SECTION 1: FROM THE COMPUTER AND FREEDOMS LAW OF JANUARY 6, 1978 TO THE GDPR
However, the use of these technologies, however widespread and commonplace it may be, is not without risks, particularly with regard to respect for private life, which was quickly taken into account by the French legislator (I) and then by European regulation (II).
I – At the origins of the Data Protection Act: the need to protect privacy
A/ A fundamental right
In French law, the right to private life was enshrined by the law of July 17, 1970, which introduced into Article 9 of the Civil Code the principle that “everyone has the right to respect for his private life.”
At that time it had only legislative value. It was not recognized as a principle of constitutional value by the Constitutional Council until 1995 (CC, January 18, 1995).
1
Machine Translated by Google
In the early 1970s, the objective was above all to protect individuals against the dangers of the use of their data by the public sector, more than by the private sector.
This led to the adoption of the law of January 6, 1978 relating to computing, files and freedoms, which still constitutes the heart of the domestic legal system today and which clearly establishes a principle of protection of private life from its very first article (this article has only been marginally modified by the GDPR).
- The purpose of this law was to define the principles to be respected when collecting, processing and storing personal data
- because it was necessary to find a balance between data protection and the need for the free flow of information
It was necessary to develop harmonized regulations, which at the time proved very difficult at the international level (some countries have a completely different approach to the concept of privacy).
But it was done at the level of the European Union, first with the adoption of the directive of October 24, 1995. The harmonization was not perfect, however. Moreover, this directive very quickly showed its limits: at that date, neither Facebook nor Google existed, any more than other social networks, apps or connected objects.
Hence the adoption of Regulation No. 2016/679 of April 27, 2016, called GDPR, which
national law. On other points, the Data Protection Act remains in force and
PERSONAL DATA
The GDPR has not revolutionized everything, particularly with regard to certain definitions which make it possible to understand its scope. On the other hand, it innovates with regard people.
The GDPR here simply clarified that certain data (IP addresses, online identifiers and geolocation data of individuals, in particular) are indeed personal data.
- Any operation involving personal data, whatever the process used: recording, organizing, storing, modifying, reconciling with other data, transmitting, etc.
Processing can thus take very diverse forms: an Excel spreadsheet, a video surveillance installation, a biometric recognition system, a smartphone app, etc.
Who is responsible under the GDPR? It is the “data controller”, i.e. the one “which determines the purpose of the processing of personal data and the means necessary for its implementation.”
For example, a company established in France which exports all of its products to Morocco for its Middle Eastern customers must comply with the GDPR.
A/ The principle
Previously, the data controller had to declare all of its processing of personal data to the CNIL.
The GDPR adopts another logic, that of accountability. Regulation in the field of data protection (Informatique et Libertés) is now based on the principle of responsibility: the obligation to account for what one does.
This means that the data controller must ensure the compliance of each processing operation and be able to provide proof of it.
B/ Accountability tools
data processed, what this data is used for, who accesses the data and to whom it is communicated, its retention period, and its security.
For all high-risk processing operations, the data controller must conduct a complete impact assessment, setting out the characteristics of the processing, the risks and the measures adopted.
Generally speaking, processing operations that meet at least two of the following criteria must be subject to an impact analysis:
The AIPD (data protection impact assessment, DPIA) must be carried out before the processing is implemented and is broken down into three parts:
- A detailed description of the processing implemented, covering both its technical and operational aspects;
- The assessment, of a more legal nature, of necessity and proportionality with regard to fundamental principles and rights (purpose, data and retention period, information and rights of individuals, etc.);
- The study, of a more technical nature, of data security risks (confidentiality, integrity and availability) and of their potential impact on privacy, which makes it possible to determine the technical and organizational measures needed to protect the data (e.g. encryption, logging, secure archiving, anti-malware measures, data backup, maintenance, traceability, securing equipment, keeping sources of risk at a distance, security incident management, etc.).
Once completed, the AIPD is reviewed by the DPD (data protection officer) and the CISO, then validated by the data controller.
The AIPD only has to be sent to the CNIL if the residual level of risk remains high (in which case the CNIL must be consulted) or when the national legislation of a Member State requires it. The CNIL may then oppose the processing.
1) Classic rights
a) A right to information
But consent is only one of the six grounds for lawfulness of processing (see below).
Please note: the right to object does not exist for many public sector files, such as those of the tax services, police services, etc.
a) Right to erasure
It is recognized for certain reasons (the data are not or are no longer necessary for the purposes for which they were initially collected or processed; withdrawal of the
b) Right to delisting
c) Right to portability
It allows individuals to obtain a copy of their data and have it transferred to another data controller.
To be valid, processing of personal data must be lawful, which means that it must be based on one of the six legal bases set out in Article 6 of the GDPR:
- either the processing is necessary to protect the vital interests of the data subject or of another natural person;
- or the processing is necessary for the performance of a task carried out in the public interest;
- or the processing is necessary for the purposes of the legitimate interests pursued by the controller.
The data controller must question the purposes of the processing, i.e. state its objectives, in order to collect and process only the data essential to achieving them.
The GDPR establishes the principle that the retention of personal data must be limited and proportionate to the purposes of the processing
If the CNIL considers that the destination country ensures a level of protection adequate with regard to the GDPR (an adequacy decision), the transfer of data is free: no formalities need to be completed.
Examples:
An independent administrative authority created by the law of January 6, 1978, the Commission is made up of 18 elected members. They are appointed for 5 years, renewable once.
B/ Diversified missions
1) Information mission
The CNIL informs individuals and professionals and responds to their requests. Anyone can contact the CNIL if they have difficulty exercising their rights.
This implies, for example, that the Commission makes its opinions, decisions and recommendations available to the public.
2) Consultation mission
In this context, the CNIL may give its opinion on its own initiative. It is responsible for responding to any request for advice from public authorities.
As such, the government is required to consult the Commission on any bill relating to the processing of personal data.
Through its power of recommendation, the CNIL sets the conditions for implementing processing on specific points (e.g. geolocation, electronic voting, cookies, etc.).
- Sanctions: they are graduated and can range from a call to order to an administrative fine (which can reach 20,000,000 euros or 4% of the company's total annual worldwide turnover).
In the event of a serious and immediate violation of rights and freedoms, the president of the CNIL may
- if their main activities lead them to carry out regular and systematic monitoring of people on a large scale,
- Monitor compliance with the GDPR regarding the protection of personal data;
- Responsibility
- Technical and organizational measures for data security with regard to risks