Who is affected by the General Data Protection Regulation?
The law firm FELLOUS AVOCATS assists companies in bringing their activities into compliance with European data protection rules. Indeed, the collection and processing of personal data by companies are subject to obligations designed to protect the privacy and individual freedoms of the persons whose data is collected.
The General Data Protection Regulation No. 2016/679, or GDPR, came into force in France on May 25, 2018 after several years of negotiations in the European Parliament.
This regulation has profoundly modified the French rules previously in force, which stemmed from the so-called “Informatique & Libertés” law of 6 January 1978 and, in particular, from the 1995 Personal Data Protection Directive.
The objective of the GDPR is to strengthen both the rights of the persons whose data are collected and the accountability of the actors in charge of processing that data, while avoiding the pitfalls of country-by-country application.
Who is affected by the General Data Protection Regulation?
As regards its material scope, the GDPR applies to any private or public body that collects and/or processes personal data, regardless of its sector of activity or size.
It also concerns processors, that is, any body that processes or collects personal data on behalf of another entity.
As regards its territorial scope, the regulation applies to all organizations established in the European Union, but also to any organization based outside the EU whose business directly targets European residents.
Who is responsible for monitoring the obligations arising from the GDPR?
The Commission Nationale de l'Informatique et des Libertés (CNIL) is responsible for supervising bodies subject to the GDPR and for imposing sanctions on them when breaches are found.
What are the penalties for non-compliance with GDPR obligations?
The sanctions are dissuasive: in case of non-compliance with GDPR obligations, the owner of the website or mobile application incurs administrative sanctions imposed by the CNIL, in the form of a fine of up to 20 million euros for a natural person, or up to 4% of worldwide turnover for a company or an administration.
How can you have better control over the collection and processing of personal data within your company?
It is possible to designate a Data Protection Officer (DPO), who supports and advises the persons responsible for processing personal data in their efforts to comply with the applicable rules.
Is it mandatory to appoint a data protection officer?
The designation of a Data Protection Officer (DPO) is optional, except in the following three cases:
- when the processing is carried out by a public authority or body
- when the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale
- when the core activities of the controller or processor consist of large-scale processing of sensitive data or of personal data relating to criminal convictions and offences (Reg. EU 2016/679 of 27 April 2016, arts. 9 and 10)
Outside these specific cases, however, the appointment of a data protection officer remains highly recommended by the Commission Nationale de l'Informatique et des Libertés (CNIL) and the European Data Protection Board (EDPB).
A controller or processor that does not designate a DPO should document this choice, as the supervisory authority may ask for this documentation.
How do I appoint a data protection officer?
The choice of the data protection officer is free.
The DPO may be an external person acting under a service contract, or an employee of the controller or processor.
A group of companies can designate a single DPO, as long as that person is easily reachable from each establishment. The designated person must have the professional qualities required to carry out the tasks assigned to them, and in particular must have expert knowledge of data protection law and practices.
Certification procedures, carried out by approved bodies in accordance with a standard adopted by the CNIL, now make it possible to attest to the skills of a data protection officer (CNIL, Délib. no. 2018-318 of 20 September 2018).
These certification bodies are themselves subject to criteria established by the CNIL (CNIL, Délib. no. 2018-317 of 20 September 2018).
In any case, the DPO must be a professional who is able to perform the role independently.
Should the appointment of a data protection officer be the subject of special publicity?
It is the responsibility of the controller or processor to publish the contact details of the data protection officer and to communicate them both to the CNIL and to the data subjects.
How is this function performed?
The controller or processor must involve the data protection officer, at an early stage, in all matters relating to the protection of personal data.
They must also provide the DPO with the resources necessary to carry out their tasks, as well as access to personal data and processing operations.
They must support the DPO in maintaining their expert knowledge.
They are required to ensure that the tasks entrusted to the DPO do not place the DPO in a conflict of interest.
In the performance of their duties, the data protection officer is bound by professional secrecy and by a duty of confidentiality.
The data protection officer performs the role in full independence.
The DPO reports to the highest level of management and may not receive instructions, or be penalized, from the controller or processor when acting within the scope of their tasks.
The DPO nevertheless remains liable for professional faults or other serious misconduct under ordinary law.
The data protection officer is not personally liable for the organization's non-compliance with data protection rules.
Only the controller or processor can be held liable (Reg. EU 2016/679 of 27 April 2016, art. 24(1) and art. 28).
What are the DPO's tasks?
The data protection officer informs the controller or processor, as well as the staff members carrying out processing, of their rights and obligations with regard to data protection.
The DPO answers any questions they may have in this area.
When a data protection impact assessment is carried out, the DPO advises the organization that appointed them.
It is also the responsibility of the data protection officer, whose contact details are public, to answer data subjects' questions about the processing of their data and to inform them of their rights in this area.
The data protection officer monitors compliance, by the controller or processor, with Union law and national data protection law.
The DPO ensures that processing operations comply with the GDPR, with the applicable national legislation and with internal rules.
Once appointed, the data protection officer becomes the CNIL's privileged point of contact on data protection matters.
The DPO also consults the CNIL when necessary, in particular when an impact assessment shows that a processing operation presents a high risk.
The data protection officer advises the controller on whether an impact assessment is required and verifies that it is properly carried out.
The European supervisory authority has specified certain points on which the controller must consult the DPO.
The data protection officer is required to prioritize their activities, giving precedence to those that present a significant risk in view of the nature, scope, context and purposes of the processing.
The list of tasks established by the GDPR is not exhaustive (Reg. EU 2016/679 of 27 April 2016, art. 39).
The EDPB therefore concluded, in its guidelines, that nothing prevents the controller or processor from entrusting the data protection officer with maintaining the register of processing operations (Guidelines WP 243 rev.01).
To summarize what the DPO is, and is not...
“Is the DPO liable in the event of a breach of the GDPR?” False.
The person responsible for complying with the legal framework is not the DPO but the “controller” (primarily the organization), which determines the purposes and means of processing.
The DPO can therefore be held personally liable only if they intentionally breach, or knowingly facilitate a breach of, data protection obligations.
“Can someone be appointed DPO on a part-time basis?” True.
The head of the organization may choose to appoint a full-time or part-time DPO.
This is the case whenever the designated person is a staff member who performs other duties in parallel.
Note that these other activities must not interfere with the person's ability to carry out the DPO tasks properly.
“Must the DPO have legal and technical skills?” True.
To be effective, the DPO must have knowledge and understanding of the rules and techniques for protecting personal data.
However, the required level of expertise may vary depending on the data protection stakes associated with the organization's activities (volume, complexity and sensitivity of the processing operations carried out).
In addition, the DPO's skills are meant to be complemented by other internal expertise, and will develop over time, through practice and with the organization's support.
“Must the DPO be certified?” False.
There are many certifications for DPOs, but it is not necessary to be certified to be appointed to this position.