The General Data Protection Regulation (GDPR) was adopted on April 27, 2016, and has been applicable since May 25, 2018. It represents a major reform of data protection law in Europe. Together with the directive on the prevention and detection of criminal offenses, it forms the “data package” aimed at harmonizing data protection rules, strengthening individuals’ rights and control over their data, and spreading the European concept of data protection through an extraterritorial effect.

As for French law, one of the major changes introduced by the GDPR is the transition from an administrative regime of prior formalities to a regime of overall compliance.

The GDPR applies to the processing of personal data, which refers to any information relating to an identified or identifiable natural person. This includes data that can directly or indirectly identify a person, such as name, identification number, location data, or specific elements of their physical, physiological, genetic, mental, economic, cultural, or social identity. Anonymous data is excluded from the scope of the GDPR, while pseudonymized data remains classified as personal data because it remains linked to the data subject. Purely personal or domestic activities are exempt from the scope of the regulation. French legislators have used the opportunity to introduce specific provisions by holding that the GDPR applies whenever the data subject resides in France, even if the data controller is not established in France.

The data controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. This is the entity that decides on the implementation of processing and assumes responsibility for it. The data processor is defined as the natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. The processor must be distinguished from the data recipient because it is not authorized to use the data for its own purposes or to communicate it to a third party on its own initiative, except as provided for by legislative or regulatory provisions.

Any processing of personal data must comply with the fundamental principles set out in Article 6 of the GDPR. Data is collected for specific, explicit, and legitimate purposes corresponding to the objectives pursued by the data controller. The purpose may involve multiple distinct objectives. The purpose(s) must be specific, explicit, and legitimate. Data must be processed lawfully, fairly, and transparently in relation to the data subject. To be lawful, processing must be based on a legal basis, i.e., meet one of the conditions set out in Article 6 of the GDPR. The individual must consent to the processing, or it must be necessary for:

– the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,

– compliance with a legal obligation to which the controller is subject,

– the protection of the vital interests of the data subject or of another natural person,

– the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The data controller is also subject to an obligation to minimize data. Data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. This principle is also called the principle of proportionality.

Data must be accurate and, if necessary, kept up to date. All reasonable measures must be taken to ensure that inaccurate personal data are erased or rectified without delay.

Data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Data cannot be stored indefinitely but only for a specified duration.

In addition, the data controller must respect the principle of integrity and confidentiality. Data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.

For any processing of personal data to be lawful, it must be based on a legal basis. The consent of the data subjects is given for one or more specific purposes and is one such legal basis. Consent is not a valid legal basis for the processing of personal data in a particular case if there is a clear imbalance between the data subject and the data controller. Consent cannot be freely given if the data subject is unable to refuse or withdraw consent without suffering a detriment. Consent must be given for a specific purpose and in a granular manner. The data subject must have been informed prior to giving consent in order to be able to give it knowingly. Communication must be in clear, accessible, and understandable language. Consent must be given by a clear affirmative act. The data subject has the right to withdraw consent at any time, and it must be as easy to withdraw as to give consent. The processing of data is not lawful if the child is under the age of 16.

Certain data are subject to special protection because they are considered sensitive. These include data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning the sex life or sexual orientation of a natural person. As a principle, the processing of this type of data is prohibited. There are exceptions, however: when the individual has given explicit consent for one or more specific purposes; when the processing is necessary for the performance of obligations and the exercise of rights related to the data controller or the data subject in the field of employment law, social security, and social protection, to the extent that such processing is authorized by Union law, Member State law, or a collective agreement; or when the processing is necessary to protect the vital interests of the data subject or another natural person.

The GDPR introduced a principle known as accountability, often translated into French as the “principle of responsibility.” Article 24 of the GDPR specifies that the data controller must implement appropriate technical and organizational measures to ensure and be able to demonstrate that processing is performed in accordance with the GDPR. The data controller must therefore establish internal rules to ensure compliance with the GDPR. Measures must be defined taking into account the nature, scope, context, and purposes of processing, as well as the risks to the rights and freedoms of natural persons, the probability and severity of which may vary. It is thus a dynamic process of ongoing compliance. This principle is reflected in the definition of data protection and information security policies, the establishment of a register of processing activities and data breaches, and consideration of the principles of accountability.

The GDPR introduces various rights for data subjects, including:

– the right of access to their data,

– the right to rectification,

– the right to be forgotten,

– the right to restrict processing,

– the right to data portability,

– the right to object to processing.

Data circulation is a major concern of the European legislator. While the GDPR addresses this issue within the European Union, it imposes limits on the transfer of data outside the European Union. While transfers within the European Economic Area and the European Free Trade Association are lawful, they are more complex outside of these areas. Some countries have regulations recognized as equivalent by the European legislator. When this is not the case, companies can proceed with data transfers if they establish internal group rules requiring compliance with the GDPR. Thus, with the United States, the European legislator initially recognized the equivalence of American law, then European law reversed this decision before European authorities recognized equivalence between the two systems (following a reform of American law). It is therefore necessary to regularly monitor the state of the law when making international data transfers.

In the event of a GDPR violation, sanctions can amount to €2,000,000 or 4% of the worldwide turnover of the previous financial year, with the higher amount being applicable.

For any questions regarding data protection law, the firm is at your disposal.

Useful links:

CNIL Website: Homepage | CNIL

Study on the Economic Impact of the GDPR: https://www.citigroup.com/global/insights/citigps/financial-consequences-of-the-gdpr#:~:text=The%20study%20finds%20that%20companies,effects%20were%20not%20spread%20evenly.