
GDPR

Objectives 

The European Regulation 2016/679 of 27 April 2016 known as GDPR (General Data Protection Regulation) aims to harmonise and strengthen European legislation on the storage, processing and flow of personal data.

More precisely, it makes it possible to:

Main provisions

GDPR regulation (General Data Protection Regulation) refers to the Regulation (EU) 2016/679 of the European parliament and of the Council of 26 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).

The Regulation comes into force on May 28th, 2018.

SCOPE OF APPLICATION

The Regulation applies to any company established within the European Union that collects, processes and stores data whose use can directly or indirectly identify a natural person (the data subject), and to its partners and software providers. It also concerns companies located outside the EU that offer goods and services to, or collect data on, European citizens.

The GDPR concerns natural persons: it deals with the data of employees, customers, prospects and all other personal data used by the institution (subcontractors, service providers, visitors ...). This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity, that is, with no connection to a professional or commercial activity. It also does not apply to the processing of personal data in the course of an activity which falls outside the scope of Union law.

GENERAL PRINCIPLES


  • Governance requirements

Main provisions | Clarification

DPO (Data Protection Officer) appointment
  • A DPO should be appointed
Ensure continuous compliance
  • Compliance with GDPR requirements should be demonstrated through regular monitoring; for instance, a data protection impact assessment should be carried out
Personal data breach notification
  • A personal data breach should be notified to the competent supervisory authority within the time allowed
Adequacy of personal data
  • The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed
Clear affirmative consent
  • Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her


  • Increase transparency

Main provisions | Clarification

Right to data portability
  • In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another
Right to erase personal data
  • A data subject should have the right to have his or her data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they are collected or processed, where a data subject has withdrawn his or her consent, or objects to the processing of personal data concerning him or her, or where the processing of his or her personal data does not otherwise comply with this Regulation
Integrity and confidentiality
Personal data shall be:
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
Data traceability
  • Data traceability should be ensured
Accuracy
  • Personal data shall be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, with regard to the purposes for which they are processed, are erased or rectified without delay


  • Scope of data

Two kinds of data fall within the scope of this Regulation: 

  • Personal data relating to identified or identifiable natural person: Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Sensitive personal data: Sensitive personal data means personal data which are, by their nature, particularly sensitive in relation to fundamental rights and freedoms and merit specific protection, as the context of their processing could create significant risks to the fundamental rights and freedoms. Such personal data should include personal data revealing:
    • Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership;
    • Genetic or biometric data;
    • Health condition;
    • Sexual orientation or sex life;
    • Criminal offences and convictions;
    • National identification number allowing the unique identification or authentication of a natural person.

Such personal data should not be processed, unless processing is allowed in specific cases. Derogations from the general prohibition for processing such special categories of personal data should be explicitly provided, inter alia, where the data subject gives his or her explicit consent or in respect of specific needs in particular where the processing is carried out in the course of legitimate activities by certain associations or foundations the purpose of which is to permit the exercise of fundamental freedoms.

CHALLENGES AND SOLUTIONS

CACEIS Group is committed to comply with the GDPR and guarantee the protection of the personal data processed in its systems, whether these data concern its customers or its employees.

Your usual sales contact remains at your disposal for further information.
