Regulation (EU) 2016/679, the European Union’s (EU) new General Data Protection Regulation regulates the processing by an individual, a company or an organisation of personal data relating to individuals in the EU. This regulation harmonizes data privacy laws across Europe and will be enforced in France on 25 May 2018.
It applies if the data controller (company or organisation that collects data from EU residents) or the data processor (company that processes data on behalf of a data controller), or the data subject (person) is based in the any of the 28 countries of the European Union. It doesn’t apply to the processing of personal data of deceased persons or of legal entities. The rules don’t apply to data processed by an individual for purely personal reasons, provided there is no connection to a professional or commercial activity.
GDPR main axes:
- Reinforcement of the right of individuals to have their personal data protected
- Establishment of the obligations of those processing and those responsible for the processing of the data
- Reinforcement of the authorities controlling powers
What are the companies’ obligations?
- Lawfulness, loyalty, transparence
- Purpose and data retention limitation
- Minimisation and accuracy of data
- Integrity and confidentiality
- Notification of the personal data file and its characteristics to the CNIL (France)
- Ensure that citizens are in a position to exercise their rights through
information - Accept on-site inspections by the CNIL and answer to any request for information
Moreover, companies should be able to prove their conformity to GDPR.
How can companies comply with GDPR?
Companies are required to comply with specific obligations as regards security, confidentiality and documentation of their activity:
- by implementing a data protection system and procedures
- by regularly educating and training their employees
- by designating a data protection officer
What is personal data?
Accordingly to the EU, personal data is “any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data”.
Anonymized data is no longer considered personal data. However, for data to be truly anonymised, the anonymisation must be irreversible.
Examples of personal data
- name and surname
- home address
- email address
- location data
Learn more about this:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
Commission Nationale de l’Informatique et des Libertés (CNIL)