GDPR – final stretch!

May 3rd, 2018
Updated on May 21st, 2018

The GDPR [1] takes effect on May 25, 2018. As of this date, all of your personal data processing operations, ongoing or future, that fall within its scope will need to be fully compliant with this fundamental regulation.

  • The GDPR applies to the processing of information that allows an individual to be identified, directly or indirectly (names, images, sounds, telephone numbers, IP addresses, location data, trackers, comments, profiles, etc.),
  • The GDPR applies to companies, associations, public bodies and individuals (except in the case of a strictly personal or domestic activity), which:
    • have an establishment in the territory of the European Union, or
    • process personal data relating to individuals located in the EU territory either in connection to an offering of goods or services to them, or to monitor their behavior within the EU.

To determine if you offer goods or services to individuals located in the EU territory you can rely on a number of factors such as: the language of the offering being one of the languages currently used in the member states, the use of the euro currency or, when applicable, the targeted advertising on your website.

Regulatory context:

The GDPR is supplemented by national legislation in each EU member state (although to date, only 4 states have adopted specific legislation implementing the GDPR; in France, the law n° 78-17 of January 6, 1978, known as “informatique et libertés”, is undergoing a controversial reform, with a final version voted on May 14 by the National Assembly and immediately challenged by 60 senators before the Constitutional Council). A second European regulation (ePrivacy) will address more specifically the processing of electronic communications data – content and metadata – by internet players: internet service providers, OTT (messaging application providers, VoIP, e-mail, etc.), users of cookies and trackers, and in some cases the Internet of Things and Machine-to-Machine communications players. Penalties for breach will be aligned with those provided in the GDPR. This regulation was also planned to take effect on May 25, 2018 but its negotiation is currently blocked at the member states’ level.

The GDPR focuses on the accountability of the various data processing players. The previous system, which was based on legal formalism, has been abandoned in favour of a system where each player must systematically assess the compliance of its data processing operations and demonstrate the measures it has taken. In some cases, it will be necessary to keep a record (I) and / or appoint a data protection officer (II). Some data processing operations will be subject to a prior impact assessment (III). In any case, each player must systematically ensure observance of a number of principles, including the lawfulness, fairness and transparency, the proportionality and the security of the data processing (IV). Infringements may trigger severe liabilities and fines (V).

I. Check if you need to keep a record

Whether you are a controller or a processor, you will probably need to keep a record of your data processing activities. The Regulation provides for an exception in favour of entities employing fewer than 250 people; however, it only applies when their processing of personal data:

  • is not likely to result in a risk to the rights and freedoms of the data subjects,
  • is occasional, and
  • does not include data deemed “sensitive” or data relating to criminal convictions and offences.

Thus, even if your company employs fewer than 250 people, you will be required to keep a record if it processes personal data on a regular basis (for example, to manage subscribers to an online content service).

This obligation is more than a mere formality, insofar as it encourages each player to have a good understanding of the data processing operations it carries out and of their implications. The record must include for instance: the categories of data processed and persons concerned, the recipients of the data, the duration of the processing, etc.

Its content differs slightly for controllers and processors. Thus, if you do not undertake the same role in respect of all the data processing activities that you carry out, you will need to keep two records.

NB The data controller is the one who determines both the purposes and means of data processing. Conversely, the one who processes personal data on behalf of a client is a data processor. For example, a company offering targeted advertising services will be described as a processor when it processes its client’s data to promote its client’s products. But when the same company decides to use the same data to promote other products, it will be considered a controller for such purpose.

The controller and the processor enter into a contract detailing their respective rights and obligations. The French data protection authority (CNIL) has published a template of contractual clauses pending the adoption of standard clauses within the meaning of Article 28.8 of the Regulation.

The record must contain the following information:

If you are a controller:

  • your name and contact details and, where applicable, those of the joint controller, of your representative and of the DPO, and
  • the purposes of the processing and, where possible, the envisaged time limits for erasure of the different categories of data, and
  • a description of the categories of data subjects and of the categories of personal data processed and the categories of recipients to whom you have sent or will send the data, and
  • where applicable, the transfers of personal data to a third country or international organisation that you will need to identify and, for transfers taking place in the absence of an adequacy decision by the European Commission or of appropriate safeguards, including binding corporate rules, and not comprised in the derogation for the specific situations referred to in Article 49, 1st paragraph, 1st subparagraph of the Regulation, the documentation of suitable safeguards, and
  • where possible, a general description of the technical and organisational security measures implemented.

