Simplified Data Processing and Communication

As defined in Article 2 of the French Data Protection Act (the “Informatique et Libertés” law), “processing of personal data” means any operation or set of operations relating to such data, whatever the means used, and in particular the collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or any other form of making available, alignment or interconnection, as well as blocking, erasure or destruction.

Processing personal data therefore involves, successively:

  • collection,
  • storage,
  • and management of personal data.

I. Regarding the collection of personal data:

I.1°) A file or processing of personal data must, in most cases, be declared to the CNIL

Four cases must be distinguished:

Case no. 1 (exemption from declaration): certain files are exempt from formalities; the CNIL website maintains a long list of exemption cases. Files or processing operations containing personal data that fall within one of these cases are simply exempt from declaration formalities, most often because they do not infringe privacy or freedoms. When they do not correspond to an exemption case, they must be declared to the CNIL, or even be authorized by it.

Case no. 2 (simplified declaration): this is a lightweight formality for processing that conforms to a CNIL simplified standard (such as simplified standard no. 48); when files or processing operations containing personal data do not correspond to a simplified-declaration case, they must be the subject of a normal declaration, or even of an authorization request to the CNIL.

Case no. 3 (normal declaration): the ordinary regime is the normal declaration, which applies when the file does not fall under a specific procedure (art. 22 of the “Informatique et Libertés” law). The processing may be implemented once the data protection correspondent (CIL) confirms that it has been recorded in the organization’s register of processing operations. That confirmation certifies that the declaration formalities have been completed, but it does not relieve the controller of the other obligations laid down by law (purpose limitation, security, confidentiality, respect for the rights of data subjects, etc.).

Case no. 4 (authorization): certain processing operations fall under an authorization or opinion-request regime. These are more protective regimes, applying to data and processing purposes considered “sensitive” or presenting risks to privacy or freedoms. In particular, automated processing of personal data that presents specific risks of infringing rights and freedoms must be authorized by the CNIL before it is implemented. Failure to complete the formalities with the CNIL is punishable by 5 years’ imprisonment and a fine of €300,000.

I.2°) The person responsible for a file must allow the persons concerned by the information it holds to exercise their rights in full

To that end, the person responsible for the file must inform them of:

a) the identity of the controller of the customer file;

b) the purpose of the customer file (prospecting, subscription management, order management, etc.);

c) whether each answer requested from the customer (when filling in a form, for example) is mandatory or optional, and the possible consequences for the customer of not answering (mandatory fields are generally marked with asterisks);

d) the recipient(s) of the data (in particular the head of the network, if it must be able to use customer data for network-wide communication);

e) the customer’s rights with respect to the customer file (in particular the rights of access, opposition and rectification);

f) where applicable, the fact that the data will be transferred to a State that is not a member of the European Community.

It is also important to have obtained, in this way, the person’s consent to the collection and processing of the data, and to be able to prove it.

Three types of penalties exist:

  • The financial penalties that the CNIL can impose: €150,000 for a first breach and €300,000 for a repeat offence (for a company, the maximum penalty is 5% of its turnover excluding tax, capped at €300,000);
  • The criminal fine, which for a company can reach €1.5 million;
  • The impossibility of selling the customer file (a serious matter when a brand that has invested heavily in digital communication and CRM is sold). The assignment of a customer file built without complying with CNIL rules may be annulled, forcing the assignor to reimburse the assignee, among other consequences.

II. Regarding the storage of personal data: the person in charge of a file must respect the retention period of the information.

II.1°) The person in charge of a file must guarantee the integrity of the file by adopting physical and logical security measures, and must guarantee the confidentiality of the data

Any person responsible for processing personal data must adopt physical (premises security) and logical (information-system security) security measures adapted to the nature of the data and the risks presented by the processing. Failure to comply with the security obligation is punishable by 5 years’ imprisonment and a fine of €300,000.

Only authorized persons may access the personal data contained in a file: the recipients explicitly designated to receive the data on a regular basis, and “authorized third parties” entitled to receive them on an ad hoc, reasoned basis (e.g., the police or the tax authorities). Communicating the data to unauthorized persons is punishable by 5 years’ imprisonment and a fine of €300,000; disclosure through imprudence or negligence is punishable by 3 years’ imprisonment and a fine of €100,000.

II.2°) The retention period must be respected

Personal data has an expiry date. The person responsible for a file sets a reasonable retention period according to the purpose of the file.

Retention periods under simplified standard no. 48:

  • customer: 3 years from the end of the commercial relationship (date of purchase, expiry of the warranty, end of a contract, or last contact with the customer);
  • prospect: 3 years from collection or from the last contact from the prospect (with the possibility of a reminder at the end of the period);
  • bank cards (excluding the visual cryptogram): 13 months following the debit date (15 months for deferred-debit cards); longer storage is possible with the customer’s express consent, which must not be obtained through a pre-ticked box;
  • cookies and trackers: 13 months (audience-measurement cookies: 6 months);
  • identity documents: 1 year when supplied to exercise the right of access or rectification, 3 years when supplied to exercise the right of opposition.

The Penal Code punishes retaining data beyond the declared period with 5 years’ imprisonment and a fine of €300,000.
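The retention periods listed above only help if something actually enforces them. The script below is an added example, not code from the original article: it encodes the durations quoted above as a rule table, computes each record’s erasure date, and lists the records that are overdue on a given day. The record layout (a category, the dates that start the retention clock, a deferred-debit flag and an express-consent flag) and the identifiers are assumptions made for illustration; the sample records are constructed, not real data.

```python
"""Retention-period check for the data categories listed above.

Added example, not part of the original article. RETENTION_MONTHS encodes
the durations the article quotes; the Record layout, field names and
sample data below are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Union


def add_months(d: date, months: int) -> date:
    """Advance d by whole calendar months, clamping the day to the end of
    the target month (31 January + 1 month -> 28/29 February)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    if month == 12:
        last_day = 31
    else:
        last_day = (date(year, month + 1, 1) - date(year, month, 1)).days
    return date(year, month, min(d.day, last_day))


# Retention periods from the article, in months.
RETENTION_MONTHS = {
    "customer": 36,              # from end of the commercial relationship
    "prospect": 36,              # from collection or last contact
    "card": 13,                  # from debit date (immediate debit)
    "card_deferred": 15,         # from debit date (deferred debit)
    "cookie": 13,
    "cookie_audience": 6,
    "id_document_access": 12,    # right of access / rectification
    "id_document_opposition": 36,
}


@dataclass
class Record:
    ident: str
    category: str
    # Dates that start the clock. For a customer this is purchase date,
    # warranty expiry, contract end and last contact; the latest of them is
    # the end of the commercial relationship. (Assumed layout.)
    event_dates: List[date] = field(default_factory=list)
    deferred_debit: bool = False
    # Express consent (not a pre-ticked box) to keep card data longer.
    express_consent: bool = False


def retention_end(rec: Record) -> Optional[date]:
    """Return the last day the record may be kept, or None when the article
    sets no fixed limit (card data kept with express consent)."""
    if not rec.event_dates:
        raise ValueError(f"{rec.ident}: no start date for the retention clock")
    start = max(rec.event_dates)
    if rec.category == "card":
        if rec.express_consent:
            return None
        months = RETENTION_MONTHS["card_deferred" if rec.deferred_debit else "card"]
    else:
        months = RETENTION_MONTHS[rec.category]   # KeyError for unknown categories
    return add_months(start, months)


def expired(records: List[Record], today: Union[date, str]) -> List[str]:
    """Identifiers of records whose retention period has elapsed on `today`
    (a date or an ISO 8601 string). The last day itself is still allowed."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [r.ident for r in records
            if (end := retention_end(r)) is not None and today > end]


# Constructed sample records (not from the article).
SAMPLE = [
    Record("cust-1", "customer", [date(2019, 3, 10), date(2020, 1, 5)]),
    Record("cust-2", "customer", [date(2022, 6, 1)]),
    Record("pros-1", "prospect", [date(2020, 11, 30)]),
    Record("card-1", "card", [date(2022, 2, 28)]),
    Record("card-2", "card", [date(2022, 2, 28)], deferred_debit=True),
    Record("card-3", "card", [date(2019, 1, 1)], express_consent=True),
    Record("ck-1", "cookie_audience", [date(2022, 10, 1)]),
    Record("ck-2", "cookie", [date(2022, 1, 31)]),
    Record("id-1", "id_document_access", [date(2022, 3, 15)]),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.ident:8} keep until {retention_end(rec)}")
    print("to erase on 2023-04-01:", expired(SAMPLE, "2023-04-01"))
```

Two details matter in practice: the customer clock starts at the latest of the listed events, not the first contact, and a record is still lawful on its last day, so the comparison is strictly “today is after the end date”. Run the check from a scheduled job and feed its output to the erasure routine, and log each erasure so the controller can demonstrate compliance.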

III. Regarding the management of personal data

III.1°) The person responsible for a file must guarantee the rights of the person whose data has been collected

The person whose data has been collected has a right of access, a right of rectification and a right of opposition.

Right of access: the person whose data has been collected may ask the person responsible for a file directly (website, store, bank, etc.) whether it holds information concerning him, and request that all of this data be communicated to him. Exercising the right of access makes it possible to check the accuracy of the data and, if necessary, to have it rectified or erased.

Right of rectification: the person whose data has been collected may request the correction of inaccurate information concerning him. The right of rectification complements the right of access: it prevents an organization from processing or disseminating false information about the person.

Right of opposition: the person whose data has been collected may object, on legitimate grounds, to being included in a file. For prospecting, in particular commercial prospecting, this right can be exercised without giving any reason; in that case the person may object to the data concerning him being disseminated, transmitted or stored.

III.2°) The manager of a file must organize its relationship with third parties

The question of who owns the file is often asked, but it is the “wrong” question.

The central question is not so much who “holds” the customer data as who may use it: apart from the case in which the company sells its customer file (or is itself sold), ownership as such matters little.

What counts is to specify in the relationship with the network (that is, in the contract) who may use the data and how. Failing that, the risk is that ownership of the customer file compiled by a network member will be attributed to that member, without the head of the network being able to access or use it.

To avoid any dispute, contracts should state clearly how customer data will be passed back to the head of the network and that the head of the network may use it (both during the contract and after it ends).

This presupposes that the data was collected correctly upstream by the network member, in particular by informing the customer that the head of the network will use his data.

Simplified implementation for certain processing of personal data

Some processing of personal data carried out by employers is exempt from a data protection impact assessment.

The General Data Protection Regulation (GDPR), adopted at European level and applicable since May 25, 2018, applies to any company that collects or processes personal data on its own behalf or on behalf of a third party.

Personal data is any data that makes it possible, on its own or combined with other data, to identify a person directly (surname, first name) or indirectly (telephone number, email, address, photo, voice, physical characteristics, fingerprints, etc.). As soon as a file (paper or digital) gathers this type of information, it is considered a processing of personal data and must be set up and managed in accordance with the GDPR.

A company that implements processing “likely to result in a high risk to the rights and freedoms of natural persons” (management of whistleblowing alerts in a professional context, scoring of individuals, constant video surveillance, etc.) must first carry out a data protection impact assessment.

Conversely, some processing operations are exempt from this requirement. The Commission nationale de l’informatique et des libertés (CNIL) has published a non-exhaustive list of them. Employers therefore do not have to carry out an impact assessment for:

– processing implemented solely for human resources purposes, under the conditions laid down by the applicable texts, for the sole purpose of managing the personnel of companies employing fewer than 250 people, and without profiling (payroll management, training management, reimbursement of professional expenses, follow-up of annual appraisal interviews, use of communication tools without profiling or biometrics, etc.);

– processing established for the sole purpose of managing physical access control and timekeeping for calculating working time, provided that it does not use a biometric device and excluding processing of data that reveal sensitive or highly personal information.

In addition, supplier relationship management processing (processing allowing administrative operations related to contracts, orders, deliveries, invoices and payments to be carried out; producing payment vouchers; financial and turnover statistics by supplier; maintaining documentation on suppliers; etc.) is also exempt from impact assessment.
