data protection and the need for the free flow of information;

- due to the internationalization of trade.

Harmonized regulations had to be developed, which proved very difficult at the international level (some countries have a completely different approach to the concept of privacy).

It was nevertheless achieved at the level of the European Union, first with the adoption of the Directive of October 24, 1995. The harmonization was not perfect, however. Moreover, this directive very quickly showed its limits: at that date, neither Facebook nor Google existed, any more than other social networks, apps, connected objects or even big data.

Hence the adoption of Regulation No. 2016/679 of April 27, 2016, known as the GDPR, which has applied in all Member States since May 25, 2018.

The GDPR applies directly in French law: on many points it replaces national law. On other points, the Data Protection Act remains in force and complements the GDPR.

SECTION 2: THE NEW REGULATIONS FOR THE PROTECTION OF PERSONAL DATA

The GDPR has not revolutionized everything, particularly with regard to certain definitions that make it possible to understand its scope. On the other hand, it innovates as to the very logic of compliance and strengthens the rights of individuals.

I – The scope of application of the GDPR

A/ Material scope: WHAT?


1) Definition of personal data

Personal data is data relating to a natural person who can be identified, whatever the means used. It may be:

- directly identifying data: first and last name, photo, personal e-mail address, etc.;

- indirectly identifying data: account identifier, fingerprint, telephone number, etc.;

- a cross-check of anonymous information: the baker's eldest daughter who lives at 6 rue Jean Jaurès, etc.

The GDPR simply clarified here that certain data (IP addresses, online identifiers and geolocation data of individuals, in particular) are indeed personal data.

2) Definition of personal data processing

- Any operation involving personal data, whatever the process used: recording, organizing, storing, modifying, cross-referencing with other data, transmitting, etc.

Processing can thus take very diverse forms: an Excel spreadsheet, the installation of video surveillance, a biometric recognition system, a smartphone app, etc.

Please note: the GDPR also covers paper files.

However, the Data Protection Act does not apply to processing concerning exclusively personal activities (example: a personal telephone contact directory).

B/ Organic scope: WHO?

Who is responsible under the GDPR? It is the "data controller", i.e. the one "who determines the purposes of the processing of personal data and the means necessary for its implementation".


Warning: not to be confused with the processor ("sous-traitant"), who processes personal data on behalf of, on the instructions of and under the authority of a data controller (e.g. data hosts, service providers, etc.).

C/ Geographic scope: WHERE?

- All public/private establishments located in the European Union must comply with the GDPR;

- all establishments based outside the EU which collect, host or handle the personal data of European citizens must comply with it as well.

For example, a company established in France which exports all of its products to Morocco for its Middle Eastern customers must comply with the GDPR.

Likewise, a company established in China, offering an e-commerce site in French that delivers products to France, must comply with the GDPR.

II – From a declaratory logic to a logic of proof

A/ The principle

Previously, the data controller had to declare all of its processing of personal data to the CNIL.

The GDPR introduces another logic, that of accountability. The logic of regulation in the field of data protection is now based on the principle of responsibility, the obligation to be accountable.

This means that the data controller must ensure the compliance of each processing operation and be able to prove it.

- The consequence of this empowerment of actors is the elimination of declaration obligations in the vast majority of cases.

B/ Accountability tools

1) Keeping a register of processing activities

This is a summary document of all the processing operations implemented within the organization concerned. It specifies, for each processing operation, the categories of data processed, what the data is used for, who accesses it and to whom it is communicated, its retention period and its security.

2) Respect for the concepts of Privacy by Design and Privacy by Default

- Privacy by Design, or data protection by design: means that compliance with the GDPR must be taken into account from the design stage of projects involving data processing (e.g. replacing certain personal data with a pseudonym).

- Privacy by Default, or data protection by default: the data controller must ensure, by default, the highest level of protection, which implies that security and protection measures are taken systematically whenever processing involves personal data (e.g. data minimization, retention period).

3) Data protection impact assessments (DPIA, or PIA, Privacy Impact Assessment):

For all high-risk processing operations, the data controller must conduct a complete impact study, setting out the characteristics of the processing, the risks and the measures adopted.

Generally speaking, processing operations that meet at least two of the following criteria must be subject to an impact assessment:

- evaluation / scoring implemented in order to assign a rating to a customer (reflecting, for example, the likelihood that they will respond to a commercial solicitation);

- automated decision with legal or similar effect;

- systematic monitoring, which refers to the case of permanent geolocation;

- collection of sensitive data (health data, for example);

- large-scale collection of personal data (the big data scenario: analysis of mass data and creation of giant databases open to consultation);

- data matching, i.e. cross-checking of personal data in order to reach the conclusions sought about the data subject;

- processing of the data of persons considered vulnerable, which refers to patients, elderly people, children, etc.;

- innovative use, which refers to any use of a new technology.

The DPIA must be carried out before the processing is implemented and is broken down into three parts:

- a detailed description of the processing implemented, covering both the technical and operational aspects;

- the assessment, of a more legal nature, of necessity and proportionality with regard to fundamental principles and rights (purpose, data and retention period, information and rights of individuals, etc.);

- the study, of a more technical nature, of the data security risks (confidentiality, integrity and availability) and of their potential impacts on privacy, which makes it possible to determine the technical and organizational measures necessary to protect the data (e.g. encryption, logging, secure archiving, anti-malware measures, data backup, maintenance, traceability, securing of equipment, keeping sources of risk at a distance, management of security incidents, etc.).

Once completed, the DPIA is reviewed by the DPO and the CISO, then validated by the data controller.