If you are a processor:

  • the name and contact details of the processor(s) and of each controller on behalf of which you are processing data, and, if applicable, of their representative and the DPO, and
  • the categories of data processing carried out on behalf of each controller, and
  • where appropriate, the transfers of personal data to a third country or an international organization that you will need to identify and, for transfers taking place in the absence of an adequacy decision by the European Commission or of appropriate safeguards, including binding corporate rules, and not comprised in the derogation for the specific situations referred to in Article 49, 1st paragraph, 1st subparagraph of the Regulation, the documentation of suitable safeguards, and
  • to the extent possible, a general description of the technical and organisational security measures implemented.

The CNIL has published a template of record of processing activities that gives a good indication of the steps to be taken to comply with the Regulation.

The record may be kept in electronic form. It is made available to the supervisory authority upon request.

To know more:

  • GDPR, Article 30
  • Record of processing activities template proposed by the CNIL (in French).

II. Check if you need to appoint a Data Protection Officer (“DPO”) 

In your capacity as controller or processor, you may also be required, or wish, to appoint a DPO.

The obligation to appoint a DPO concerns:

  • entities the core activities of which lead them to carry out regular and systematic monitoring of data subjects on a large-scale,
  • entities the core activities of which consist of processing on a large scale data deemed “sensitive” or data relating to criminal convictions and offences, and
  • public authorities and public bodies.

For example, an online advertising agency using data mining to refine its knowledge of the end customer will be required to appoint a DPO.

National legislation can impose other cases of compulsory designation of a DPO.

In all other cases the designation of a DPO is optional. However, appointing a DPO is strongly recommended in practice, since the DPO's role is to provide data processing players with real, tailored, long-term support.

The DPO has a role of:

  • information and advice on your data protection obligations (including those relating to impact assessments),
  • monitoring the compliance of your data processing activities with applicable regulations, and
  • privileged contact and cooperation with the supervisory authority.

If you appoint a DPO, either on a compulsory or on a voluntary basis, you will need to have him/her involved properly and in a timely manner in all data protection matters to enable him/her to carry out his/her tasks.

The DPO can be an employee of the company or a service provider.

He must be designated on the basis of his expert knowledge of data protection law and practices. His level of expertise must be adapted to the complexity of the data processing activities contemplated. There is no standard profile for the DPO, who can come from the technical or the legal sectors or other sectors.

If you choose to appoint one of your employees as DPO, you must guarantee his ability to communicate directly with the management for the exercise of his duties, as well as his independence, disciplinary immunity and access to specific professional training.

Appointing an attorney-at-law as a DPO can be of interest to the extent that, on the one hand, he/she is subject to strict professional rules, including absolute attorney-client privilege and absence of conflicts of interest, and on the other hand, he/she benefits from substantial third-party liability insurance coverage (up to € 4 million per claim for Parisian lawyers).

In any case, you must be vigilant and gather all the necessary information before entrusting the keys to your personal data processing to a third party. The CNIL has issued numerous warnings against deceitful offers from individuals or companies promising “turnkey compliance” with the GDPR. Note that if you implement non-compliant data processing solutions as a result of recommendations of a non-diligent or inadequately prepared DPO, you will be solely responsible to the authorities. The DPO may only incur criminal liability for intentional violations of the criminal law provisions of the data protection laws.

You can appoint your DPO online on the CNIL website.

To know more:

  • GDPR, articles 37 to 39
  • CNIL’s page dedicated to the designation of the DPO (in French).

III. Before any data processing, remember the data protection impact assessment (“DPIA”)

The obligation to carry out a prior impact assessment is imposed on data controllers who plan to implement a data processing that is likely to result in a high risk to the rights and freedoms of the data subjects, including their right to privacy.

The impact assessment is required especially when the data processing involves:

  • systematic and extensive evaluation of personal aspects of individuals based on automated processing, including profiling, and on the basis of which decisions are made that produce legal effects on the individuals or significantly affect them in a similar way,
  • the large-scale processing of data deemed “sensitive” (relating to biometrics, health, sexual preferences, racial or ethnic origin of the data subjects, etc.) or relating to criminal convictions and offences,
  • systematic monitoring of a publicly accessible area on a large-scale.

