FAQ - Frequently Asked Questions
What is the GDPR or RGPD?
GDPR stands for “General Data Protection Regulation”.
RGPD stands for « Règlement Général sur la Protection des Données Personnelles ».
It is the European reference legislation on personal data protection.
It provides a single and standardised legal framework applicable to all member states, intended to guarantee the protection of privacy and personal data.
Who is concerned by the GDPR?
The GDPR applies not only to organisations located in the EU, but also to organisations located outside the EU if they offer goods or services within the EU.
When does the GDPR enter into force?
The Regulation has been applicable for the entire European Union since 25 May 2018.
What is personal data processing?
Data processing is defined as any operation or set of operations carried out with or without the use of automated processes and applied to sets of personal data, such as recording, organisation, structuring, storage, adaptation or alteration, extraction, consultation, use, disclosure by transmission, dissemination or any other form of circulation, alignment or consolidation, limitation, deletion or destruction.
Which data is concerned by the GDPR?
The GDPR only regulates personal data, which is defined as any information relating to an identified or an identifiable natural person.
Which personal data is considered sensitive?
Information concerning racial and ethnic origin, political, philosophical, or religious opinions, trade union affiliation, health or sexuality.
How is sensitive data collected and processed?
Sensitive data is data which, by nature, involves risks to the rights and freedoms of individuals, and which is therefore subject to a strengthened protection regime.
The GDPR imposes the principle of a ban on processing personal data; this ban is combined with certain exemptions.
Several exceptions, alternatives, and processing bans are provided for.
What is a data controller?
A legal or natural person, public authority, agency or other body which, alone or in conjunction with others, determines the purposes and methods of the processing of personal data.
What is a processor?
The processor is defined as the legal or natural person, public authority, service, or other body that processes personal data on behalf of the data controller.
Is non-digital processing concerned?
The GDPR applies to all processing of personal data, whether fully or partially automated, as well as to the non-automated processing of data which is contained, or which may be featured, in a file.
A file is not only a database or an Excel table. It may be a paper document, a video-surveillance installation that gathers information on an individual, etc.
What are the objectives of the GDPR?
– To create a standard framework applicable throughout the European Union, and strengthened cooperation between the supervisory authorities.
– To change the approach, with accountability of data controllers.
Pursuant to the principle of accountability, a register of processing activities is implemented. It provides an exhaustive list of the different data processing
– To strengthen individual rights
► Right to information and consent: increased transparency
► Right to access and rectify
► Right to erasure via the right to be forgotten
► Right of opposition and to request a restriction
► Right to data portability
► Right to claim compensation
– To respect privacy and personal data by design for new projects and by default for current projects.
Data protection by design
Data protection by design involves putting in place technical and organisational measures that give effect to the principles protecting the data of the person concerned. These measures are applied in advance and during the selection of processing methods, in particular with regard to the risks the processing raises for the rights and liberties of natural persons.
Data protection by default
By default, only the data necessary for the specific purpose of the processing operation is processed. These principles apply to the quantity of data, the scope of the processing, the retention period and the accessibility.
Analysis of the impact relating to data protection
The regulation obliges data controllers and processors to carry out a data protection impact analysis prior to processing operations which are liable to carry a significant risk to the rights and liberties of natural persons.