Following on from the article "The GDPR and the laws on personal data in France", this article looks at the specific provisions of the GDPR. It details the main points that are essential for understanding the architecture and spirit of the regulation, with a view to their operational application in companies; not all provisions are covered.
The analysis follows the order of the articles, citing the articles, paragraphs and points concerned (in abbreviated form, e.g. "1a" for paragraph 1, point (a)) for the sake of clarity and precision.
Article 3 of the GDPR sets out its territorial scope. It applies to any organisation (controller or processor) established in the EU, whether or not the processing itself takes place in the EU, and also to any organisation established outside the EU that processes the personal data of data subjects who are in the EU, where the processing relates to offering them goods or services or to monitoring their behaviour within the EU (3(2)). The criterion is the location of the data subject, not their nationality.
Legal basis of the processing
Processing is lawful only if at least one legal basis applies: the data subject has given consent (paragraph 1, point a), the processing is necessary for a contract (1b) or is necessary for the legitimate interests of the controller, unless overridden by the interests or rights of the data subject (1f); Article 6 also lists legal obligation (1c), vital interests (1d) and public-interest tasks (1e). Where data are further processed for a purpose other than the one for which they were collected, and that further processing is not based on consent or law, the controller must assess whether the new purpose is compatible with the original one, taking into account in particular the link between the two purposes (4a) (Article 6).
Duty to inform
When data are collected directly from the data subject, the controller must in particular indicate the purposes and the legal basis of the processing (1c), the legitimate interests pursued when they are the legal basis (1d), and the rights of access, rectification, erasure, restriction, objection and data portability that the data subject may exercise (2b) (Article 13).
For data not obtained directly from the data subject, the same information (identity of the controller, purposes of the processing, etc.) must be provided to the data subject individually, unless this proves impossible or would involve a disproportionate effort (Article 14(5b)); in that case the controller must still take appropriate measures to protect the data subject's rights, including making the information publicly available (e.g., on a website).
The controller must communicate any rectification, erasure or restriction of processing to each recipient to whom the data have been disclosed (Article 19), unless this proves impossible or involves a disproportionate effort; the data subject may ask to be told who those recipients are.
Rights of the persons concerned
Any person whose data are processed has a right of access (Article 15), a right to rectification (Article 16), a right to erasure (Article 17) and a right to restriction of processing (Article 18). Under Article 17, erasure is compulsory in particular when the data subject objects to processing for direct marketing purposes, and, for other processing, when the data subject objects and there are no overriding legitimate grounds for the controller to continue (1c); Article 17 also lists other cases (data no longer necessary, consent withdrawn, unlawful processing).
The data subject may also exercise a right to object to the processing: for direct marketing the objection is absolute and the processing must stop. For other purposes the objection must also be honoured, unless the controller demonstrates compelling legitimate grounds that override the interests, rights and freedoms of the data subject (Article 21).
Every natural person has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects on him or her or significantly affects him or her in a similar way (Article 22).
General obligations
Data must be protected by design and by default (Article 25).
The controller must keep a record of processing activities (Article 30), indicating among other things the purposes of the processing, the categories of data subjects and data, the categories of recipients, the envisaged retention periods and, where possible, a general description of the security measures of Article 32; processors keep a corresponding record of the processing carried out on behalf of each controller.
Article 32 requires the controller and any processor to implement appropriate technical and organisational security measures, proportionate to the risk. The article names, as appropriate: pseudonymisation and encryption of the data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; the ability to restore availability and access to the data in a timely manner after an incident; and a process for regularly testing and evaluating the effectiveness of the measures. Adherence to an approved code of conduct or certification may be used to demonstrate compliance (32(3)).
The regulation establishes the principle of notifying the supervisory authority (the CNIL in France) of a personal data breach without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the persons concerned (Article 33). The notification describes the nature of the breach, its likely consequences and the measures taken or proposed; if it cannot be complete within 72 hours, the information may be provided in phases. A processor must notify the controller without undue delay (33(2)), and the controller must document every breach, whether notified or not, so that the supervisory authority can verify compliance (33(5)). Where the breach is likely to result in a high risk to the rights and freedoms of the persons concerned, they must also be informed directly (Article 34), unless the data were protected by measures such as encryption that render them unintelligible to unauthorised persons (3a), unless subsequent measures have removed the high risk (3b), or unless individual communication would involve a disproportionate effort, in which case a public communication is made instead (3c). In practice this means the 72-hour clock starts at the moment of awareness, not at the moment the breach occurred, and that keeping data encrypted with keys that were not compromised can spare the controller the obligation to contact each data subject.
A data protection impact assessment is mandatory where a processing operation is likely to result in a high risk to the rights and freedoms of natural persons, in particular (35(3)) in the case of a systematic and extensive evaluation of personal aspects based on automated processing, including profiling, that produces legal or similarly significant effects; large-scale processing of special categories of data or of data relating to criminal convictions; or systematic monitoring of a publicly accessible area on a large scale (Article 35).
Prior consultation of the supervisory authority (the CNIL in France) by the controller is required when the impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate it, i.e., when the residual risk remains high (Article 36).
The appointment of a Data Protection Officer (DPO) is mandatory, among other cases, when the core activities of the controller or processor consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, or of large-scale processing of special categories of data; it is also mandatory for public authorities (Article 37).
Miscellaneous provisions
The drawing up of codes of conduct (by associations and other bodies representing categories of controllers or processors) is encouraged (Article 40), as is the establishment of (voluntary) certification mechanisms, seals and marks (Article 42).
Transfers of personal data to countries outside the EU are regulated (Articles 44 to 50).
Administrative fines imposed by the supervisory authority (the CNIL in France) are set in two tiers depending on the provisions infringed: up to 10 million euros or 2% of total worldwide annual turnover for infringements of obligations such as those of the controller and processor (e.g., security, records, breach notification), and up to 20 million euros or 4% of worldwide annual turnover for infringements of the basic principles, the rights of data subjects or the rules on transfers; in each case the higher of the two amounts applies (Article 83).
The regulation leaves it open to the member states to adopt specific national measures designed to reconcile the public's right of access to official documents with the right to protection of personal data (Article 86).
The next article will deal with the European regulation on privacy in electronic communications, known as ePrivacy, which was still being drafted at the time of writing.