• What does GDPR mean?

    GDPR is the acronym of General Data Protection Regulation. It is the new European privacy regulation which has become enforceable on May 25, 2018. The GDPR replaces and updates the EU Data Protection Directive (Directive 95/46/EC) and is intended to harmonize data protection laws throughout the European Union by applying a single regulation which is binding throughout each member state. Please find EU GDPR text on the following link: https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=CELEX:32016R0679

  • What is a personal data?
    “Personal data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who may be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (article 4 of the GDPR)
  • Who may be a data subject under the GDPR?
    A data subject is a natural person to whom personal data relates. This data subject shall be located in the European Union to be protected by the GDPR.
  • Who are the data controllers under the GDPR?
    Data controllers are natural or legal person who determine the purposes for which and the manner in which any personal data are, or are to be, processed.
  • Who are the data processors under the GDPR?
    Data processors are natural person or legal entity who process data on behalf of the data controller.
  • What are the main GDPR principles?
    1. Fairness and Transparency: Data Controllers and Data Processors ("Organisations") shall process personal data fairly and provide individuals with information about how and why their personal data is processed.
    2. Lawful Processing: Organisations shall only process personal data lawfully where there is a valid legal basis. Where organisations are processing as a data processor, organisations shall follow the documented instructions of the data controller and comply with the relevant contract terms.
    3. Purpose Limitation: Organisations shall only collect personal data for a specific, explicit and legitimate purpose. Any subsequent processing should be compatible with that purpose unless organisations have obtained the individual’s consent or the processing is otherwise permitted by law.
    4. Data Minimisation: Organisations shall only process personal data that is adequate, relevant and limited to what is necessary for the purpose for which it was collected.
    5. Data Accuracy: Organisations shall take reasonable steps to ensure personal data is accurate, complete, and, necessary, kept up-to-date.
    6. Individual Rights: Organisations shall allow data subjects to exercise their rights in relation to their personal data, including their rights of access and rectification.
    7. Storage Limitation: Organisations shall only keep personal data for as long as it is needed for the purpose for which it was collected or for a further permitted purpose.
    8. Data Security: Organisations shall use appropriate security measures to protect personal data, including where third parties are processing personal data on our behalf.
    9. Accountability: Organisations shall take steps to comply with, and be able to demonstrate compliance, with the GDPR rules and guidelines.
  • Which rights data subject may exercise under the GDPR?

    Individuals have numerous rights under data protection law, including:

    • Access: Individuals have the right to know what personal data the Company processes about them, and to obtain a copy of that personal data.
    • Rectification: Individuals have the right to have inaccurate data corrected and/or incomplete data completed with supplementary data.
    • Objection: In some circumstances, individuals have the right to object to their personal data being used for a particular purpose, for example to send them direct marketing or to make automated decisions.
    • In certain circumstances individuals may also have the following rights:
    • Portability: Individuals have the right to receive personal data which they provided to the organisations in a commonly used machine-readable format, so that they can share it with a different organization.
    • Erasure: Also known as the “right to be forgotten”, individuals have the right to have personal data erased if the organisation has no lawful basis to continue processing the data. In some cases, or for some types of personal data, the Company may decide not to erase the data but instead restrict its use (for example, it can only be used in the event of a legal claim).
  • Does the GDPR apply only for organisations established in the EU?
    No, this regulation applies to the processing of personal data of data subjects located in the European Union regardless of the location of the controller or processor either related to: (a) the offering of goods or services, irrespective of whether a payment by the data subject is required or not ; or (b) the monitoring of their behaviour within the European Union.
  • Is data subjects consent mandatory to process their personal data?

    No, processing shall be lawful if and to the extent that at least one of the following applies:

    (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

    (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

    (c) processing is necessary for compliance with a legal obligation to which the controller is subject;

    (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

    (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

    (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

  • Is it mandatory that European personal data be stored within Europe?
    No, the GDPR does not contain any obligation to store personal information in Europe. However, transfers of European personal data outside the European Economic Area (EEA) requires to be covered by appropriate safeguards such as standard data protection clauses implementation.