GDPR compliance is not a state, but a process
The objective of a GDPR compliance project is to achieve a level of protection that is sufficient and adequate in view of the risks, so as to be able to demonstrate at any time, in particular in the event of a security incident, complaint or inspection, that all the necessary measures have been implemented to counter those risks.
It is always possible to further secure your processing operations at the technical, organisational and legal level. Keeping pace with regulatory and organisational changes requires constant updating of internal procedures and policies.
Mapping your processings
What is processing mapping?
A processing map is a guided inventory of all the personal data processing operations carried out by your organisation: which personal data are processed, where they come from, for what purpose and by whom.
Drawing up a processing map is one of the essential starting points for gaining an overall view of the personal data circulating within the organisation.
It also gives employees a better understanding of the personal data processed and of its origin.
What does the GDPR state?
Mapping processing operations is a recommendation of the CNIL (the French data protection authority): it measures the level of GDPR compliance on the basis of, among other things, the information entered in the record of processing activities.
It thus makes it possible to monitor compliance over time, to feed the record of processing activities and to draw up the action plans needed to reach compliance.
The processing map must contain, as a minimum, the information that the record of processing activities must itself contain, in particular:
- the purpose of the processing
- the categories of data
- the data subjects
- the recipients of the data
- the security measures applied to the processing …
Determine the processing’s purpose
What is it?
Determining the purpose of your personal data processing is an essential obligation imposed by the GDPR. The purpose of a processing operation answers the question: why is my company collecting this data?
Thus, collecting data from prospects via a website form is an action whose general purpose may be commercial prospecting and whose specific purpose is to make contact in order to sell a good or a service.
Firstly, the declared purpose of a processing operation sets its boundaries: it is forbidden to process data for purposes incompatible with the initial purposes (purpose limitation).
In addition, the purposes of the processing operations carried out must be declared in the record of processing activities and brought to the attention of the data subjects.
Finally, the duration of data retention depends directly on this purpose. Indeed, it is forbidden to keep personal data longer than is necessary to achieve the declared purpose.
Let us take a typical case of a breach of purpose limitation. Data are collected in order to register a person for a service; the purpose of the collection is therefore the conclusion and performance of a contract.
These data are subsequently used for commercial prospecting. The controller may only use the data for this second purpose if the person was informed of it from the outset and a legal basis exists for it.
Informing customers & employees
Any person whose personal data are processed has the right to obtain from the controller a set of mandatory information concerning the processing operations in question and the rights that person has over his or her data.
In the context of employment relationships, the employer is necessarily a data controller of his employees’ data: both the employment contract and the labour code oblige the employer to process certain data (staff register, payroll, evaluations, etc.).
In its relations with its customers, a company is likewise the controller of their data, even if it is only data relating to the follow-up of the contract.
As employment relations and customer relations are two common and essential areas of processing for companies (in B2C or B2B2C for customer relations), there is a well-established practice of GDPR information notices in these areas.
In the context of employment relationships, the employment contract will contain a short clause relating to data processing and, if necessary, may refer to an information notice and/or an IT charter and/or a personal data and privacy charter.
It is essential that these documents form part of the company's internal rules, are enforceable and are permanently accessible to employees, for example via the company's intranet.
Retain data for an appropriate period of time
What is it?
The GDPR requires the retention of personal data to be limited in time (storage limitation): data may be kept only for as long as is proportionate to the purpose of the processing.
There are 3 types of archiving of personal data:
- Current archiving: the data are retained by the controller because they are still needed for the purpose of the processing. This period may be fixed contractually between the controller and the data subject.
- Intermediate archiving: the data are kept longer than the period initially provided for contractually, because the law establishes a longer period than that provided for in the contract (such as the payroll and tax periods listed below).
- Permanent archiving: some data may not be destroyed at all. This is particularly the case for data of public interest (historical, scientific or statistical archiving).
Some laws set a retention period. In the absence of such a law, the controller is obliged to set a period that is proportionate to the purpose. Once this period has elapsed, the controller must delete or anonymise the personal data concerned.
It should be remembered that the retention period begins when the contractual relationship ends or when the processing operation is completed, not when the data are collected.
Examples of retention periods:
- Data relating to payroll management: 5 years (Article L3243-4 of the Labour Code)
- Personal data of prospects: 3 years if they have not responded to any solicitation for at least 3 years – (CNIL deliberation n°2016-264 of 21 July 2016)
- Data processed by public or private health establishments: 20 years (Article R.1112-7 of the Public Health Code)
- Data relating to personnel management: 5 years (Article R.1221-26 of the Labour Code)
- Tax data: 6 years (Article L102 B of the Tax Procedures Book)
- Electronic contracts: 10 years (Article L213-1 of the Consumer Code)
- Video surveillance data: 1 month (Article L.252-3 of the Internal Security Code)
- Data relating to cookies: according to CNIL deliberation n°2013-378, data collected through cookies may be kept for 13 months from the first deposit of the cookie on the data subject's terminal. The data subject's consent must then be renewed before his or her personal data can be processed again. Note that repeated visits by the user to the same site do not extend this period.
To go further
First of all, it should be remembered that the controller has an obligation to ensure the security of personal data, in order to protect against risks such as loss and technical failure. This obligation is also incumbent on the processor acting on behalf of the controller; to ensure this, a clause setting out the security obligations can be inserted into the processor's contract.
The French authority (CNIL) recommends that traceability systems be put in place for consultations of archived data, and that the storage arrangements depend on the archiving tier. For permanent archiving, it recommends a separate database, independent of the one in everyday use, with access authorised only to a specific department or structure within the company.
For intermediate archiving, the controller may choose the storage means it wishes, provided that it has taken the technical and organisational measures necessary to protect the personal data and has limited access to this storage to a specific department or structure of the company.
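The retention rules above (the clock starts when the relationship ends, a statutory period can extend the contractual one, expired data are deleted or anonymised, permanent archives are never destroyed, and consultations of archives are traced and restricted to a named department) can be turned into a small enforcement job. The following is an added example, not code from the original article or from Data Legal Drive: the categories, periods and legal references are the ones listed above, while the choice of delete versus anonymise per category, the `research` category, the allowed units and the sample records are assumptions constructed for the demo.

```python
"""Retention-tier classifier and archive access log (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Literal, Optional

Action = Literal["delete", "anonymise", "keep"]

# Approximate calendar units; a production system would use calendar-aware arithmetic.
YEAR = timedelta(days=365)
MONTH = timedelta(days=30)


@dataclass(frozen=True)
class RetentionRule:
    period: Optional[timedelta]  # None = permanent archiving, may never be destroyed
    on_expiry: Action            # what to do once the period has elapsed
    reference: str               # legal reference quoted in the article


# Periods from the article's list; the on_expiry action per category is an assumed policy choice.
RULES = {
    "payroll":  RetentionRule(5 * YEAR, "delete", "Art. L3243-4 Labour Code"),
    "prospect": RetentionRule(3 * YEAR, "anonymise", "CNIL deliberation 2016-264"),
    "cctv":     RetentionRule(1 * MONTH, "delete", "Art. L.252-3 Internal Security Code"),
    "research": RetentionRule(None, "keep", "public-interest archive"),  # assumed category
}


@dataclass
class Record:
    record_id: str
    category: str
    ended_on: Optional[date]  # end of relationship / last contact / recording date; None = still active


def tier(rec: Record, today: date) -> tuple[str, Action]:
    """Classify a record into the article's archiving tiers as of `today`.

    current      -> still needed for the purpose (relationship not ended)
    intermediate -> purpose fulfilled, kept only for the statutory period
    permanent    -> may not be destroyed; belongs in a separate, restricted archive
    expired      -> period elapsed: delete or anonymise
    """
    rule = RULES[rec.category]
    if rec.ended_on is None:
        return "current", "keep"
    if rule.period is None:
        return "permanent", "keep"
    # The retention clock starts when the relationship ends, not at collection.
    if today < rec.ended_on + rule.period:
        return "intermediate", "keep"
    return "expired", rule.on_expiry


def run_retention_job(records: list[Record], today: date) -> dict[str, list[str]]:
    """Return the record ids that must be deleted and those that must be anonymised."""
    out: dict[str, list[str]] = {"delete": [], "anonymise": []}
    for rec in records:
        _, action = tier(rec, today)
        if action != "keep":
            out[action].append(rec.record_id)
    return out


@dataclass
class ArchiveAccessLog:
    """Traceability of consultations of archived data (CNIL recommendation).

    Only a named department may open intermediate or permanent archives; every
    attempt, granted or denied, is written to the log. Active data are not an
    archive and are refused here so that the log only covers archive access.
    """
    allowed_units: frozenset = frozenset({"legal", "hr-archives"})  # assumed departments
    entries: list[tuple[str, str, str, str, str]] = field(default_factory=list)

    def consult(self, who: str, unit: str, rec: Record, today: date) -> bool:
        current_tier, _ = tier(rec, today)
        granted = current_tier in ("intermediate", "permanent") and unit in self.allowed_units
        self.entries.append((today.isoformat(), who, unit, rec.record_id,
                             "granted" if granted else "denied"))
        return granted


# Constructed sample data for the demo.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("p1", "payroll", date(2018, 1, 1)),   # 5 years elapsed -> delete
    Record("p2", "payroll", date(2021, 1, 1)),   # within statutory period -> intermediate
    Record("l1", "prospect", date(2020, 3, 1)),  # 3 years since last contact -> anonymise
    Record("l2", "prospect", None),              # still in contact -> current
    Record("c1", "cctv", date(2024, 5, 10)),     # recorded 22 days ago -> intermediate
    Record("r1", "research", date(2010, 1, 1)),  # permanent archive -> keep
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.record_id, rec.category, *tier(rec, SAMPLE_TODAY))
    print(run_retention_job(SAMPLE_RECORDS, SAMPLE_TODAY))
```

The job only decides; the actual deletion or anonymisation, and the move into a separate archive database, are left to the storage layer so that the decision can be reviewed and logged before anything irreversible happens.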
Choose a legal basis
What is it?
Any processing of personal data must have a legal basis.
Unlike the purpose of the processing, which states the business objective, the legal basis is the legal title: the reason that authorises your company to process these data.
Please note: as the legal bases for processing an individual's data are listed exhaustively in the GDPR, it is important to identify the appropriate legal basis, and to refrain from processing the data if no legal basis exists or if it no longer exists.
This could be, for example, the consent of the individual, or the requirements of the performance of a contract.
The lawful basis for processing must be made known to the data subject, and included in the record of processing activities to demonstrate that personal data is processed with respect for
Example: your company processes data because the processing is necessary for the performance of a contract.
When the contract and the applicable limitation periods expire, the legal basis ceases to exist, so your company must delete the data concerned. The only way to continue processing them, for example for marketing purposes, is on a new legal basis, such as asking the individual for consent to that further processing.
To go further
The legal bases listed by the GDPR are the following; processing is lawful where it:
- has been consented to by the data subject
- is necessary for the performance of a contract to which the data subject is party, or for pre-contractual steps taken at the request of the data subject
- is necessary for compliance with a legal obligation to which the controller is subject
- is necessary to protect the vital interests of the data subject or of another natural person
- is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject, in particular where the data subject is a child
Where personal data are so-called “sensitive”, Article 9 of the GDPR lists the specific, stricter legal bases that may be chosen for the processing of such sensitive data.
The collection of GDPR consent
What is GDPR consent?
Consent of the data subject is one of the legal bases provided for by the General Data Protection Regulation. It authorises the implementation of a personal data processing operation and can be collected in different ways (checkbox, handwritten signature, etc.).
The GDPR defines the consent of the data subject as "any freely given, specific, informed and unambiguous indication of his or her wishes by which the data subject signifies his or her agreement to personal data being processed".
What are the changes in the GDPR regarding data subjects’ consent?
The GDPR has not fundamentally changed the notion of consent of data subjects, but rather consolidated its definition by adding safeguards, including:
- The right to withdraw: the data subject may withdraw his or her consent whenever he or she wishes
- Proof of consent: the controller must be able to demonstrate at any time that the person has consented (Article 7(1) of the GDPR)
- Explicit consent: for certain processing operations, notably the processing of sensitive data (Article 9), consent must be explicit, i.e. manifested by an express statement. This requires the controller to implement specific mechanisms to obtain such consent
- Consent of minors: in France, a minor under 15 years of age cannot consent alone to the processing of his or her personal data; the consent of the holder of parental authority is required together with that of the child. This age varies between Member States, from 13 to 16 years
How to collect GDPR consent?
The GDPR imposes 4 cumulative criteria for a valid request for consent:
- Free: the data subjects must be free to accept or refuse the processing concerning them; consent must not be coerced or influenced, and refusal must not carry a penalty
- Specific: consent must relate to a specific purpose. Where a processing operation pursues several purposes, the data subject must be able to consent to each of them separately
- Informed: before consenting, the data subject must have received certain information from the controller: the identity of the controller, the purposes pursued, the categories of data collected, the existence of the right to withdraw consent, and whether the data are transferred to a country outside the EU
- Unambiguous: consent must be clearly expressed. The following do not constitute unambiguous consent: pre-ticked boxes; grouped consents (a single consent instead of several separate ones); inactivity (for example, the absence of a response to an email is not consent)
Let us take a typical case of vitiated consent. A person subscribes to a service and has to provide personal information to do so. On the face of it, the data will only be used to conclude and perform the service contract. However, profiling is also carried out in order to send marketing information to subscribers.
This purpose is stated only in an information notice that the individual is made to accept by ticking a box "I consent to the processing of my data". The notice itself is not referenced at the point of consent; the person would have to contact the controller to obtain it.
In such a case, the person has not genuinely consented to the processing of his or her data for marketing purposes, so that processing is unlawful.
To go further
The case of withdrawal of consent
Article 7(3) of the GDPR gives the data subject the right to withdraw consent at any time, and withdrawing consent must be as easy as giving it. Withdrawal does not affect the lawfulness of processing carried out before it. The controller is obliged to inform the data subject of this right before collecting consent.
Consent was already enshrined in the French Data Protection Act, but the GDPR has strengthened the conditions for obtaining it, including the right to freely change one's mind about the processing of one's data by the controller.
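The four validity criteria, the proof-of-consent obligation of Article 7(1) and the withdrawal right of Article 7(3) described above translate into a consent ledger that rejects invalid requests at collection time, stores the evidence, and answers "may I process this person's data for this purpose at this moment?" in a way that keeps pre-withdrawal processing lawful. The following is an added example, not code from the original article or from Data Legal Drive; the `ConsentLedger` class, its method names, the notice item names, the purposes and the subject ids are assumptions constructed for the demo.

```python
"""Consent ledger: validation, proof and withdrawal (added example)."""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Callable, Optional

# Information the subject must have before consenting ("informed" criterion).
# Item names are assumed; they mirror the list in the article.
REQUIRED_NOTICE_ITEMS = frozenset({
    "controller_identity", "purposes", "data_categories", "right_to_withdraw", "non_eu_transfers",
})


class InvalidConsent(ValueError):
    """Raised when a consent request does not meet the GDPR criteria."""


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str              # exactly one purpose per event ("specific")
    given_at: datetime
    notice_version: str       # the information notice shown at collection time
    method: str               # how it was collected: "checkbox", "signature", ...
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._notices: dict[str, frozenset] = {}
        self._events: list[ConsentEvent] = []

    def publish_notice(self, version: str, items: set) -> None:
        """A notice can only be relied on if it carries every mandatory item."""
        missing = REQUIRED_NOTICE_ITEMS - set(items)
        if missing:
            raise InvalidConsent(f"notice {version} lacks {sorted(missing)}")
        self._notices[version] = frozenset(items)

    def record(self, subject_id: str, purposes: list, given_at: datetime, notice_version: str,
               method: str, *, pre_ticked: bool = False, affirmative_action: bool = True,
               refusal_possible: bool = True) -> ConsentEvent:
        # free: the subject must be able to refuse
        if not refusal_possible:
            raise InvalidConsent("consent is not freely given if refusal is impossible")
        # specific: one consent per purpose; bundled consent is rejected
        if len(purposes) != 1:
            raise InvalidConsent("one consent per purpose; bundled consent is not valid")
        # informed: the subject must have seen a complete, published notice
        if notice_version not in self._notices:
            raise InvalidConsent(f"notice {notice_version} was never published or shown")
        # unambiguous: pre-ticked boxes and inactivity do not count
        if pre_ticked or not affirmative_action:
            raise InvalidConsent("pre-ticked boxes and inactivity are not consent")
        event = ConsentEvent(subject_id, purposes[0], given_at, notice_version, method)
        self._events.append(event)
        return event

    def withdraw(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """Withdraw consent (Art. 7(3)); returns False if there was nothing to withdraw."""
        for i, ev in enumerate(self._events):
            if ev.subject_id == subject_id and ev.purpose == purpose and ev.withdrawn_at is None:
                self._events[i] = replace(ev, withdrawn_at=at)
                return True
        return False

    def may_process(self, subject_id: str, purpose: str, at: datetime) -> bool:
        """True if unwithdrawn consent for this purpose covered the moment `at`.

        Processing done before withdrawal stays lawful, so the check is time-based
        rather than a simple "currently consented" flag.
        """
        return any(
            ev.subject_id == subject_id and ev.purpose == purpose
            and ev.given_at <= at and (ev.withdrawn_at is None or at < ev.withdrawn_at)
            for ev in self._events
        )

    def proof(self, subject_id: str, purpose: str) -> list:
        """Evidence the controller can produce on request (Art. 7(1))."""
        return [ev for ev in self._events if ev.subject_id == subject_id and ev.purpose == purpose]


def utc(stamp: str) -> datetime:
    """Parse an ISO timestamp as UTC (helper for the demo)."""
    return datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)


def is_rejected(fn: Callable, *args, **kwargs) -> bool:
    """True if the call is refused by the ledger's validation."""
    try:
        fn(*args, **kwargs)
    except InvalidConsent:
        return True
    return False


def demo() -> ConsentLedger:
    """Constructed scenario: one valid consent for a single purpose, later withdrawn."""
    ledger = ConsentLedger()
    ledger.publish_notice("v1", set(REQUIRED_NOTICE_ITEMS))
    ledger.record("alice", ["newsletter"], utc("2024-01-10T09:00:00"), "v1", "checkbox")
    ledger.withdraw("alice", "newsletter", utc("2024-03-01T12:00:00"))
    return ledger


if __name__ == "__main__":
    ledger = demo()
    print(ledger.may_process("alice", "newsletter", utc("2024-02-01T00:00:00")))  # before withdrawal
    print(ledger.may_process("alice", "newsletter", utc("2024-04-01T00:00:00")))  # after withdrawal
    print(ledger.proof("alice", "newsletter"))
```

The ledger records the notice version and collection method alongside the timestamp because that is what the controller will be asked to produce during an inspection; storing only a boolean "consented" flag would not let it demonstrate that the consent was informed or how it was given.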
Is consent required for every processing operation?
The GDPR establishes 6 legal bases for processing personal data, consent being one of them. Processing is therefore not lawful only on the basis of consent: it may rest on the performance of a contract or on the legitimate interest of the controller, for example. It is up to the controller to match the purpose of the processing to the appropriate legal basis.
What about the validity of consent collected before the entry into force of the GDPR?
Consent collected before the GDPR entered into force on 25 May 2018 remains valid provided it meets the GDPR's requirements. Otherwise, the controller must collect it again under the conditions required by the GDPR for it to be considered validly obtained.