For instance, a DPIA should be performed for a service based on the geographical location of users, distributed and adopted massively by the public, with data being collected and sent to a remote server.

For predictability and transparency reasons, each supervisory authority must make public a list of the kinds of processing operations that are subject to the impact assessment requirement. The CNIL has also announced the forthcoming publication of a list of types of data processing exempted from the requirement.

In the meantime, you should assess your contemplated data processing operations against the nine criteria established by the G29 (“Article 29” Working Party of the European supervisory authorities):

  • the evaluation or scoring, and / or
  • the automated decision-making with legal or similar significant effect, and / or
  • the systematic monitoring, and / or
  • the processing of sensitive data or data of a highly personal nature, and / or
  • the large scale processing of data and / or
  • the matching or combining of data sets, and / or
  • the processing of data concerning vulnerable data subjects, and / or
  • the innovative use or application of new technological or organizational solutions, and / or
  • if data processing in itself prevents the persons concerned from exercising a right or benefiting from a service or a contract.

It is generally considered that whenever a contemplated data processing meets at least two of these criteria it must be subjected to an impact assessment. But sometimes the presence of a single criterion can be sufficient.

In practice, given the need to document your compliance efforts, it is advisable to carry out an internal risk assessment for each data processing envisaged and to carry out formal impact assessments as soon as the processing corresponds to at least one of the nine criteria mentioned above.

The impact assessment must contain at least a systematic description of the processing operations intended and their purpose, their necessity, their proportionality, an assessment of the risks to the rights and freedoms of the data subjects and the measures planned to avoid the risks.

If your DPIA indicates that the desired data processing would result in a high risk to data protection, you will have to consult the supervisory authority (in France, the CNIL) prior to any processing. The latter will issue a written notice within 8 weeks and you will be bound by the recommendations it may contain.

If you are a processor, you will have the obligation, per your contract with the controller, to help the latter to carry out the DPIA by providing all necessary information.

To know more:

  • GDPR, Article 35
  • CNIL’s page dedicated to the DPIA (in French).
  • Impact analysis tool (in French), downloadable here.

IV. In any event,

4.1 make sure that the data processing is lawful

This obligation concerns the controller.

Contrary to popular belief, you do not have to systematically collect the consent of the data subjects for the processing of their personal data to be lawful with regards to the GDPR (just as you did not have to do so under the previous regime resulting from Directive 95/46).

You may rely on any of the other legal bases set out in Article 6 of the Regulation, if you meet the corresponding requirements.

You are exempted from collecting the data subject’s consent when the data processing implemented is necessary:

  • for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract,
  • for you to comply with a legal obligation to which you are subject,
  • for protecting the vital interests of the data subject or other individual, or
  • for the performance of a task carried out in the public interest or in the exercise of public authority vested in you, or
  • for the purposes of the legitimate interests that you, or a third party, pursue, unless they are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

For example, when an online content provider collects and combines the data of its subscribers referred to in Article 5 of the regulation of 14 June 2017 to check their state of residence, or when it processes their location data when they travel within the EU territory to grant them access to their contents, collecting the consent of the data subjects is not necessary.

It should be noted, however, that these bases are subject to strict interpretation and that, according to G29, the legal basis of any data processing must be chosen before its implementation, without any possibility to change after it starts. It is therefore a must to carry out a serious and careful assessment from the beginning.

If none of the alternative grounds seems accessible, then you must collect the consent of the data subjects.

For example, consent will be required for a mobile phone application to collect data from a data subject for behavioural advertising purposes, if the profiling is not necessary for the performance of a contract with the data subject.

But be careful with consent, which must be freely given and possible to withdraw at any time.

If you make the provision of a service to an individual under a contract entered into with him/her (for example, providing updates to a connected object) conditional on his/her consenting to a data processing that is not strictly necessary to perform that contract, then the consent obtained will not be valid. Conversely, if the processing is limited to the data necessary to perform the contract, then its legal basis will not be the consent, but the contract.

When your data processing is based on the consent of the data subject, the consent request must be:

  • presented in a written or oral form clearly distinguishing it from other items, and
  • intelligible, and
  • easily accessible, and
  • formulated in clear and plain language.

To be valid, your consent request needs to:

  • be independent of other terms and conditions that you propose, and
  • propose granular options to be agreed separately for each different type of data processing, rather than for bundled processing purposes, and
  • identify exactly which organizations and third parties need the consent without using categories of organizations.

