2018 Your obligations for personal data and individual freedoms


The protection of personal data and individual freedoms has become a sensitive subject, and vigilance is a priority if you want to avoid ending up in an inextricable situation. Every business needs to collect and use personal information about its prospects and customers. In order to protect the privacy and preserve the individual freedoms of each individual, French law lays down strict rules that must be observed on pain of sanctions. Here is an overview of your obligations in terms of personal data and individual freedoms.

Each year, Data Legal Drive updates the GDPR barometer, in partnership with Lefebvre Dalloz and AFJE (the French Association of Corporate Lawyers), which gives a progress report on companies’ compliance since the GDPR came into force. This survey, carried out from 08.04 to 02.05.2021 (published on 24.05.2021) among internal and external DPOs and lawyers, reflects the opinion of data and privacy professionals in the private and public sectors, in organizations of all sizes and from all industries.

The time of upheaval

Over the past year, the context of the health crisis, new working methods, Brexit, the invalidation of the Privacy Shield and the new CNIL guidelines on cookies have brought website security flaws to the fore, with 24% more reports in 2020. Between the accelerating digitalization of activities and the increase in cyber attacks, companies and public bodies have developed new strategies dedicated to the protection of personal data. The survey was carried out among 348 internal and external DPOs and lawyers, 3/4 of whom are from the private sector. More than 1/3 work in medium-sized enterprises (ETI), 1/3 in small and medium-sized enterprises (SMEs) and 1/3 in very small enterprises (VSEs) and large enterprises.

The health crisis and the GDPR, a duo?

1 in 2 businesses have a good level of GDPR compliance. More than one in two companies surveyed believe they have achieved a good level of compliance. The health situation has in the end been favorable to the governance of personal data within companies and public bodies, almost half of which (47%) estimate that they have reached a completeness level above 70%. However, 37% of the structures report a completeness rate below 50%. The GDPR is perceived as a transversal, permanent and virtuous approach. For 32% of the companies surveyed, the GDPR is seen as a regulatory obligation; for 27%, it is a technical and/or legal constraint; and for 22%, the GDPR is a duty of transparency and a mark of respect.

Health crisis and cyber attacks

Twice as many companies have increased their security. 65% of the structures questioned have accelerated and reinforced their security by introducing new measures, twice as many as last year. The heavy sanctions issued by the CNIL against companies, together with the growing risks related to cyber attacks and data security, have prompted action on the part of companies and public bodies:

• 1/3 of DPOs have implemented security measures in accordance with article 32 of the GDPR;

• 64% have carried out audits of the security level of their website: HTTPS protocol, data collection forms, etc.

What is the general principle of obligations?

Any collection of personal data must be declared in advance to the CNIL (Commission Nationale de l’Informatique et des Libertés). For companies, in the majority of cases these are files of prospects and customers.
Before proceeding with your declaration, you must have verified that your file meets all legal obligations and have determined the following:

• Purpose: the purpose must be respected in all cases. You must therefore define
– the use you will make of the data: for example recruitment management, customer management, satisfaction surveys, etc.;
– what the data will be used for. Note that a file cannot be reused for purposes other than those initially defined: for example, there is no justification for asking a client for their social security number (NIR) to feed a file whose purpose is purchasing management.

• Duration: the company cannot keep the information collected indefinitely and must set a retention period for it; depending on the purpose, however, the information recorded in the file may be kept for a longer or shorter time. So when a newsletter subscriber asks to unsubscribe, their data must be deleted from the management file.

• Confidentiality: not everyone within the company may manage or access the data; the company must designate the authorized person(s) within its team.

• Security: the company must ensure that it puts in place the procedures needed to guarantee the physical and IT security of the information. To help SMEs, the CNIL has published a personal data security guide that provides thematic sheets with the basic precautions to be put in place to improve the security of personal data processing.
Note also that you must make as many declarations as you have files. In addition, if you plan to transfer the data collected outside the European Union, you must ensure that you comply with the relevant regulations, which authorize such transfers only in very specific cases.

How to declare your file?

Once the various parameters have been defined, you can declare your file online on the website www.cnil.fr. You then select the appropriate form (in most cases, the simplified declaration form) and follow the various stages of the procedure (identification of the company, purpose of the file, etc.).
Once your declaration has been sent, you will receive a first confirmation informing you that your request is being processed. After checking your file, the CNIL will then send you a declaration receipt if it complies, or notify you to modify your declaration if it is incomplete and/or does not comply with the management rules. For fast processing of your file, it is recommended to opt for paperless (dematerialized) follow-up of your procedure. In general, you get a response from the CNIL in the days following your request.
Upon receipt of your receipt, you can then put your file into use, and only from that moment on, on pain of penalties.

Do not forget the notice on the right to access, rectify and delete information

You may have just obtained the CNIL’s authorization to collect data, but you must still respect an essential rule: the right to access, rectify and delete the information collected. Indeed, each individual present in your file must be able to assert this right and be informed of it by means of a specific legal notice. To help you, the CNIL provides various templates on its website.

What are the risks involved?

In the event of non-compliance with one or more of the obligations relating to computer data and individual freedoms, you expose your company to heavy penalties. For the majority of offenses in this area, the penal code provides for sentences of up to 5 years in prison and fines of up to 300,000 euros.

Be careful!