The DPIA only has to be transmitted to the CNIL if it appears that the residual risk remains high (in which case the CNIL must be consulted) or when the national legislation of a Member State requires it. The CNIL may then possibly object to the processing.


III – Supervision of the processing of personal data

A/ The rights granted to individuals over their personal data

1) Classic rights

a) A right to information

The collection of personal data must be accompanied by clear and precise information to individuals (on the identity of the data controller, the purpose, the recipients of the data, the rights they have, etc.).

b) Consent sometimes necessary

This obligation applies in certain cases: collection of sensitive data, use of data for commercial prospecting purposes, use of photographs, etc.

But consent is only one of the six grounds for lawfulness of processing (see below).

c) A right of access, rectification and objection

Right of access: any person can access all the information concerning them (subject to exceptions, such as security files).

Right of rectification: the right of rectification complements the right of access by making it possible to correct inaccurate information and to prevent an organization from processing or spreading false information.

Right of objection: it is possible to object, on legitimate grounds, to appearing in a file.

Please note: the right to object does not exist for many public sector files, such as, for example, those of the tax services, the police services, etc.

2) New rights developed by the GDPR

a) Right to erasure

It is recognized on certain grounds (the data are not or no longer necessary in relation to the purposes for which they were initially collected or processed; withdrawal of consent to the use of the data).

b) Right to delisting


It allows a person to ask a search engine to remove certain search results associated with their first and last name.

c) Right to portability

It allows a person to obtain a copy of their data and to have it transferred to another data controller.

B/ Definition of the obligations of data controllers

1) The lawfulness of the processing

To be valid, processing of personal data must be lawful, which means that it must be based on one of the six legal bases set out in Article 6 of the GDPR:

- either the data subject has consented to the processing;

- or the processing is necessary for the performance of a contract;

- or the processing is necessary to comply with a legal obligation;

- or the processing is necessary to protect the vital interests of the data subject or of another natural person;

- or the processing is necessary for the performance of a task carried out in the public interest;

- or the processing is necessary for the purposes of the legitimate interests of the data controller.

2) The principle of data minimization

The data controller must question the purposes of the processing, i.e. state its objectives, in order to collect and process only the data essential to achieving them.

3) The duration of data retention

The GDPR establishes the principle that the retention of personal data must be limited and proportionate to the purposes of the processing.

4) Transfers outside the EU


If the CNIL considers that the country of destination ensures an adequate level of protection with regard to the GDPR (adequacy decision), the transfer of data is free and no formalities need to be completed.

Conversely, in the absence of an adequacy decision, the transfer of data is prohibited unless the recipient of the data implements appropriate safeguards, for example through contractual clauses.

5) Obligation to secure data

Examples:

- measures to guarantee the confidentiality, integrity and availability of personal data (pseudonymization, antivirus, submission via secure platforms, etc.);

- measures to restore the availability of data in the event of an incident (logging, data backup, etc.).

SECTION 3: REGULATORY SUPERVISION

I - The National Commission for Information Technology and Liberties

A/ An independent administrative authority

An independent administrative authority created by the law of January 6, 1978, the Commission is made up of 18 elected members. They are appointed for 5 years, renewable once.

Its guarantees of independence:

- its members do not receive instructions from any authority;

- they cannot be removed from office;

- the function of member of the Commission is incompatible with most political functions and with any other professional activity or even any public employment;

- the CNIL is autonomous in budgetary matters.

B/ Diversified missions

1) Information mission


The CNIL informs individuals and professionals and responds to their requests. Anyone can contact the CNIL when they have difficulty exercising their rights.

This implies, for example, that the Commission makes its opinions, decisions and recommendations available to the public.

2) Consultation mission

In this context, the CNIL may give its opinion on its own initiative. It is responsible for responding to any request for advice from public authorities.

As such, the government is required to consult the Commission on any bill relating to the processing of personal data.

3) Power of recommendation and decision

Through its power of recommendation, the CNIL determines the conditions for implementing processing on specific points (e.g. geolocation, electronic voting, cookies, etc.).

Through its decision-making power, it sets in particular reference methodologies, which govern the implementation of certain processing operations (e.g. for health research).

4) Control and sanction mission

- Control following a complaint or on its own initiative: this allows the CNIL to verify on site the concrete implementation of the law and to issue warnings.

- Sanctions: they are graduated and can range from a call to order to an administrative fine (which can reach 20,000,000 euros or 4% of the company's total worldwide annual turnover).

In the event of a serious and immediate violation of rights and freedoms, the President of the CNIL may also refer the matter to the Public Prosecutor.

II - The Data Protection Officer

A/ Mandatory designation in certain cases (article 37 GDPR)


Data controllers and processors must designate a data protection officer:

- if they belong to the public sector;

- if their main activities lead them to carry out regular and systematic monitoring of individuals on a large scale;

- if their main activities lead them to process (again on a large scale) so-called sensitive data.

The organization can choose to appoint an internal DPO or call on an external DPO.

B/ Missions of the DPO

Its missions are as follows:

- inform and advise the data controller and staff;

- monitor compliance with the GDPR regarding the protection of personal data;

- advise on the preparation of DPIAs;

- act as the point of contact with the CNIL;

- ensure that the register of processing activities is properly maintained.

Please note: a certification, delivered by bodies approved by the CNIL, can be obtained (certification is not mandatory to exercise the functions of DPO, nor is it a necessary prerequisite for designation).

The certification covers three areas:

- general data protection regulations and the measures taken for compliance;

- accountability;

- technical and organizational measures for data security with regard to the risks.
