• Right to object in advance, without the need to give reasons (except for commercial prospecting for which such a right of objection is provided for in Article 21 of the RGPD)

• Data processing on the fly, in real time

• Pseudonymization or anonymization "at short notice" (a notion that was present in the Data Protection Act and has disappeared with the RGPD)

• Implementation of "dashboards" allowing data subjects to manage their preferences in a precise and immediate way

• Partitioning of data between several entities, so that none of them can access all the data

It is up to the data controller to verify on a case-by-case basis whether the application of these measures allows for a balance between its legitimate interests and the rights and interests of data subjects: if such is the case, the balance, the processing may be based on legitimate interest. If not, another legal basis must be sought, for example, consent.

When it comes to the GDPR, best is sometimes the enemy of good.

Thus, launching all your GDPR compliance projects at the same time (for example, when you decide to raise funds), without prioritizing them and without dedicating internal resources, is generally a bad idea.

Most of the time, the documentation remains in draft form and is never finalized, due to a lack of internal arbitration, and/or the applicable rules are not relayed to the operational staff, so the audit report remains a dead letter.

So, to start, identify first 3 strategic projects, such as:

• The cookie banner on your e-commerce site if in 2022 it still states that "This site uses cookies to improve your experience and optimize our sites and services. I accept".

• The privacy policy if the GDPR information on your site is limited to a "Personal Data" clause in your T&C.

• To the archiving of your data if you keep everything in active database since the creation of your company ... in 2008.

In general, if you need to verify the identity of an individual, simply looking at an ID is sufficient.

A copy of the ID may be retained only when the following cumulative conditions are met:

• Legal provisions require that a copy of an ID be stored (for example, banks are required to verify the identity of their customers in the context of the fight against money laundering and to keep a copy of the documents relating to this identity for five years from the closing of the accounts or the termination of their relationship) or you justify the need for it to pre-constitute evidence in case of litigation.

  With regard to requests to exercise rights under the GDPR, the request for an identity document should not be systematic and should only be made in case of reasonable doubt.

• The identification document is kept for a maximum of 6 years.

• The copy of the ID is kept in an intermediate archive and not in an active data base.

• You implement enhanced security measures to minimize the risk of identity theft in case of data leakage, for example, 𝑣𝑖𝑎 a limitation of the quality of the scanned image (black and white copy and not in color, limited number of pixels), the integration of a watermark with the date of collection and the identity of the organization or encryption.

In this regard, see the CNIL's "commercial management" guidelines, p. 6

. Mistake n°1: not providing a separate document from your GTCs or TOS

The GDPR provides that the information given to data subjects must be easily accessible.

As a result, information related to data protection must be easily distinguishable from information that is not specifically related to privacy.

In concrete terms, this means that the insertion of a "personal data" clause in your GTC or TOU is not enough: you must have a confidentiality policy or a "privacy" charter separate from your GTC or TOU.

. Error n°2 : publishing incomplete information

The privacy policy must be exhaustive and contain all the information listed in articles 13 and 14 of the GDPR.

In practice, if you have not updated your privacy policy since the GDPR came into force, your information mentions are probably incomplete, as the GDPR has added new mentions compared to those that were required until 2018 by the Data Protection Act.

. Mistake #3: using legal or technical jargon that makes the information incomprehensible to the general public

-Information must be written in "clear and simple" terms and be easily "understandable", according to Article 12 of the GDPR.

In practice, this means avoiding legal or technical terms, as well as vague and abstract formulas, and favoring short and simple sentences, with a well-structured layout thanks to clearly hierarchical bullets and paragraphs.

No. The pronouncement of a sanction by the CNIL is not subject to the prior intervention of a formal notice.

In this sense, see for example the sanction pronounced by the CNIL against the company FREE on December 28, 2021:

"The company is surprised that it has not been given prior formal notice to correct the breaches at the origin of the disputed facts (...)".

CNIL's response: "the restricted panel notes first of all that it is clear from the provisions of Article 20 of the French Data Protection Act, as amended by Act No. 2018-493 of June 20, 2018, that the supervisory authority has a range of corrective measures, adapted to the specific characteristics of each case, which may be combined and may or may not be preceded by a formal notice. Corrective measures can be taken directly in all cases.

The restricted panel also notes that the Constitutional Council (Cons. const., June 12, 2018, No. 2018-765 DC) has not expressed any reservation with regard to the possibility for the president of the CNIL to initiate a sanction procedure without a prior formal notice. Finally, the restricted panel recalls that the Council of State ruled (CE, October 9, 2020, Société SERGIC, n° 433311) that "it clearly results [from the provisions of Article 20 of the amended Act of January 6, 1978], that the pronouncement of a sanction by the restricted panel of the CNIL is not subordinated to the prior intervention of a formal notice to the data controller or its subcontractor by the president of the CNIL [...]" (§ 25-26).

. Misconception #1: Consent is required to process data

False - consent is one of the six legal bases provided for in Article 6 of the GDPR.

