The GDPR (General Data Protection Regulation) is a piece of European legislation of 27 April 2016, applicable from 25 May 2018. Its rules have been incorporated into French law and led to the revision of the Data Protection Act on 20 June 2018.
It protects every EU resident.
To whom does it apply, and where?
All organisations (companies, associations, administrations, local authorities, etc.) established in the EU must apply the GDPR. Be careful, though: any non-EU organisation providing services and products, even free ones, to EU residents must comply with it as well.
What's the point?
The text aims to harmonize the laws of all EU Member States on the protection of personal data. It thus aims to better protect people by strengthening their rights over their data, and by making everyone who processes the data responsible for it.
Why this text?
Data protection is not new, but the expansion of digital and new technologies, as well as the massive exploitation of data for commercial purposes, has led the legislator to want to:
- inform citizens about the use of their data (principles of transparency and fairness);
- strengthen the protection of privacy (principles of a legal basis for processing personal data, and of proportionality between the processing of the data and the objective pursued);
- and, in the face of digital risks (cyber-attacks, flaws, etc.), increase data security.
How does it protect us?
The GDPR now places the burden on organizations to manage the risks associated with the use of personal data (accountability). Organizations are therefore responsible and must demonstrate their compliance with the new rules. In the same vein, they must also notify the CNIL of any personal data breach.
The text also facilitates the exercise of individuals' rights, and European regulatory authorities have organised themselves to facilitate remedies in the event of non-compliance with those rights (single window or one-stop shop).