What are companies' obligations?
In order to reinforce the rights of European citizens the GDPR has defined and redefined data controllers and data processors' obligations.
Image illustrating the article What are companies' obligations?

The RGPD is the reference text in terms of personal data protection. It aims at reinforcing the rights of European citizens but also at making the actors processing personal data more responsible. Here's an overview of the obligations aimed at those actors.

The obligation of information and transparency

The reinforcement of users' rights translates first of all into an obligation of transparency and information for data controllers. Thus, the information transmitted to the user must be clear and easily accessible and understandable. This information allows the persons concerned to be fully aware of the processing of their data and to have a better control of their data by facilitating the exercise of their rights.

The obligation of security and confidentiality

The data controller is subject to an obligation of security of the information systems, in order to guarantee the protection of the personal data he processes. He must implement all technical and organizational measures to limit the risks to the rights and freedoms of individuals. In the event of a breach, the processor must inform the CNIL within 72 hours, and even the concerned person if the breach involves sensitive data.

The obligation to build a contractual framework with the data processor

The data controller must contractually regulate data transfers with data processors, providing for security and confidentiality guarantees imposed on the latter and limiting its ability to hand over activities to another data processor without prior agreement. It is important that the data controller ensures that they work with a data processor that complies with the GDPR.

Guaranteeing the rights of individuals

The data controller must implement the necessary means to respond to requests to exercise the rights of individuals within one month. Whether it is the right to erasure, limitation of processing, access, portability, opposition or rectification.

Establish a processing record and conduct an impact assessment

Data controllers and processors must provide a processing recor for each processing of personal data and conduct an impact assessment if the processing poses a high risk to individuals' data. The impact assessment documents the security measures that are required of the controller in relation with the risks for users' personal data.

Appointing a DPO

In some cases, the data controller must appoint a DPO, who will be in charge of controlling the legal compliance of the processing. This appointment is only mandatory in certain cases defined by the CNIL.

The obligations of the subcontractors

Concerning the data processors, they are initially subject to an obligation to advise their clients. Thus, they must assist the data controller in the implementation of certain of its obligations.
However, they are not exempt from complying themselves with specific obligations regarding security, confidentiality and documentation of their activity. This implies, in particular, taking into account the protection of personal data when designing their products or providing their services.
They must ensure that they are compliant with the GDPR at all times.

The non-respect of those obligations can cost a lot to data controllers and processors. The price to pay being the one decided by data protection authorities, and the wound on the company's reputation. Being compliant is an obligation but also an opportunity for companies to stand out by showing their good faith. Here is a related article detailing how to be compliant.

Stéphanie Exposito-Rosso

Tue Oct 26 2021