The GDPR does not establish a hierarchy between these legal bases and there is no general pre-eminence of consent over the other legal bases.

Data controllers may carry out processing based on another legal basis, for example, the performance of a contract or their legitimate interest.

-Please note that although the GDPR does not establish a hierarchy between these legal bases, in certain cases, the legal basis is provided for by specific provisions. This is, for example, the case for commercial prospecting: Article L. 34-5 of the French Post and Electronic Communications Code imposes the obligation to obtain the consent of the person concerned before sending commercial prospecting by e-mail or SMS.

. Received idea n° 2 : to collect a valid consent, it is enough to provide a box to be checked without being pre-checked, whatever the context of the collection

False - consent must be free, i.e. the person must not suffer any negative consequences in the event of refusal. However, in some contexts, individuals are rarely able to freely refuse or revoke their consent.

For example, processing in the context of recruitment operations may rarely be based on the consent of applicants, since refusal on their part could affect their chances of obtaining a job.

. Conventional wisdom #3: Once the individual has given consent, any type of data can be collected, regardless of whether or not it is necessary for the service requested

False - the processing must have a legal basis AND comply with the principle of data minimization, i.e. the data controller is only required to collect data that is strictly necessary.

For example, a weather application cannot collect a user's exact geolocation to display the weather at the city level, even if the user has consented.

. Mistake n° 1: systematically requiring proof of identity

A systematic request for proof of identity constitutes a breach of Article 12 of the GDPR, when there is no reasonable doubt about the identity of the person making the request.

In this sense, see for example the sanction pronounced by the CNIL against the company CARREFOUR FRANCE on November 18, 2020.

. Error n°2: not responding to the request

You must inform the customer of the measures taken following his request, as soon as possible and in any case within one month of receiving the request.

Thus, taking into account the request and deleting the customer's data without informing him is not compliant with the GDPR.

In this sense, see for example the sanction pronounced by the CNIL against the company FREE MOBILE on 28 December 2021 §74.

Tip: to ensure that requests to exercise rights are identified as such by your teams, prefer a dedicated email address, such as privacy@nomdelasociété.com, to a generic address, such as contact@nomdelasociété.com.

. Mistake n° 3: deactivating the customer's account without deleting their data from the active database

Following an objection request, you must either (i) delete the customer's data or (ii) sort and archive it when it is needed to meet your legal obligations or preserve your legal rights.

It is not sufficient to deactivate the account, so that the customer no longer receives marketing messages, while continuing to keep their data in the active database.

On 3 February, the CNIL published two guidelines on commercial management and management of unpaid bills.

To remember:

1. Legal bases

The guidelines identify the legal bases for the most common processing operations.

For example:

- loyalty programs => contract performance

- after-sales service => performance of the contract

- sales statistics => legitimate interest

- commercial prospecting by electronic means (by e-mail or SMS) in B2C => consent

- management of unpaid invoices => execution of the contract

-Good to know: these are the legal bases that must be included in your privacy policy.

2. Retention periods

Customer data used for commercial prospecting purposes can be kept in an active database during the commercial relationship, then for a period of 3 years from the end of the commercial relationship.

Data relating to prospects used for commercial prospecting purposes may be kept in an active database for a period of 3 years from their collection or from the last contact from the prospect (for example, a click on a hypertext link in an e-mail).

These are also the retention periods that should a priori be included in your privacy policy (and implemented)

3. Unpaid

Processing relating to the management of unpaid debts implies the implementation of specific guarantees, namely

- reinforced information of the persons concerned, in several stages (at the time of the conclusion of the contract, when the unpaid debt occurs as well as at the time of the registration on the exclusion list);

- a limited period of retention of data relating to the person concerned, i.e. a maximum deletion period of 48 hours after the payment has been made and 5 years from the date of the unpaid invoice, if it is not paid in full.

Following a recent decision of the Austrian authority, the Cnil has just confirmed that Google Analytics is not compliant with the GDPR due to insufficient supervision of personal data transfers to the United States.

As a result, the CNIL has issued a formal notice to a website manager and has announced that it has initiated other formal notice procedures against website managers using Google Analytics.

However, the use of audience measurement and analysis tools remains possible and the CNIL lists on its website several compliant solutions.

The CNIL reminds us of the rules applicable to commercial prospecting by publishing educational sheets and an infographic on the transmission of data to partners for B2C prospecting operations.

The key points to remember :

1 . B2B prospecting by e-mail or SMS

The consent of the professional contacted is not necessary and the legitimate interest can be retained if :

- the purpose of the solicitation is related to his profession/speciality; and

- at the time of the collection of the e-mail address, the contacted professional was informed that his e-mail address will be used for electronic prospecting purposes and was given a simple and free opportunity to object to it.

2. B2C prospecting by e-mail or SMS

Advertising is possible provided that the persons have given their consent before being canvassed.

Consent must be free, specific, informed and unambiguous and requires, in order to be valid, a positive action by the person concerned (for example, a dedicated checkbox that is not pre-ticked). Acceptance of general terms and conditions of use is insufficient.

