The General Data Protection Regulation (GDPR) (Regulation 2016/679) is a European law which establishes a harmonised legal framework for the protection of the personal data of citizens of the European Union (EU) and the European Economic Area (EEA).
Adopted on 27 April 2016 and in force since 25 May 2018, the GDPR applies directly in all Member States, without the need for transposition legislation. In France, the French Data Protection Authority (CNIL) ensures that it is applied and helps organisations achieve compliance. In Germany, the BfDI oversees its application, and in Spain the AEPD.
🎯 Main objectives
- Strengthening individual rights: giving citizens greater control over their data and limiting abuse.
- Making organisations accountable (companies, public authorities, associations, etc.) that collect and process this data: imposing an obligation of transparency and security on them.
- Harmonising the rules in Europe: the aim is to facilitate the free circulation of data while ensuring a high level of protection.
- Adapting the law to digital issues: responding to the risks associated with new technologies (big data, AI, mass surveillance).
🔑 Fundamental principles
The GDPR is based on 7 structuring pillars to ensure transparent, ethical and secure data processing:
- Lawfulness, fairness and transparency: data must be processed on a legal basis (consent, contract, legal obligation, etc.), fairly and with clear information for the data subject.
- Purpose limitation: data must only be collected for specific, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes.
- Data minimisation: only data that is strictly necessary for the defined purposes should be collected.
- Accuracy: data must be accurate and, where necessary, kept up to date to avoid any processing based on incorrect information.
- Storage limitation: personal data must only be kept for as long as is necessary for the purposes for which it was collected, unless a longer period is required by law.
- Integrity and confidentiality: appropriate technical and organisational measures must be put in place to guarantee the security, integrity and confidentiality of data.
- Accountability: organisations must be able to demonstrate their compliance with the GDPR through internal policies (training, etc.) and rigorous documentation of processing operations (registers, audits, etc.).
🌍 Scope of application
The GDPR has an extraterritorial scope.
It applies to any organisation, whether public or private, within or outside the EU, if it:
- Processes personal data of EU residents.
- Offers goods or services (free or paid) to these people.
- Monitors their behaviour (for example, by tracking browsing patterns or targeting advertising).
This means that even companies based outside the EU (in the United States, China, etc.) are affected if they process the data of European citizens.
It therefore applies to processors (hosting companies, cloud service providers) as well as to data controllers, even if the processing is free of charge (e.g. social networks, mobile applications).
👥 Strengthened rights for individuals
The GDPR gives European citizens greater control over their personal data by granting them a number of fundamental rights:
- Right of access: obtain confirmation of the existence of data concerning them and receive a copy within 1 month (free of charge, unless the request is abusive).
- Right of rectification: request the correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): in certain cases, demand that the data be deleted.
- Right to restrict processing: request a temporary or permanent restriction on data processing (e.g. during a dispute).
- Right to data portability: retrieve data in a structured format and transfer it to another data controller (e.g. export Spotify playlists).
- Right to object: oppose the processing of data, particularly in the case of commercial prospecting.
- Right not to be subject to an automated decision: refuse that a decision with legal or similarly significant effects be based solely on automated processing (including profiling).
🛡️ Obligations for organisations
To comply with the GDPR, organisations must put in place a number of measures and procedures, including:
- Documentation:
  - Keep a record of processing activities (mandatory for companies with more than 250 employees or handling sensitive data).
  - Carry out DPIAs (data protection impact assessments) for high-risk activities (e.g. facial recognition).
- Governance:
  - Designate a DPO (Data Protection Officer) if processing activities are large-scale or sensitive (health, justice).
  - Sign data processing agreements with processors to define their obligations.
- Security:
  - Implement technical measures (anonymisation, encrypted backups) and procedures (access management, alerts in the event of a security breach).
  - Notify the competent authority of data breaches within 72 hours.
- International compliance:
  - Use Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR) for transfers outside the EU.
🚨 Penalties for non-compliance
Data protection authorities, such as the CNIL in France, have powers of investigation and sanction.
Penalties can be particularly severe:
- Up to 10 million euros or 2 % of annual worldwide turnover for certain offences.
- Up to 20 million euros or 4 % of annual worldwide turnover for the most serious breaches (e.g. failure to respect individuals' rights or lack of legal basis for processing).
Fines can be supplemented by injunctions (e.g. to suspend unlawful processing) or daily penalty payments.
National authorities cooperate via the one-stop-shop mechanism: a multinational company deals with a single lead authority (e.g. the CNIL for Apple in Europe).
👉 Examples of penalties:
- 746 million euros against Amazon (2021) for non-compliant advertising tracking.
- 1.2 billion euros against Meta (2023) for unlawful data transfers to the United States.