For example, consent will not be valid if obtained by a general request such as: “By subscribing to our service you agree with us using your data for any purpose that we may deem necessary”.

You must inform each data subject of his/her right to withdraw the consent given and explain how to proceed. In principle, the consent should be as easy to withdraw as it was to give.

Note the importance of keeping records to prove the consent collected, by specifying when and how each person gave or withdrew his/her consent, and what information you had provided to obtain consent.

As no legal “expiry date” has been provided, the G29 recommends periodically renewing consent.

  • Specific area of concern: personal data relating to children

For minors under 16, consent must be collected from the holder of parental responsibility. National laws can lower this “digital age of majority” to as low as 13 years.

In France, the law finally voted by the National Assembly lowered the “digital age of majority” to 15 years, with a mechanism of double consent by children and their parents below 15. The outcome is now in the hands of the Constitutional Council.

In the United States, where COPPA (Children’s Online Privacy Act) protects the online privacy of children under the age of 13, researchers at the University of Berkeley recently revealed in a study performed on almost 6,000 Android apps referenced for download on Google Play Store in the category “Designed for Families” a multitude of irregular practices, including the lack of consistent means for obtaining parental consent, both for the collection of data of their children, and for the transfer of such data to advertising agencies. Interestingly enough, applications that were subject to voluntary Safe Harbor certification generally had the same irregularities in data transfer as non-certified ones.

To know more:

  • GDPR, articles 6 to 8
  • G29 guidelines on consent (version submitted for consultation, in English)

4.2 ensure the data is properly used

Under the GDPR, the controller must ensure, and be able to prove, that the personal data processed by itself or on its behalf is: adequate, relevant, proportionate and accurate, collected for specified, explicit and legitimate purposes, and processed fairly and in a transparent manner.

A few details on these requirements below:

  • The data processed must be adequate, relevant and proportionate

This means that you will have to adjust the nature and the amount of personal data that you intend to process to the legitimate aims pursued.

Example: a flashlight application for mobile phone should not have access to all of the information stored in the mobile phone.

  • The data processed must be accurate and, where necessary, kept up to date

This means that you must take all reasonable measures to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.

You can either leave it to the data subject to modify or delete the data at his/her will (subject to the compliance with your legal obligations, as the case may be), or ask him/her from time to time about a potential change of situation.

  • Data must be collected for specified, explicit and legitimate purposes

For each data collection operation, you will need to determine its specific purpose(s), to assess its legitimacy in particular with regard to the legal basis of the data processing and the rights and freedoms of individuals, and be able to clarify the purpose(s) to all.

Example: recruitment management, client management, satisfaction survey, premises monitoring, etc.

  • Data must be processed fairly and in a transparent manner

This means that you will not be able to use the personal data for secondary, unforeseen or dissimulated purposes.

Example: the use of a connected toy must not allow the manufacturer to process the data collected by the application of the toy without the explicit consent of the data subject / of the holder of parental responsibility.

4.3 ensure the security of personal data

This obligation has a different scope depending on whether you act as a controller or a processor.

  • First of all, for data controllers it implies the need to take the appropriate technical and organizational measures to protect the data by design and by default.

This reflects the following principles:

– “privacy by design”, which requires considering the implications in terms of protection of the personal data, and particularly in terms of risks for the rights and freedoms of individuals, from the technical and functional design stage of any product or service based on the processing of personal data or which processes personal data to fulfil its task (e.g. by minimizing the data collected and applying pseudonymisation as soon as possible), and

– “privacy by default”, ensuring that, by default, only the data which is necessary for the specific purposes is processed. The necessity is assessed in relation to the amount of data collected, the extent of their processing, the duration of their storage and their accessibility (which must, by default, be limited to a defined number of people – e.g. by securing the URLs).

Consequently, to determine the extent of the obligation of protection you will first need to delineate the data processing operations, their respective contexts and implications, then identify the risks, their origin, their probability and the foreseeable impact on the rights and freedoms of the individuals, then identify the existing or contemplated protection measures to comply with the legal requirements for the implementation of the data processing operations and minimize the risks. If you detect a high risk for the rights and freedoms of individuals, you will have to formalize the above-mentioned DPIA.

NB Although processors are not expressly subject to this obligation under Article 25 of the Regulation, they must nevertheless comply with it to the extent necessary to guarantee to the controller that the tools and means of processing that they use observe the requirements in terms of data protection set out in the Regulation.

