Yield, data, Europe will be your guardian!

June 27th 2016

The new General Data Protection Regulation, more commonly referred to as the GDPR, was published on May 4, 2016 in the OJEU (Official Journal of the European Union) and will apply from May 25, 2018.

The GDPR places the obligations relating to the protection of personal data at the fore of economic activity by enforcing them very stringently on companies: a company which fails to respect the terms of the Regulation and to comply by spring 2018 may be subject to a fine of up to 4% of the annual worldwide turnover of the group in question or a maximum of 20 million euros.

In France, the CNIL, which until now had been unable to enforce its standards on blue chip companies, will see its maximum fine of 150,000 euros replaced by a much more significant and dissuasive sanction.

In short…

- What is the scope of application of the GDPR?

The GDPR applies to any processing of personal data, except in the exceptional cases provided for by the Regulation.

The GDPR applies to the processing of personal data carried out in the context of the activities of an establishment of a data controller or sub-contractor set up in the territory of the European Union, whether or not the data processing itself takes place in the European Union.

- What are the major plus points of the GDPR?

  • New definitions (personal data, data processing, profiling etc.);
  • More punitive sanctions;
  • More stringent obligations for the data controllers, who are now jointly liable with their sub-contractors;
  • Enhanced rights for the persons whose data is collected;
  • A more efficient European cooperation between the relevant authorities.

What is personal data?

This very broad notion is defined by the GDPR (but also by the previous texts) as: “any information relating to an identified or identifiable individual”.

In practice, personal data may be either “direct” data, such as a surname, or “indirect” data, such as an email address, an individual’s computer IP address or any other commercial and/or technical identification number.

By asserting that an “online user identification” is personal data, the GDPR has settled the French debate on the qualification of the IP address: the CNIL considered it to be personal data whereas, up until now, the Cour de cassation (French Civil Supreme Court) had issued judgments to the contrary.

What is data processing?

This is also a very broad notion, defined by the GDPR as: “any operation or set of operations, whether or not carried out by automated means, applied to personal data or a set of personal data, such as the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, utilization, communication by distribution, dissemination or any other form of data provision, reconciliation or interconnection, limitation, deletion or destruction”.

What conditions have to be met for data processing?

- It must be sincere.

Any person whose personal data is collected must be informed, at the time of collection, of the data controller’s identity, the purpose of the data processing and the data recipients. The GDPR specifies that the information must be concise, transparent, intelligible and easily accessible.

Certain data processing (for example, of sensitive data concerning origin, sexuality, political opinions, etc.) is strictly regulated and may only be carried out after obtaining the express consent of the person in question.

The person concerned must be informed of his right to object to the data processing, to access the data collected, to modify it and, as the case may be, to request its withdrawal for legitimate reasons.

The GDPR specifies, in addition, that the same facility for giving consent must also apply when withdrawing consent.

The GDPR also regulates the means by which the recipient of the data, who is not the source of the data being collected, must inform the person whose data is being processed.

- It must be lawful.

Data processing may only be carried out for a specified, explicit and lawful purpose, under one of the following conditions, and never for a general purpose:

  • Express consent of the person concerned;
  • Necessary for the performance of the agreement;
  • Necessary for the respect of a legal obligation or for the essential interest of the person in question or for the performance of a public interest mission.

The major plus point of the GDPR: the data controller must be able to prove that consent was given. Furthermore, the data collected may not subsequently be processed in a way that is inconsistent with the initial purpose, as the data controller would then risk the new pecuniary sanctions provided for by the GDPR (see above).

- It must be proportionate.

This is one of the major plus points of the GDPR: the data must be “limited to the minimum required with regard to the processing purposes” whereas, until now, the EC Directive (95/46/EC) and French law only required that the data processing be “non-excessive”.

This enhances the appropriate and relevant nature of the data processing with regard to the given purpose.

- It must be secure.

Another major innovation of the GDPR: the companies must ensure that they adopt appropriate organizational and technical measures as from the creation of a project giving rise to data processing (privacy by design).

Furthermore, each company is now obliged to provide its contacts with the highest level of data protection possible (privacy by default).

Until now, a generic security obligation was imposed on the data controller, who had to pass it on to the sub-contractor by contract. Now, a data controller who has recourse to a sub-contractor must ensure that the latter meets the requirements for the security and protection of the data of the person in question.

The GDPR also recommends a preliminary audit for the use of new technologies.

- It must be controlled.

Data processing must be controlled, including by the data controller with regard to his sub-contractor.

To do so, the GDPR obliges companies to be able, at any time, to demonstrate compliance with the rules for protecting personal data.

This control extends to a number of declarations to be filed with the national authority of the company’s principal establishment, covering all the data processing carried out in Europe (for example, the CNIL, for a company whose registered office is located in France).

In this regard, it must be recalled, in particular, that any personal data transfer to a country outside the EU (including the United States since the ruling issued by the Grand Chamber of the CJEU on October 6, 2015 in the case “Schrems v/ Digital Rights”) must be stringently controlled, and the GDPR sets forth that both the data processing and the transfer remain subject to European regulations, even outside the EU.

Furthermore, companies must now notify the control authorities as well as the persons in question in the event that they suffer a security breach compromising data security.

Furthermore, the GDPR provides that any company with more than 250 employees must draw up a register of all the data processing carried out, as must any company which processes sensitive data on a large scale or carries out regular and systematic monitoring of individuals.

Finally, the data controller and the sub-contractor must now appoint a data protection representative where:

  • the activities of the data controller or of the sub-contractor, or the purposes of the processing, require regular and systematic monitoring on a large scale;
  • the processing concerns data referred to as “sensitive”;
  • in other cases, as required by national legislation.

Other innovations of the GDPR

Other significant innovations are to be mentioned, such as:

  • The formalization of a right to be forgotten;
  • The creation of a right to restrict data processing;
  • The creation of a right to data portability;
  • The supervision of profiling;
  • Enhanced intra-community policies for cooperation and consistency;
  • Enhanced obligations relating to data sub-contracting;
  • Enhanced sanctions.

To come…

The Draft legislation for a Digital Republic, currently under examination in the French Parliament, includes numerous provisions resulting from the European Regulation but also introduces new provisions (pending the final text) and should be adopted before 2018.

It therefore appears preferable for a French company to bring itself into compliance within a reasonable time period, so as not to be caught out in a rush when these texts become fully applicable.

Jérôme Sujkowski - Jean-Christophe Chevallier