Cookies and other Trackers : How to Comply

Following the hundreds of millions in fines imposed on Amazon, Google and Facebook by the CNIL and other authorities relating to their use of cookies, this article reviews the CNIL’s practical recommendations in this area to help organisations understand the requirements in France and, to some degree, in the rest of the European Union.

The CNIL notes in its recommendations that they constitute only examples, which are neither prescriptive nor exhaustive, and that although they focus on the web and mobile environment, they can also be applied to other environments (connected TV etc.).

GDPR : International Data Transfers

Under the General Data Protection Regulation (GDPR), transfers of personal data outside the EEA (i.e. the EU plus Norway, Liechtenstein and Iceland) or to international organisations are allowed only if one of the following conditions is met:

the third country is recognised as providing an adequate level of protection via an adequacy decision adopted by the European Commission;

adequate safeguards are implemented (e.g. EU Standard Contractual Clauses, BCR, approved certification or code of conduct);

a derogation provided for in article 49 is applicable (e.g. express consent, vital interest etc.).

The Legal Bases for Processing Personal Data

Under the General Data Protection Regulation (GDPR), the controller must determine the legal basis for each purpose of the data processing operations carried out under its responsibility (i.e. data processing carried out either by itself or by its processor).

The different legal bases for processing personal data are laid down in article 6 GDPR and include, among others, consent, legitimate interest, the performance of a contract and compliance with a legal obligation.

However, where special categories of data and/or data about criminal convictions are processed, controllers must pick an additional legal basis among those laid down in articles 9 or 10 GDPR.

Not considering the legal basis of processing beforehand may lead to various breaches of the GDPR and, in particular, breaches of individuals’ rights.