This article is the first of a series of 3 centered around the GDPR.
If you are curious about :
This famous acronym stands for General Data Protection Regulation (GDPR). This European text has made a lot of noise. Especially since it came into force on May 25th of 2018.
It is THE text of reference in terms of personal data protection. It replaces the Data Protection Directive of October 24, 1995, and is the result of a 4-year-long negotiation process aimed at harmonizing the European legal landscape in terms of personal data protection. Between April 27, 2016 and May 25, 2018, all private or public companies in the 28 member states of the European Union had to do everything possible to comply with this text.
At the national level, it is the law on the protection of personal data of June 20, 2018, which came to bring the french law "informatique et libertés" (ie. "computing and liberties" in english) of June 6, 1978, into compliance with the GDPR.
The GDPR aspires to guarantee more transparency during the collection of personal data as well as to ensure that their use is carried out in a more secure and respectful manner for users and to standardize European law in this area.
Who is affected by the GDPR?
It concerns both public and private organizations processing personal data on EU residents, regardless of whether it is a company, a local authority or an association. The sector of activity, the size of the organization, nor the location of the organization is of no importance. The only thing that is relevant is that personal data are being processed, which concerns individuals located in the territory of an EU country.
Definition of a data controller and data processor
In terms of personal data processing, the GDPR explicitly refers to controllers and processors.
The former is "the legal person (company, municipality, etc.) or natural person who determines the purposes and means of a processing operation, i.e. the objective and the way in which it is carried out. In practice and in general, this is the legal person embodied by its legal representative."
The second is "the natural or legal person (company or public body) that processes data on behalf of another body ("the controller"), in the context of a service or provision."
Both of these actors are therefore covered by the GDPR when they carry out processing on personal data.
What is a processing of personal data?
A processing is "any operation on personal data, regardless of the process used."
This can therefore mean collecting, modifying, storing, organizing, consulting, reconciling with other data, transmitting, making available, deleting personal data.
A processing operation is therefore not only aimed at a file, but also at operations such as video surveillance, sending promotional emails, profiling or even the management of payrolls in a company.
"In practice, the GDPR therefore applies whenever a European resident, regardless of nationality, is directly targeted by a data processing operation." It strengthens the rights of individuals, through obligations for data controllers and processors. It makes them accountable. As such, in the event that these obligations are not respected, these data controllers or processors will be sanctioned.
Any non-compliance with the GDPR leads to sanctions, issued by the CNIL, which can reach between 2 and 4% of the turnover. Hence the need for an organization processing personal data to comply.
"What are the data controllers and data processors' obligations?" is a relevant question we have answered for you in this article.