As an exception, consent is not required if the person being canvassed is already a customer of the company and if the canvassing concerns similar products or services provided by the same company.

In this case, the prospecting may be based on the legitimate interest of the company and the person must, at the time of the collection of his or her e-mail address

- be informed that his or her e-mail address will be used for prospecting purposes;

- be able to object to this use in a simple and free manner when the data is collected and at any time, in particular at the time of each sending of a prospecting e-mail.

-Attention: this exception cannot be used when no sale or service has been made, including when the customer has created an online account.

3) Transmission to partners

The transmission, with or without payment, of personal data of customers or prospects to partners who wish to use them for commercial prospecting purposes by electronic means (e-mail or SMS) is subject to the consent of the persons concerned.

Error n° 1: sending prospecting emails to people who have created an account on the site but have not made a purchase, without obtaining their prior consent.

Error n°2: not defining the duration of the storage of personal data of its customers and prospects or storing them for longer periods than those defined, without the effective duration being adapted to the purposes for which the data are processed.

For example, in this case, the company kept :

- the personal data of customers who had not placed an order for 5 years;

- the personal data of persons who have not logged into their customer account for 5 years.

Error n° 3: not informing its customers and prospects of all the information listed in article 13 of the GDPR (in particular the contact details of the DPO, the retention periods, the legal basis for the processing and all the rights that people have under the RGPD).

Error n° 4 : not deleting personal data (in particular e-mail addresses) of customers who have made a request for deletion and simply deactivating access to their account, in order to block the sending of commercial prospecting.

Error n° 5 : not ensuring the security of personal data, notably by not imposing the use of a strong password when creating an account on its website.

Error n° 6 : automatically depositing cookies, including advertising cookies, as soon as the user arrives on the site, without prior consent.

Recording a telephone exchange with a consumer can be done in a GDPR-compliant manner, provided the following conditions are met:

1- The recording must pursue a legitimate purpose (e.g., to provide evidence of a contract, to train staff, to improve the quality of customer service) and be necessary to achieve it.

For example, the CNIL considers that the recording of a telephone conversation is not necessary to establish proof of the formation of a written contract, since this proof can be based on the production of documents required by law.

2- Respect for the principle of data minimization: telephone recordings may not be permanent or systematic, except by law. The recording of a telephone conversation cannot be triggered by default, in an automated manner, for all telephone calls and for all conversations.

3- Transparency: the persons concerned by the recording (prospect, customer, employee, service provider) must be informed in a concise, understandable and easily accessible way of the way in which their data is processed.

4- Security: security measures must be taken to prevent unauthorized persons from accessing information that they do not need to know. In particular, strict management of authorizations and computerized traceability methods must be put in place so that it is possible to know which employees are accessing the recordings and when.

5- Retention periods: recorded conversations must be kept for a limited time. For example, the CNIL recommends that recordings of calls in the workplace be kept for a maximum of six months, unless a text imposes a specific duration or particular justification.

6️- Register: the recording device must be entered in the register of processing activities.

To learn more, links in first comment to two sheets published CNIL on this topic.

Translated with www.DeepL.com/Translator (free version)

On April 15, 2022, the CNIL fined DEDALUS BIOLOGIE 1.5 million euros, in particular for security defects that led to the leakage of medical data of nearly 500,000 people.

The CNIL found 3 breaches against the subcontractor:

1- Failure to comply with the data controller's instructions

The CNIL recalls that the processor is required to comply with the instructions of the data controller.

In this case, the CNIL considers that DEDALUS BIOLOGIE has processed data beyond the instructions given by the laboratories responsible for the processing, by extracting a volume of data greater than that required in the context of a migration.

2- Failure to ensure the security of personal data

The CNIL considers that DEDALUS BIOLOGIE has committed technical and organizational failures in terms of security, which led to the data breach.

More specifically, the CNIL criticizes the subcontractor for: the lack of a specific procedure for data migration operations, the lack of encryption of personal data stored on the problematic server, the lack of automatic data erasure after migration to the other software, the lack of authentication required from the Internet to access the public area of the server, the use of user accounts shared between several employees on the private area of the server, the lack of a supervision procedure and the lack of security alerts on the server.

3- Failure to comply with the obligation to provide a formal legal framework for the processing carried out on behalf of the data controller

The restricted formation underlines that "the fact that the obligation resulting from article 28, paragraph 3, of the GDPR is incumbent on both the controller and the processor has no bearing on the existence of the processor's own responsibility".

In this case, a breach of Article 28, paragraph 3, of the RGPD is retained since the GTC proposed by DEDALUS BIOLOGIE and its maintenance contracts did not contain the information required by Article 28-3 of the GDPR.

Notes: The above obligations are not exhaustive. The GDPR imposes others, the processors being in particular required to assist the controller (for example, to answer the requests for exercise of the rights of data subjects and to respect the obligations envisaged in articles 32 to 36 of the GDPR), to alert it if it considers that an instruction which it receives constitutes a violation of the applicable regulation, to keep a register of processor, etc.