Personal data: what you can do with it and how to do it


Following the webinar on the GDPR, we are offering a series of four articles on the subject.

  • Origin and Scope of the GDPR
  • Personal Data: What You Can Do with It and How

The term used here is processing, of which collection is one specific form.

This must be done fairly and lawfully for specific, explicit, and legitimate purposes. In addition, one of the following points must be validated: consent, contract, legal obligation, or vital interests.

The higher the sensitivity of personal data, the more justification must be given for its processing and security. For example, in a newsletter, only the email address is required. This means that if the addressee's title is also collected, it implies that multiple newsletters are planned (one per title or lack thereof).

The Stages of a Personal Data Processing Project

The two main actors in the GDPR are the data controller and the data protection officer (DPO). These two roles can be full-time or part-time, shared, or even outsourced. Please note that in any case, there must be no relationship of subordination between these two employees, even outside of these two roles.

To return to the stages, they must proceed as follows:

  • The data controller, based on a need, establishes specifications and may or may not forward them to the data protection officer. This is what is called project management.
  • If the file has been forwarded to them, the data protection officer may decide to conduct an impact study, preferably with the tool developed by the CNIL. On that basis, the officer amends the project or not. As the impact study is not mandatory, even in the case of certain GDPR processing for small businesses, it is possible not to have a data protection officer. On the other hand, if an impact analysis is carried out, it must be carried out by a data protection officer.
  • After the data protection officer returns an advisory opinion, the data controller establishes the operational management of works, carries it out and records it in a register. Please note, if the controller delegates one or more operations to subcontractors, the controller has the legal obligation of means and results for their actions. A contract must be established and signed by the different partners on the conditions for processing and protecting the subcontracted data. This is what we call the project management.
  • Finally, we apply the principle of the right to be forgotten, which means that at the end of the processing it is necessary to anonymize, archive, or, in the best case scenario, delete all personal data within a reasonable time.

Some links to go further

Tools

  • Define a purpose
  • Tool of the CNIL to carry out an impact study (can be adopted if necessary)

GDPR actors

  • Data Protection Officer (DPO)
  • Responsible for processing: project management, project management
  • Explanation and examples of processing records from the point of view of the data controller and of the subcontractor

Articles on pseudo-anonymization

  • Example of New York taxis by LINC (CNIL digital innovation laboratory)
    • obtaining the postal address thanks to the crossing of routes and the spatial recognition of published photos
    • determination of Muslim religion among taxi drivers thanks to five stops at fixed times per day
  • Study by three Belgian researchers (applicable to the medical field): Online tool
