The European Regulation of 27 April 2016 on personal data entered into force on 25 May 2018.
Its objective is to strengthen the protection of individuals within the European Union. It defines and specifies a certain number of rights granted to individuals whose personal data are processed. It also lays down a number of obligations for companies.
1. A wide scope of application
Since 25 May 2018, any company offering goods or services to data subjects throughout the European Union must apply the GDPR.
2. The principle of accountability and the end of reporting obligations
The accountability principle is one of the fundamental principles of the GDPR. It refers to the obligation for companies to implement internal mechanisms and procedures to demonstrate compliance with data protection rules.
This principle requires companies to provide the supervisory authorities with documentation establishing compliance with the Regulation.
Regular processing operations must now be included in a register and no longer have to be declared to the CNIL.
3. Heavier penalties
Failure to comply with the obligations of the Regulation is punishable by administrative fines issued by the CNIL.These fines have been considerably increased and can amount to up to €20 million or 4% of worldwide turnover (the biggest amount will be selected).
The CNIL monitors the application of the GDPR and in January 2019 pronounced a penalty of 50 million euros against Google LLC.
4. Strengthening the rights of the data of the persons concerned
New rights are recognised for the data of the persons concerned.
These include, for example, the right to portability, the right to be forgotten and the right to be restricted. In the event of a data breach, procedures must also be defined for notifying the CNIL and the persons concerned.
5. A new actor: the Data Protection Officer (DPO)
The DPO guarantees the compliance of his organisation with the Data Protection Act.
Its nomination, obligatory in certain cases (*), is one of the major measures of the Regulation. It takes over from the Data Protection Correspondent, but has a broader remit.
Companies wishing to commit to respecting the privacy of individuals may also proceed with the optional appointment of a DPO.
The DPO continuously monitors the compliance of his organisation. His appointment must meet conditions of integrity and professional ethics.
For public authorities or bodies, bodies whose core activities lead them to carry out regular and systematic monitoring of individuals on a large scale, bodies whose core activities lead them to process so-called "sensitive" data or data relating to criminal convictions and offences on a large scale.
6. New obligations for subcontractors
Until 25 May 2018, only the controller - who decides on the purposes and means of the processing - was responsible.
The GDPR provides that a processor is responsible in principle and is subject to specific security, confidentiality and accountability obligations.
It has a relative duty to advise on certain points of the Regulation (loopholes, security, data destruction, contribution to audits).