  • Next, both data controllers and processors are required to take the appropriate technical and organizational measures, taking into account the specificities of the processing (scope, purpose, etc.) and the risks to the rights and freedoms of individuals, to ensure a level of data security appropriate to the risk of data breach.

A data breach is, according to Article 4 (12) of the GDPR, a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The Regulation mentions, among the recommended security measures, the pseudonymisation and the encryption of data, or means to restore the access to the data in cases of physical or technical incident.

The CNIL has published a personal data security guide that groups into several fact sheets the main actions to take to ensure a basic level of security.

It is worth noting the recommendation to use the TLS protocol for secure transmission of data, which a large share of application publishers seem to ignore (according to the US study on Google Play Store mentioned above, 40% of the 5.855 applications for Android aimed at young audiences analysed did not use this standard protocol).

The obligation of security and the obligation of data protection specifically incumbent upon the controller complete each other. The controller and, as the case may be, the processor can use as an element to prove compliance their adherence to a voluntary certification mechanism issued by an approved certification body or by a supervisory authority that they will have duly applied. In addition, the application of a code of conduct approved by the competent supervisory authority can help prove compliance with the security requirement.

  • Finally, in case of data breach, the data controller and the processor have certain obligations to notify it:
    • the processor notifies all data breaches to the controller, as soon as possible after becoming aware of them;
    • the controller notifies the competent supervisory authority (or the lead supervisory authority for violations affecting persons in more than one Member State) without undue delay and if possible within 72 hours, of all data breaches likely to result in a risk for the rights and freedoms of the individuals; it also informs each data subject concerned of breaches likely to result in a high risk to his/her rights and freedoms, except in certain cases (for example, when, after the breach has occurred, measures have been implemented to ensure that the high risk is no longer likely to materialize, or where the communication to each person concerned would require disproportionate efforts and information could be provided by other means, e.g. by means of a public communication).

Given the very short deadlines and specificities of each notification, it is advisable to set up a specific committee for the notification of data breaches, including in particular the DPO and leading members of the IT and system security departments in order to ensure fast and effective response.

Note that the data controller must document all personal data breaches, indicating the factual elements of the breach, its effects and the measures taken to remedy the breach, in order to enable the supervisory authority to assess its compliance. The support from the data processor will be of the utmost importance.

4.4 guarantee the data subjects’ rights on their data

If you are data controller, you must guarantee to the data subjects the exercise of certain rights; your processor (if any) will have to assist you.

These rights are:

  • on the one hand, rights already provided by the data protection law and maintained or reinforced by the GDPR: right of information, of access, of rectification, of objection and right to limitation;
  • on the other hand, rights created by the GDPR: rights of erasure and data portability.

Note that, regarding all these rights, you will have to:

  • always communicate with the person concerned in a concise, transparent, intelligible and easily accessible form, in clear and plain language, especially if it is a child;
  • facilitate the exercise of rights and refuse only those requests for which you can prove that you have not been able to identify the data subject, and
  • respond to requests for the exercise of rights within the deadlines set by the Regulation and free of charge, unless the requests are manifestly unfounded or excessive.

  • Right of information and access

The right of the data subject to be informed about the processing of data concerning him/her is strengthened: the GDPR expands the range of information to provide. Moreover, whenever you collect the data from a third party (a common practice nowadays), you must inform the data subject within a limited timeframe (and in any event, at the latest when first communicating with the data subject).

Information is usually provided in writing (e.g. an information panel for CCTV, an information paragraph on a form), but other modalities are possible, e.g. reading the information in case of data collection by telephone.

The GDPR provides several exceptions from the obligation of informing the data subject, including when the information is already available, when the provision of information would be impossible or would require disproportionate effort, or where the information is covered by professional secrecy.

Under the right of access, you must confirm to the data subject, on request, whether or not you are processing personal data concerning him/her. If you are, you must provide a certain amount of information about the processing and his/her rights in relation to you, as well as a copy of the data that you are processing, in a readable format allowing him/her to verify the conditions of the data processing.

  • Right to rectification

The data subject has the right to obtain from you, as soon as possible, that the personal data concerning him/her which are inaccurate or incomplete are rectified or completed.

For example, you could give the data subject the opportunity to modify the information he/she provided to you directly on your website or application.

