Published on 12/15/2025

The GDPR, in plain English
THE FACTS

The GDPR is a European regulation adopted on 27 April 2016 and entered into force on 25 May 2018. It is clarified through interpretative guidelines and decisions of the Court of Justice of the European Union.

It has three main objectives: to strengthen individuals' rights over their personal data, to make data controllers and processors more accountable, and to harmonise rules to promote a single digital market for data.

SCOPE OF APPLICATION

The GDPR applies to the processing of personal data, i.e. any operation involving information relating to an identified or identifiable natural person.

It applies to operators established in the European Union, regardless of where the processing takes place, as well as to operators not established in the EU when they target individuals located within the European Union.

HOW TO COMPLY
Lawfulness, fairness, transparency: All processing must be justified by a clear legal basis (e.g. consent, contract, legal obligation, legitimate interest). Data subjects must be informed in a clear, comprehensive and understandable manner.

Increased accountability of stakeholders: Data controllers and their processors must implement a proactive compliance approach (accountability), for example: keeping a record of processing activities, carrying out privacy impact assessments (PIA) in high-risk cases, appointing a DPO in certain cases, implementing appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of data.

Strengthened individual rights: Right of access, rectification, erasure, objection, portability, restriction of processing, and right not to be subject to automated decision-making.

Data Protection Authority (DPA): In France, it is the Commission nationale de l'informatique et des libertés (CNIL). It is responsible for monitoring compliance, providing information, raising awareness, assisting organisations in achieving compliance, receiving and processing complaints, penalising breaches of the GDPR and participating in European cooperation.

Notification of breaches: Obligation to notify the CNIL within 72 hours in the event of a personal data breach, and the individuals concerned if the risk is high.

ANALYSIS
Giuliano Ippoliti, Director of Cybersecurity at Cloud Temple

The GDPR marked a major turning point for data protection by introducing the principle of accountability. From now on, every instance of data processing must be justified, documented and controlled. This rigorous requirement has made the regulation an international benchmark.

A POSSIBLE SIMPLIFICATION?

The proposal for a "Digital Omnibus Regulation" could lead to adjustments to the GDPR, in particular by clarifying certain definitions, reducing obligations for small players, and facilitating the use of data for artificial intelligence and scientific research. However, these are only potential avenues, pending formal adoption by the EU institutions.

