MAIN PRINCIPLES OF DATA LAW
A natural person can be identified through their data:
• Directly: the natural person will be identified by his surname, first name, address, etc.;
• Indirectly: the natural person will be identified in particular by his telephone number, his license plate, his postal or email address (unless the email address contains the surnames and first names), his credit card number, etc.
This identifying data is classified as personal data and is regulated by the Data Protection Act and by the General Data Protection Regulation (GDPR).
1) The common law regime for personal data
Personal data consists of any information relating to a natural person. A natural person is a human being born alive and viable, which allows him to acquire legal personality and therefore to have rights and duties.
A person is sometimes identified from a single piece of data, such as a name, and sometimes by cross-referencing several pieces of data (telephone number, credit card number, magnetic transport card, etc.).
On the other hand, data concerning a legal person does not constitute personal data. A legal person is a company, an association, an administration, etc.
2) Sensitive personal data
Sensitive personal data is data revealing:
• Racial or ethnic origins,
• Political opinions,
• Religious or philosophical beliefs or trade union membership,
• Genetic data,
• Biometric data for the purpose of uniquely identifying a natural person,
• Health data or data concerning sexual life or sexual orientation.
This data is classified as sensitive and cannot be collected unless:
• The data subject has given express consent,
• The information is manifestly made public by the data subject,
• Data is necessary to safeguard human life,
• The use of data is justified by the public interest and authorized by the CNIL,
• The data concerns the members or adherents of an association or a political, religious, philosophical or trade union organization.
Information concerning offenses or convictions is not classified as sensitive data. However, it benefits from specific protection. As such, only the courts and certain public authorities can use it, as can the victim in the context of the defense of her rights.
The General Data Protection Regulation (GDPR) introduces a balance between the necessary management of data by administrations and companies and the protection of the privacy of the persons concerned. The regulations on personal data therefore follow several principles aimed at ensuring that this balance is respected.
Processing can only be based on consent, contractual necessity, a legal obligation, the safeguarding of human life, a public interest, or a legitimate interest of the controller.
On the purposes and identity of the data controller as well as any other information necessary to ensure fair data collection
The data must be adequate, relevant and limited, and must be necessary for the purpose.
4) Respect for the purpose
The purpose must be explicit, legitimate and determined. Further processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes is presumed to be compatible.
This is the obligation to adopt appropriate technical and organizational measures with regard to the risk incurred and the nature of the personal data.
6) Responsibility / Accountability
It is mandatory for the controller to implement a compliance process including an ethical component.
7) Compulsory appointment of a Data Protection Officer
This obligation is limited to public authorities, to activities requiring regular and systematic monitoring and to activities consisting of large-scale processing of sensitive data.