The GDPR: a crucial European regulation for the protection of personal data.
1. What is the GDPR? The GDPR is the General Data Protection Regulation, which replaces Directive 95/46/EC in order to strengthen the protection of personal data.
- The institutions behind the GDPR: adopted by the European Parliament and the Council of the European Union in 2016.
- The reasons for the creation of the GDPR: a response to the growth of the Internet, to regulate the collection and processing of data.
2. Personal data: definition and regulation.
- What is personal data? Any information that identifies a natural person.
- Regulation of the use of personal data: fair collection, consent and the right of access of the data subjects.
3. Aim of the GDPR: to protect the rights of individuals and to make companies that process personal data accountable.
1. What is the General Data Protection Regulation?
The acronym RGPD (in French) or GDPR stands for the General Data Protection Regulation. It is a European regulation on the protection of natural persons with regard to the processing of their personal data and on the free movement of such data; it repeals Directive 95/46/EC, its predecessor.
Until then, only the Data Protection Act No. 78-17 of 6 January 1978 served to protect individuals' personal data.
The GDPR complements and strengthens the Data Protection Act.
a. The institutions behind the RGPD
Regulation No. 2016/679 on the protection of personal data was adopted jointly by the European Parliament and the Council of the European Union on April 27, 2016.
b. The reasons for the creation of the GDPR
The European legislator created the General Data Protection Regulation in response to the strong growth of the Internet, in order to fill numerous legal gaps, address new uses of data, and determine how the personal data of the users of online services must be collected and processed.
2. Personal data
a. What is personal data?
The concept of “personal data” refers to any information relating to an identified or identifiable natural person. Identification may be direct, for example when the data subject is identified by their name, or indirect, for example when the data subject is identified through their telephone number or customer number.
In short, a natural person can be identified from a single piece of data, such as their DNA or social security number, or from a combination of data concerning them, such as their gender, age, address or membership in an association.
Good to know:
The use of personal data is not new. The personal data of natural persons has been used for many years by administrations and public services, but also by private companies (customer files).
However, the collection of personal data has reached its peak with the digitization of the economy and the everyday online activity of natural persons (personal data collected by browsers).
b. Regulation of the use of personal data
Users' personal data must be collected fairly, for specific purposes, and with the consent of the person concerned.
Accordingly, anyone who has consented to the use of their personal data by a service has the right to access the data collected about them and to request its correction.
3. What is the aim of the GDPR?
In creating the GDPR, the legislator relied on Article 8 of the Charter of Fundamental Rights of the European Union, which concerns the protection of personal data.
The aim of the GDPR is to protect the personal data of individuals by defining the rights and duties of those who collect and process this data. It therefore seeks to strengthen the rights of individuals and to make companies that process individuals' personal data accountable.
4. Actors who are required to respect the RGPD and its protective organization
a. Persons required to comply with the RGPD
The European Regulation on the protection of personal data must be respected by any public or private organization (including subcontractors who process personal data on its behalf or on behalf of a third party) as soon as it is established on European territory or carries out an activity through which it collects personal data belonging to European residents, regardless of its sector of activity or size.
b. The obligations of companies subject to the RGPD
To comply with the GDPR, companies have several obligations, such as:
- Guarantee maximum security of the personal data of each user of the company's services;
- Request the consent of the person concerned before using their personal data;
- Be transparent about its data processing; as a result, the company has a duty to advise and inform its users;
- Not infringe the rights of its users when using their personal data;
- Keep a data processing register (maintaining this register is mandatory in companies with more than 250 users);
- Appoint a data protection officer (DPO);
- Carry out impact assessments prior to the processing of personal data, in order to manage the risks that may arise during processing and thus avoid data leaks.
5. The role of the CNIL
a. The origin of the CNIL
In France, the authority responsible for verifying that organizations subject to the GDPR comply with it is the Commission Nationale de l'Informatique et des Libertés, better known by the acronym “CNIL”. This independent administrative authority (AAI) was created by the Data Protection Act of January 6, 1978 to support professionals in complying with the regulation on the protection of personal data, and to help individuals control their personal data and exercise their rights.
It is composed of 18 elected or appointed members, and its role is to ensure that each organization subject to the GDPR applies its rules correctly.
The CNIL alerts, advises and informs all actors, but it also has the role of monitoring and sanctioning any breach of the GDPR.
b. The missions of the CNIL
To play its role as guardian of personal data, the CNIL has four main missions: information and protection, advice and support, monitoring and sanction, and forecasting.
As part of these missions, the CNIL examines several elements.
In particular, the CNIL must verify that the organization under its control has respected the principle of transparency. It checks that the information relating to the use of the personal data collected is complete and easily accessible, so that the data subject can consult, modify or delete it, in accordance with the right to be forgotten set out in Article 17 of Chapter III of the GDPR, entitled “Right to erasure (‘right to be forgotten’)”.
The CNIL must also examine the scope of the personal data collected: it verifies that the organization collected only the information that is useful to it, and only personal data to which the user of the organization's service has previously consented.
In addition, the CNIL must look at the data retention period: all personal data that organizations have collected with users' consent may be kept only for the period necessary for the authorized use.
Finally, the CNIL must ensure the security and confidentiality of data: users' personal data must be stored in secure locations so that its confidentiality is guaranteed to the users of the services under control.
6. Penalties in case of non-compliance with the RGPD
If a company does not comply with the GDPR, it risks both criminal and administrative sanctions.
a. Administrative sanctions
Administrative sanctions are governed by Article 83 of the GDPR and take the form of a fine.
These sanctions, issued by the CNIL, must be proportionate to the seriousness of the breach committed by the company, while remaining dissuasive.
The CNIL is therefore the competent authority for determining the nature of the sanction that the company must face as a result of its breach of the GDPR.
To do this, the CNIL must take into account several elements, such as:
- The seriousness of the GDPR violation;
- The duration of the violation;
- Whether the company that committed the breach made every effort to mitigate the damage caused to the persons affected by it;
- The degree of cooperation of the company involved.
If the company in question receives an administrative penalty, the amount of the fine varies according to the violation found by the CNIL.
For example, in the event of a violation of the conditions governing the collection of children's consent, or a violation of privacy by design (Article 25 of the GDPR), which requires the company to protect its users' personal data from the design stage onwards and to apply protection by default to all the personal data it processes, the company may be ordered to pay a fine of up to 10 million euros. For more information, see our article on privacy by design.
As another example, in the event of a violation of the principles of data processing or of the conditions for the lawfulness of data processing, the company in question may be fined up to 20 million euros.
The highest fine to which the CNIL has condemned a company is 50 million euros. This administrative penalty was imposed on Google following multiple breaches of the GDPR.
b. Criminal sanctions
Article 84 of the GDPR allows each Member State of the European Union to establish criminal sanctions for violations of the GDPR.
For example, French law provides that, in the event of a violation in the use of a user's personal data that does not fall within the scope of administrative sanctions, the legal representative of the company in question may be sentenced to up to 5 years' imprisonment and a fine of 300,000 euros under Article 226-21 of the Criminal Code, which provides that:
“The fact, by any person holding personal data during their recording, classification, transmission or any other form of processing, of diverting this information from its purpose as defined by the legislative provision, regulatory act or decision of the National Commission for Informatics and Freedoms authorizing automated processing, or by declarations prior to the implementation of this processing, is punishable by five years of imprisonment and a fine of 300,000 euros.”
Good to know:
Individuals who are victims of a personal data breach can ask the company that caused the damage to pay damages.