The legal context is adapting to keep up with changes in technology and society (increased use of digital technology, development of online commerce, etc.). The RGPD provides a framework for the processing of personal data in the European Union.
What is the definition of RGPD?
RGPD is the French acronym for the GDPR, the General Data Protection Regulation. It provides a legal framework for processing and securing personal data throughout the European Union, whether that data is in digital form or not.
In concrete terms, what is the purpose of the RGPD?
In practice, the RGPD makes companies accountable for the collection, use and processing of the personal data they obtain from their customers, and also from their employees, their suppliers and others.
It has often been observed that such data is generally far too easily accessible to potentially malicious persons.
What is personal data for the RGPD?
Personal data within the meaning of the RGPD is to be understood in the broadest possible sense. According to the CNIL, personal data is "any information relating to an identified or identifiable natural person".
A person can be identified directly: surname, first name.
Or indirectly: phone number, biometric data, a combination of several elements specific to their identity, etc.
Who is affected by the RGPD?
Any company, association or public body based in the European Union that collects personal data. Companies located outside the EU that process the data of European citizens are also covered.
The obvious cases are websites that collect your information, your energy providers, telecom companies and banks, but also government services.
Less obvious are your pizza delivery service, your yoga teacher or your sports club, who hold your name, phone number or address: they too must take care to protect this data.
Even the baker who writes your name and phone number in a paper diary next to the order for your youngest child's birthday cake is covered!
What are the 4 main actions to implement for the RGPD?
On websites, everyone has noticed the small pop-ups asking whether you agree to be tracked and whether to allow or refuse certain cookies; this is only a small aspect of the obligations arising from the GDPR.
1/Collect only necessary data.
The RGPD is there to remind us that the data collected must be limited to what is strictly necessary: what is the point of asking for your phone number or home address in order to send you an email newsletter?
One should not collect data "just in case".
2/Secure that data
Companies and other organizations must secure the data they have. They must also designate a person responsible for implementing this regulation.
To secure digital data, they can use encryption software and protections for their computer systems such as firewalls or antivirus software.
For physical data, such as a notebook of names and phone numbers or a stack of pay slips, a safe or a locked cabinet is enough!
All of the organization's measures must be documented so that they can be explained in the event of an inspection by the CNIL.
3/Be transparent and facilitate access to this data by the persons concerned
Data cannot be collected without the person's knowledge (for example, cookies on a website); consent must be requested.
In addition, the person must be informed of their rights regarding their personal data: access, rectification, objection and even deletion.
4/Fix retention periods
Personal data should only be present in a database for the time necessary for its effective use.
Afterwards, it must be destroyed, anonymised or archived in compliance with very specific obligations.
What are the penalties for non-compliance with the GDPR?
It all depends on the breaches observed. The CNIL has a vast arsenal of sanctions, ranging from a simple reprimand to financial penalties that can reach several million euros.
How can I find out what data a company keeps on me and have it corrected or deleted?
Each organization must appoint a person responsible for implementing the GDPR. This person is usually referred to as the DPO (Data Protection Officer).
Most of the time, this person can be contacted by email at an address such as dpo@organisme.fr; this address must appear in the legal notice.
It can also be the usual contact address of the company, association or organization concerned.
It is with this person that you can exercise your rights.
You can refer the matter to the CNIL in case of difficulty.