  • Right to object to the data processing

Anyone has the right to object, at any time, to the processing of his/her personal data for direct marketing purposes (which implies not only the cessation of further solicitations, but also the cessation of all data processing operations for direct marketing purposes).

In addition, anyone has the right to object, on grounds relating to his/her particular situation, to other data processing, including profiling, based on your legitimate interest or that of a third party, or on a mission of public interest. You may continue to process their data if you demonstrate the existence of compelling legitimate grounds for the data processing, which override the interests, rights and freedoms of the data subject, or for the exercise of legal claims. Otherwise, you will have to cease processing the data.

It should be noted that this right of objection has been framed differently from the one known before the GDPR, which could have been exercised only for legitimate reasons, but regardless of the grounds of the data processing. As for your obligations, they have been enhanced, particularly concerning the information to provide regarding the existence and the extent of the right to object.

France wanted to maintain a general right to object to data processing, which confirms G29’s initial position.

The right to object has been enriched by a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him/her.

Profiling is automated data processing designed to evaluate certain personal aspects for predictive or analytical purposes.

The Regulation does, however, provide for certain exceptions. Thus, when your processing activity involves decision-making based exclusively on automated processing, including profiling, make sure that the decision is either necessary to enter into or perform a contract with the data subject, or is based on his/her express consent, or is legally permitted.

  • Right to restriction of data processing

The data subject has the right to obtain from you the restriction of the processing of his/her data:

  • temporarily, for the time you need to check certain elements (the data accuracy, when challenged by the data subject, or the balance of interests when exercising his/her right to object), or
  • at the request of the data subject, or where it is in his/her interest, in cases where you would otherwise have to erase his/her data.

The Regulation defines restriction as the marking of stored personal data, with the aim of limiting their processing in the future.

For the duration of the restriction, the data processing will be reduced to its storage, unless the data subject consents otherwise, or as required for the limited purposes provided by the Regulation.

In practice, regarding closed information systems, you can proceed by data marking, or by moving the data to another location, so as to make it inaccessible for processing. Regarding information made public, the restriction involves removing it as much as possible from public access.

  • Right to erasure of data (“right to be forgotten”)

In some cases you will have to erase, as soon as possible, the personal data of an individual:

  • if he/she withdraws his/her consent on which the data processing is based,
  • if he/she exercises his/her right to object, when you cannot invoke compelling legitimate grounds,
  • when the data is no longer necessary for the purpose of the data processing,
  • where the data has been unlawfully processed,
  • where the data must be erased under a legal obligation, or
  • when you collected his/her data (in relation to the offer of information society services) when he/she was a child, and he/she wishes to have it deleted.

If you have previously made such data public, you will need to take reasonable steps to inform the other controllers who process it, who will also have to erase it.

Note that this new right, which is not quite consistent with the right to be forgotten created by the CJEU in the Google Spain case, is limited by a series of exceptions, in particular the freedom of expression and information, and that you will need to weigh the interests at stake before erasing the data.

  • Right to data portability

The data subject has the right to receive the personal data provided to you (excluding the data you have enriched), in a structured, commonly used and machine-readable format, and has the right to transmit such data to another controller without hindrance from you. He/she may also ask you to send the data to another controller, provided that there is no technical impossibility (e.g. if you and the receiving controller are using proprietary and incompatible file formats). You will not be required, under the right to portability, to delete the data you have transmitted.

In France, the Senate also wanted to create a right of recovery and portability of non-personal data but this right was omitted in the final version of the law voted by the National Assembly.

4.5 And, in case of data transfer, comply with the specific requirements

The GDPR does not amend as such the rules already applicable as regards the transfer of personal data outside the Union. However, if you have implemented binding rules, you must review them for compliance with the GDPR.

To be lawful, data transfers must:

  • be based on an adequacy decision:

Note that as of 25 May 2018, it will no longer be the Member States that determine which countries are considered to have an adequate level of data transfer protection, but the European Commission.

The European Commission takes the adequacy decision when it considers that a third country ensures an adequate level of protection. This adequacy assessment is reviewed at least every 4 years and the decisions are published in the Official Journal of the EU.

For example: if you want to transfer the personal data you are processing to the US, then you will need to refer to the Privacy Shield, effective as of August 1, 2016. It is a self-certification mechanism for companies established in the US, which has been recognized by the European Commission as providing an adequate level of protection for personal data. You will need to make sure that the certification of the American company is valid (it must be renewed every year) and that it covers the data that you process. To do this, see the Data Protection Shield List posted on the US Department of Commerce website.

