GDPR practical guide in 10 key points

This is the European regulation n ° 2016/679 of April 27, 2016 relating to the protection of personal data (RGPD) which entered into force on May 25, 2018.

The GDPR applies to all structures (companies, administrations or public bodies) of any size when they are established in one of the member countries of the European Union or when they process personal data relating to residents of the European Union.

Personal data is defined as “any information relating to an identified or identifiable natural person”.

An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier, an identification number, location data or to one or more specific elements specific to his physical, physiological, genetic, psychological, economic, cultural or social.

On June 21, 2018, a new Data Protection Act came into effect. Its purpose is to concretely implement the GDPR and the so-called “police justice” directive.

The provisions of the GDPR and Directive 2016/680 have been codified by ordinance and incorporated into the Data Protection Act so that the structure of this text has been retained.

With the entry into force of the GDPR, the formalities to be carried out with the CNIL have almost all disappeared. Thus, it is no longer necessary to make a normal declaration, simplified declaration or authorization request. These texts will soon be transformed by the CNIL into "references" to guide professionals wishing to comply with the regulations.

Notable exception: requests for authorization in medical matters remain applicable.

Schematically, this is the person responsible for implementing the GDPR within the company.

In particular, it has the role of:

• Raise the awareness of the employees of the organization that appoints him of compliance with the GDPR;
• Implement and supervise internal audits in the organization on compliance with the GDPR;
• Advise the organization on whether to carry out an impact analysis and, if so, supervise the execution;
• Receive and respond to any questions relating to data protection;
• Manage the organization's relations with the CNIL.

The DPO can be an employee of the organization that appoints him but also an external service provider (for example, a lawyer). In order to carry out his mission effectively, a DPO must have a good knowledge of the GDPR but an in-depth knowledge of the sector of activity of the organization which appoints him. Finally, he must not have any conflicts of interest with his other missions and must be able to carry out his duties as DPO in complete independence.

In practice, this is often the IT manager or the legal manager.

The appointment of a DPO is mandatory for public bodies or companies whose basic activity leads them to carry out regular and systematic monitoring of people on a large scale, or to process so-called "sensitive" data or data on a large scale. to criminal convictions and offences.

In other cases, the appointment of a DPO is optional but is encouraged by the CNIL.

Offenders incur a fine of up to 4% of their worldwide annual turnover.

For an effective implementation of the GDPR, it is essential to map the data processing implemented within the organization and to carry out a compliance audit of its information system.

We are naturally at your disposal to support you in this context and refer you to our corresponding offer.