IT and personal data protection / GRDP
Data protection legislation is at the heart of the legal issues dealt with by the Chabert & Associés law firm, in particular in the fields of computer law, Internet law, and also health law and biotechnologies. Given the growing importance of personal data, and to best meet the needs of its clients, whether private or public, the law firm has created an expertise pole dedicated to these issues.
The new General Regulation on Data Protection (GRDP) was adopted on April 8th, 2016 (coming into effect on May 25th, 2018), harmonising personal data (PD) protection law across Europe.
As this text is a European Regulation, it is directly applicable in France, with no need for transposition into domestic law. It aims to take into account recent developments concerning PD processing.
Every organization, as a data controller, must comply with its provisions by the date set for the coming into effect of the GRDP.
In case of an inspection by the CNIL (the French Data Protection Authority), organizations must be able to prove that they comply with the new provisions. The European Union wished to have an effective regulatory tool, so the sanctions applying in case of violation of the GRDP provisions follow a deterrence rationale.
Depending on the violations attributed to the data controller, sanctions imposed on organizations can reach 4% of the organization's annual worldwide turnover of the previous year.
If the organization is part of a group, there is a risk that the administrative fine takes into consideration not only the inspected affiliated company's turnover, but also the whole group's turnover.
The GRDP brings significant changes in the field of PD processing. Even if the principles stemming from the French Law of January 6th, 1978 ("Information technologies and liberties") remain in force, the philosophy changes radically: the formalities to be fulfilled with the CNIL disappear, save for some exceptions, and the data controllers' liability is, in return, reinforced.
The legislator has in fact adopted an ex post control system, instead of the previous ex ante system. In other words, only principles are formulated, and data controllers are responsible for the conformity of their organizations with the GRDP provisions, in order to ensure every European citizen's right to the protection of his/her PD.
With the coming into effect of the GRDP, individuals from whom personal data are collected hold reinforced rights, and in case of inspection, the organization must prove that, from the design stage of the PD processing, the possible impact of such processing on data subjects was considered and, by default, taken into account. The organization must also justify its choices each time it diverges from an applicable requirement (keeping of a register, impact assessment, appointment of a DPO (Data Protection Officer), etc.).
This new philosophy requires the implementation of internal procedures, as well as the formalization of substantial documentation allowing the inspected organization to justify its choices.
CHABERT & Associés Law Firm supports organizations in implementing such compliance, through different steps.
This expertise pole aims to support its clients on the items below:
- Auditing data processing within the company, as well as contracts, from the perspective of personal data protection.
- Formalities to be completed with the CNIL (declaration, authorization, etc.).
- Drafting specific tools (IT system charter, ethical charter, white paper, information memos, legal rules for websites, etc.).
- Supporting clients in the introduction of new technologies (biometrics, geolocation, video, etc.).
- Determining the rules for the protection of personal data within the company.
- Appointment of a Correspondent for personal data protection (CIL).
- Training on personal data protection, including the cyber-surveillance of employees.
- Health data processing, which is subject to specific requirements.