Since the GDPR (General Data Protection Regulation), the European regulation governing the processing of personal data, entered into force on May 25, 2018, each company established on the territory of the EU and handling personal data has been required to comply with it, on pain of heavy penalties. In what follows, we will mainly focus on what exactly personal data is.
Personal data: what are we talking about exactly?
The notion of “personal data” should be understood very broadly. Data is said to be personal when it relates to an identified or identifiable individual. A person can be identified either directly (last name, first name, etc.) or indirectly (telephone number, biometric data, customer number, voice, elements specific to their physical, mental, economic, genetic, social or cultural identity, etc.). It should also be noted that a single piece of data is more than enough to identify an individual in some cases, while in other cases several pieces of data must be cross-referenced.
Different types of personal information
There are generally two types of personal data: sensitive data and non-sensitive data. Sensitive data is data linked to sexual orientation, ethnic and racial origin, religious or political opinions, trade union membership, infringement data … Non-sensitive data can be the individual's last name and first name, date of birth, sex …
Processing of personal data: what does it consist of?
Like the notion of personal data, the notion of processing such data is also very broad. It is an operation, or a set of operations, that relates to personal data, regardless of the method used (collection, backup, conservation, organization, consultation, modification, use, distribution, etc.). For example, a database containing various information about customers (last name, first name, age, location, preferences, purchasing behavior, etc.) is considered to be processing of personal data. The same goes for collecting information through a questionnaire.
As soon as we process data considered to be personal in a professional capacity, we are systematically subject to the Data Protection Act. On pain of heavy criminal penalties, you are required to declare your processing to the National Commission for Informatics and Freedoms (CNIL), but above all to put in place all the measures necessary for the company to comply with the GDPR, including the designation of a Data Protection Officer (DPO).