Personal data
Personal data is considered to be "any information relating to an identified or identifiable natural person" and an identifiable natural person "a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity" (Article 4 RGPD).
Described as the "black gold" of the 21st century, personal data is both a source of responsibility and a formidable development challenge for economic players. In a restrictive and evolving regulatory context, we help you set up a relevant and compliant personal data management policy.
1 - RGPD Compliance
We help you to comply with, or verify your compliance with, the General Data Protection Regulation n°2016/679 (RGPD):
We first carry out a processing audit in order to:
- identify and map all your personal data processing operations
- understand the purpose and legal basis of each processing operation
- identify your personal data processors (i.e. the companies to which you entrust the processing of your personal data).
On the basis of this audit, we are able to:
- identify non-conformities and make any necessary adjustments to ensure compliance
- draw up a register of processing activities identifying:
  o the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer
  o the purposes of the processing
  o a description of the categories of data subjects and categories of personal data
  o the categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organizations
  o where applicable, transfers of personal data to a third country or to an international organization, including the identification of that third country or international organization
  o as far as possible, the deadlines for deleting the various categories of data
  o as far as possible, a general description of the technical and organizational security measures in place
- carry out an impact assessment when the planned processing is likely to generate a high risk for the rights and freedoms of the individuals concerned
- draw up the documentation required to ensure respect for the rights of individuals (drafting policies or charters for the use of personal data, setting up procedures for opposition, access, rectification, deletion or de-referencing)
- appoint a Data Protection Officer (DPO)
- draw up and monitor RGPD compliance documentation
2 - RGPD in contracts
2.1 - The processor's obligations
The RGPD lays down provisions that must be included in contracts signed between a personal data processor, i.e. a company that processes personal data on behalf of the controller, and the said controller.
In particular, the contract signed between the controller and the processor must stipulate that the processor:
- processes personal data only on the basis of documented instructions from the controller, including in the case of transfers of personal data to a third country
- ensures that persons authorized to process personal data undertake to respect confidentiality or are subject to an appropriate legal obligation of confidentiality
- takes all measures required to ensure the security of personal data
- complies with the conditions required when appointing another processor (prior written authorization from the controller, and a contract in place with the new processor including the same data protection obligations as those set out in the contract between the controller and the processor)
- assists the data controller, by means of appropriate technical and organizational measures, as far as possible, in fulfilling its obligation to respond to requests from data subjects to exercise their rights (right of information and access to personal data, right of rectification and erasure, right of opposition, etc.)
- assists the data controller in ensuring compliance with its obligations in terms of security of processing, notification to the supervisory authority of a personal data breach, communication to the data subject of a personal data breach, data protection impact assessment and prior consultation
- according to the choice of the controller, deletes all personal data or returns them to the controller at the end of the provision of services relating to the processing, and destroys existing copies, unless applicable law requires the retention of personal data
- makes available to the controller all the information necessary to demonstrate compliance with the obligations laid down in this article and to allow audits, including inspections, to be carried out by the controller or another auditor appointed by it, and contributes to such audits.
2.2 - Data transfers
The RGPD authorizes transfers of personal data outside the EU to countries considered by the European Commission as providing an adequate level of protection, or in the presence of appropriate safeguards to secure the transfer, such as the European Commission's standard contractual clauses or Binding Corporate Rules (BCR).
Recent developments in personal data law (the invalidation of the Privacy Shield framework governing personal data transfers to the United States following the CJEU's July 16, 2020 decision, known as "Schrems II", and Brexit) have reinforced the need to secure any transfer of personal data to countries outside the EU.
Externalegal assists you in securing your personal data transfers, notably by negotiating appropriate contractual clauses.