  • in the absence of an adequacy decision, benefit from appropriate safeguards and allow the effective exercise of the rights and legal remedies of the data subjects. The appropriate safeguards can be provided by several means, including:
    • binding corporate rules,
    • standard data protection clauses (adopted by the Commission, or adopted by the supervisory authorities and approved by the Commission),
    • a code of conduct or certification mechanism.

Finally, derogations for specific situations may be allowed (for example when you obtain the consent of the data subject or when the transfer is necessary to enter into a contract) if the transfer is not recurrent, or concerns only a limited number of data subjects or, finally, is necessary for the purposes of the compelling legitimate interests pursued by the controller, who must then in all cases inform the supervisory authority of the transfer. This derogation is also possible if you pursue important reasons of public interest.

To know more:

  • Consultation page relating to data transfers on the CNIL website
  • GDPR, Articles 45 to 47

V. Consequences of infringements

One of the main objectives of the Regulation is strengthening trust, both between companies and between companies and individuals. Therefore, an infringement of its rules is first likely to impact your reputation, nationally and internationally.

In addition, infringements expose you to legal proceedings by authorities and data subjects.

National supervisory authorities, including the CNIL, have extensive powers:

  • of investigation (obtain communication of information, conduct investigations or data protection audits, access data, premises, equipment…), and
  • of injunction and sanction (warnings, reprimands, orders to comply, orders to rectify or erase, limitations or bans of data processing, withdrawal of certifications, administrative fines, etc.).

The GDPR sets out the general conditions for imposing administrative fines, which will have to be not only effective but also proportionate and dissuasive. They may amount to up to EUR 20 M or, in the case of companies, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, depending on the nature of the breach of the Regulation.

Note that your good behavior once found in breach of the Regulation (e.g. the fact of carrying out a security due diligence subsequent to the resolution of a data breach) is appreciated by the CNIL and could allow you to benefit from lighter penalties.

In France, the Senate wanted to use the fines awarded by the CNIL to help finance supporting measures for the data controllers to achieve compliance of their data processing operations; however, this proposal did not make it into the final version of the law.

The European Data Protection Board, the EU body bringing together the heads of the supervisory authorities of each Member State, and replacing the G29 as of May 25, 2018, acts as a regulator: it ensures the coherence of the interventions of the various national supervisory authorities and settles disputes when the authorities find themselves in a position of extraterritoriality or “shared territoriality” (where the parties to the dispute belong to different Member States). It ensures compliance with the Regulation in the context of the most important decisions taken by the supervisory authorities, for example with regard to impact assessments.

The data subjects can initiate class actions: such actions, already provided for in French law, can currently only seek to terminate the breach, such as by stopping unlawful data processing operations.

Class action is only possible when all of the conditions below are met:

  • more than one individual,
  • experiencing a similar situation,
  • suffering damages resulting from the same cause,
  • which constitutes a breach of the provisions of the data protection act (and soon the GDPR),
  • of the same nature,

by a data controller or a data processor.

The Regulation does not impose any compensation for the damage suffered (Articles 79, 80 and 82): this possibility has been left to the discretion of national legislation.

In France, the final version of the data protection law allows compensation to be sought for damages caused by infringements of the GDPR by means of a class action, but the class action would be limited to the sole reparation of damages resulting from events that occurred after the GDPR became effective.


In conclusion, given the complexity of the requirements outlined above, efficient organization is of the essence.

You will need to, for existing and new data processing operations, if this is not already done:

  • identify the internal and external collaborators able to steer compliance, so as to have at your disposal at all times the full range of necessary skills: legal, technical, operational;
  • where appropriate, designate a DPO;
  • where appropriate, set up a record of data processing activities;
  • identify your needs in terms of data processing and map current and planned data processing operations;
  • analyze each data processing operation against the relevant legal, technical and organizational criteria in order to list the necessary adaptations for compliance or, if that is not possible, the measures to be taken to restrict its scope;
  • evaluate and validate the necessary compliance measures;
  • implement the measures that were validated;
  • repeat the last steps for each change in the data processing operations that you carry out.

It is strongly recommended that you set up tools (fact sheets, notes, instructions) and processes (monitoring, information, consultation, decision-making, etc.) both for the initial compliance and for its maintenance.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data