1. Important GDPR definitions
The General Data Protection Regulation (GDPR) follows a European decision whose objective is to strengthen the protection of personal data by ensuring compliance.
GDPR compliance corresponds to the implementation of the means and measures necessary to comply with it: companies and organizations subject to the GDPR must put in place the mechanisms needed to comply with the rules on the processing of personal data established by the Regulation.
The term “personal data” covers any information about a natural person that allows that person to be identified, pursuant to article 4 of the GDPR.
Personal data is defined as any information relating to an identified or identifiable person. A person is considered identified when the identification is made directly, that is, by first name and last name, or indirectly, that is, by an identification number, a telephone number or several elements that together form a set of clues specific to that person's identity. The second category, that of the identifiable person, covers the case where a single piece of data, or a combination of several pieces of data, makes identification possible.
Applying the GDPR comes down to applying three ideas: transparency, user rights and corporate responsibility.
Transparency consists in a precise and clear indication of the purpose for which personal data is collected. The storage period, the use made of the data and the people who can access it must then be stated.
User rights concern the user's right of access to their data. In addition to this right, there are the rights to be forgotten, to deletion, to de-referencing and also to portability.
Finally, corporate responsibility consists in setting up adequate means to protect personal data through adequate mechanisms, while justifying the relevance of the data collected.
2. The principles of the GDPR
The principles of the GDPR are three: that of accountability, also called responsibility (a), that of privacy by default, also called data protection by default (b) and finally that of privacy by design, also presented here as the principle of portability (c).
a. The principle of accountability
Companies or organizations subject to the GDPR are required to comply with the rules relating to the protection of personal data under penalty of heavy sanctions.
The GDPR has established several principles that businesses must respect in order to be in compliance and to be able to demonstrate compliance.
Thus, to be in compliance with the GDPR, companies or organizations must comply with principles such as the principle of accountability, or responsibility.
This refers to the obligation to implement internal procedures and mechanisms that allow companies and organizations concerned by the GDPR to demonstrate that they have respected the rules relating to the protection of users' personal data.
The obligation to implement internal procedures and mechanisms allows companies, on the one hand, to prove that they comply with the data protection rules established by the GDPR and, on the other hand, to ensure that their technical and organizational measures are effective.
In addition, companies subject to the GDPR must regularly update the measures arising from the principle of accountability, so that the personal data of the persons concerned continues to be processed in accordance with the Regulation.
The principle of accountability is accompanied by two other principles: the principle of privacy by default and privacy by design.
b. The principle of “privacy by default”
The principle of “privacy by default”, or data protection by default, means that the person responsible for processing personal data must ensure that the personal data of the people using their service is protected by guaranteeing the highest level of security for that data. This is done by taking security and protection measures that can be applied either systematically or on an ad hoc basis when processing personal data.
The principle of privacy by default makes it possible to minimize and regulate, both internally and externally, the use that the companies and organizations concerned make of their customers' personal data. This applies in particular to technical design documentation, which must imperatively emphasize respect for privacy.
The principle of privacy by default only applies once the product or service is communicated to the user.
In this case, the protection standards must be applied by default, i.e. without any external manipulation, so that only data that is really likely to be used by the company is collected and stored.
The principle of privacy by default therefore extends to the quantity of personal data collected, the extent of the processing, the duration of storage and the accessibility of this data.
c. The principle of “privacy by design”
The principle of “privacy by design” refers to the principle of portability of the personal data of users of processing services. According to this principle, those responsible for processing personal data must put in place internal rules and implement measures that guarantee compliance with the protection of personal data.
The purpose of this principle of portability is to protect the personal data of individuals.
To this end, the principle of privacy by design requires companies using personal data to build this protection in from the design stage of any project involving the processing of individuals' personal data. The aim is to minimize the risk of non-compliance with data protection principles and thus to be in compliance with the GDPR.
To do this, the company must take the appropriate measures and put in place the appropriate organizational techniques for the processing of personal data.
Organizational measures and techniques are assessed according to the purpose sought by the company in charge of processing individuals' personal data.
In short, the principle of privacy by design makes it possible to put in place preventive measures that aim to limit the risk of privacy breaches and thus avoid companies or organizations paying a fine for non-compliance with the GDPR.
The principle of privacy by design regulates the use of the personal data of users of data processing services.
Indeed, companies and organizations responsible for processing personal data should not collect personal data from their users without legitimate reasons. The GDPR also gives users the possibility of having their data deleted from the database in which it is stored when storing it is no longer useful.
This principle gives users some control over their personal data.
The aim is to encourage companies to adopt technical data protection methods when designing data collection processes, in order to guarantee their users that their personal data is protected and secure.
The companies concerned must therefore comply with a set of rules relating to data security, in particular regarding data collection, transfer and storage, and must also limit the loss of personal and sensitive data in order to prevent damage, to maintain a good reputation and to attract new potential partners for the company concerned.
In short, the principle of privacy by design is based on several principles:
- The implementation of preventive measures in order to prevent breaches of personal data protection;
- The establishment of personal data protection by default, i.e. companies responsible for the protection of personal data are required to set up an implicit, default protection system;
- Businesses must protect the personal data of their users when designing privacy protection systems;
- Companies must guarantee the security and protect the privacy of their users throughout the project, and also throughout the period during which personal data is stored;
- Businesses should also ensure that their practices are visible and remain transparent;
- Businesses must respect the privacy of their users;
- They must guarantee their users optimal protection of their personal data.
These elements are the foundations of the principle of privacy by design and must be respected at every stage of the process.
To achieve this, the person responsible for processing personal data must implement the appropriate measures and techniques to ensure compliance with the GDPR.
The person responsible for implementing the appropriate measures and techniques to comply with the GDPR is the data protection officer. The latter must take into account the type of processing and the context in which it is carried out: the nature of the data (sensitive or not), the purposes pursued, and the risks that may affect the processing of the data and the rights and freedoms of users.
In addition, responsibility for data protection may also fall on processors (subcontractors), according to article 4 of the GDPR: “any person processing personal data on behalf of a controller is qualified as a processor”.
Indeed, article 4 of the GDPR provides that the processing of personal data may be carried out by one or more designated persons who determine the means of data processing.
In addition, the concept of joint controllers of personal data processing is provided for by article 26 of the GDPR, according to which, where there are several controllers, they must jointly determine the purposes and the means of the processing.
Joint controllers must therefore also transparently define their respective obligations in a contract in order to comply with the rules of the GDPR, in particular the rules on the exercise of the rights of the persons whose personal data is processed.
In short, personal data controllers must both put in place the measures necessary to comply with the GDPR and demonstrate that they have done so, because the controller has an obligation to provide information on all the processing it carries out.
Good to know:
The CNIL considers that the person responsible for the processing of personal data must be autonomous in the implementation and management of that processing.
Applying the principles seen above to company law, it appears that the partners of a company are responsible for the processing of the data they use to carry on their activity, because they make the decisions concerning the files of the company's members and shareholders, as well as the management files, human resources files and payroll files of employees.
⇢ In order to facilitate the drafting of your GDPR registers, we provide you with a free customizable GDPR register template.