What is GDPR?
Location, browsing history, name, IP address … all this information is personal data. Because it is very easily accessible, it can be collected, exploited, in short processed, by third parties for various purposes. Since this data reveals much about a person, its processing can have a direct impact on his or her freedom and fundamental rights. This is why the General Data Protection Regulation (GDPR) was adopted by the European Union. The text is part of a movement toward transparency and the protection of individuals. Under this Regulation, the players will not only have to ensure the security of the processing of personal data, but also be able to prove their compliance with these new provisions.
The means to protect
The GDPR, which will take effect on May 25, 2018, is intended to ensure that individuals whose data is processed have previously received clear, comprehensible, and accessible information on the processing methods, the consequences of applying them, and their rights, so as to implement the principle of informational self-determination.
- Information on processing can be given in several forms: written, oral or electronic; however, if the information is oral, the data controller must provide evidence that the information was provided, which in fact implies that the individual has signed a document certifying this.
- As for the content of the information, the mandatory information varies depending on the processing carried out. It concerns those involved in the processing, their methods, the rights of the person whose data is processed, and the methods to transfer data outside the European Union. The GDPR strengthens the information requirement compared with previous legislation (Information Technology and Freedoms Law) by adding mandatory information (Articles 13 and 14).
The new regulation emphasizes the guarantees that surround the consent of individuals. Consent is mandatory and must precede the processing of their data, and it must meet several conditions to be considered granted.
- It must be obtained in writing (paper or electronic form). It is up to the data controller to provide proof that consent was granted.
- The GDPR states that consent must meet four characteristics:
  - It must be flexible, i.e. it can be withdrawn at any time, without constraint.
  - It must be specific, in other words given only for a data processing operation whose purpose is defined, and not in general terms.
  - It must be clear, which means that it must contain explicit and comprehensible information.
  - And it must be unambiguous, i.e. not raise questions as to its content or scope, which guarantees that the data controller can prove total compliance with the GDPR.
For companies, this regulation may appear burdensome and costly to implement in terms of money, time and energy. In reality, it must be seen as a tool that will generate the trust of users, who will be more willing to rely on a company that is accountable and respectful of the rules for data processing than on a competitor who ignores these recommendations.
ALATIS is ready to assist you in your compliance with GDPR. To contact us: firstname.lastname@example.org.
Anne DESMOUSSEAUX, Founding Partner, Lawyer, European Trademark & Design Representative