Introduction: the main principles of the GDPR.
Today we will discuss the principles of the GDPR. These are the key principles that structure all personal data protection law. They are at the heart of the General Data Protection Regulation and they address the key questions of governance: how do we ensure the compliance of an organisation such as a company, an association or a public body?
There are three important things to note when discussing the principles of the GDPR; let's explore them together.
What is personal data?
Today it is an extremely broad concept. It covers a surname and a first name, but also any data from which a person can be identified, directly or indirectly. Note that, with technological evolution, a set of data points that are individually harmless can, once combined, identify an individual. That is why one must be extremely careful, whenever data is discussed, about whether or not it is personal data. Alongside the notion of personal data, the GDPR uses the notion of processing of personal data, and it is these processing operations that must comply with data protection law. A processing operation is the collection of data and its storage, but also its destruction. At each of these stages, the processing must comply with data protection law and in particular with the principles of the GDPR.
What are the principles of the GDPR?
The principle of lawfulness of processing: the first principle is lawfulness. The processing must rest on a valid legal basis, for example a legal or regulatory obligation, the performance of a contract, or the consent of the person concerned.
The principle of purpose limitation: I collect data for one purpose; I cannot reuse it for another, incompatible purpose. That is the principle of purpose.
The principle of relevance (data minimisation): for example, I collect data within the framework of an educational programme, or to organise an event. I must then collect only the data that is relevant to that purpose, without exceeding those limits and gathering a mass of data that would be unnecessary and, in any case, disproportionate.
The principle of accuracy: here we align with the notion of data quality. I collect data and ensure it is up to date and of good quality, to prevent errors in the processing of this personal data.
The principle of limited retention: a retention period must always be defined. I need to know for how long I will keep the personal data, and once that period has elapsed the data must be deleted or anonymised.
The principle of data security: the final principle is security. I collect data, I keep it, I destroy it, and at each stage I must implement appropriate security measures. Today this is an extremely important point: we see it, for example, in the sanctions pronounced by the CNIL, most of which involved shortcomings in data security.
The fundamental principles are structuring elements.
Each data controller, that is, the entity which collects and processes personal data and is responsible for that processing, must at all times be able to demonstrate how these principles have been implemented.
What tools have been deployed for data security? What have you done? What measures have you actually taken to limit retention periods? How do you justify the legal basis of your processing?
If you are unable to demonstrate compliance with these provisions, you may incur penalties. This principle of accountability is now central and permeates the whole GDPR. It must be taken into account: we are no longer in a regime of prior declaration formalities. Rather, at any time, you must be able to show that your compliance is effectively implemented and conforms to these principles.
General Data Protection Regulation: Who is concerned?
I am now going to speak about the rights of the data subjects within the context of personal data protection. So what does "the rights of the data subjects" mean? It refers to the various rights that each person can exercise in different situations.
For example, a situation in which a person is a consumer, a student, the beneficiary of a service, or an employee. There are very different situations in which, as soon as personal data is processed, each person will be able to exercise certain rights.
These rights are not absolute: the way each right applies depends on the context and the legal basis under which the data was collected.
For example, the rights will not be exercised in the same way when I have given my consent to the processing of my health data as when a student has registered with an association in order to access certain activities.
Regarding these rights, I will address five specific aspects.
What are these so-called rights of the persons concerned?
There are several rights:
- The right of access: the right to obtain one's data and to know which data is being processed.
- The right to rectification: my data has been collected incorrectly, there are errors, errors that are detrimental to me, and I want them corrected.
- The right to object to the processing of data, when I do not want my data to be processed.
- The right to request erasure of the data.
- The right to data portability, a new right introduced by the GDPR. If you change providers, for example in telecommunications or insurance, you can request the portability of your personal data.
- The right to request restriction of the processing of personal data that has been or may be carried out.
These are the main rights of the data subjects, of each person concerned within the meaning of the GDPR.
Ensuring the effectiveness of data protection law.
The second aspect is the objective: to guarantee the effectiveness of the right to the protection of personal data. I have a number of rights under this European legislation and under national legislation, and I must be able to assert and exercise them. The English term "empowerment" is often used: we have a number of rights and we must be able to have them enforced.
This is what genuinely guarantees the right to the protection of personal data, which, it should not be forgotten, is a fundamental right.
The exercise of one’s rights and the deadlines set by the GDPR.
Exercising these rights means following a procedure, and today the GDPR sets deadlines for it. For example: I am a consumer and I notice that my data has been used in a way that does not match the information I was given. I write, I make contact, and normally I must receive a response within one month.
In certain cases, when requests are more complex, the deadline may be extended by two further months, to three months in total. In any event, the key points are that a response is required and that the deadlines are fixed: if no response is received within them, anyone can complain to a supervisory authority, notably the CNIL, about the lack of response.
Information and transparency obligations regarding personal data.
What we have just seen also means that there must be information and transparency towards the persons concerned. Again, this information and transparency must adapt to every context: whenever your data is collected, recorded or kept, whether by a private or public entity, in your professional life or in your daily life, arrangements for information and transparency must always exist.
And here again, there is a fixed list of information that must be provided:
Who collects my data? Who is the data controller? Who is the data protection officer? How can I exercise my rights? Which authority is competent if I am not satisfied with the answer I receive? Why is my data being collected (principle of purpose)? What is done with it? To whom is my data communicated, who are the recipients? Can it be transferred outside the European Union?
And above all, for how long will it be kept?
Once again, this can be relatively complex to implement. On the one hand, you need to provide this information; on the other hand, you need to deploy it concretely. The person who delivers the information must be sure, and convinced, that they are delivering the right information, and above all that it is borne out by the facts, that there is effective governance of personal data protection.
The manner in which this personal information is communicated
An important question today is how we provide all this information. We have lists, we have deadlines, but the way we inform is very important, and the CNIL and other data protection authorities have reiterated this.
It is not about handing over a catalogue of information; the information must be adapted each time to the different audiences. This comes close to legal design: the way information is communicated and presented is a key question, and it is very important to check how this information is actually provided.
What is personal data?
I am now going to talk about personal data. We often hear about the GDPR, the Law on Informatique et Liberté in France, and data protection law. But what is personal data?
The most important thing to note is that it is an evolving concept. It is very difficult to decree once and for all what is and what is not personal data.
Personal data is, for example, the surname and first name associated with Mr. Dupont or Mrs. Durand, their address, their family situation, and all the data that may be derived from them.
There are thus several categories of personal data: civil status data, data linked to the family, and so on. When we speak of personal data, we also refer to sensitive data.
The sensitive data
Within personal data, there is data that must be examined more carefully and whose collection is, in certain cases, prohibited: for example, data revealing a person's sex life, religious beliefs, ethnic origin or trade union membership.
The principle is that the collection and processing of such data is prohibited, subject to exceptions, and these exceptions are regulated by a number of specific provisions. This is the case, for example, for health data.
As I was saying, the concept of personal data is evolving. With technological progress, you can start from databases containing no surname, no first name, nothing identifying, and end up with data that is clearly identifiable once it is combined or cross-referenced.
That is why there are today a number of guidance documents and doctrinal positions, notably from the European Data Protection Board in Brussels, which clearly demonstrate the need for vigilance in this area.
These elements allow you to verify each time whether or not data is personal data. This is a key point: if it is personal data, you must apply data protection law; if it is not, these provisions do not apply.
And one must not create situations that amount to circumvention: situations in which the protective provisions are not applied so that a less protective regime can be favoured.
The concepts of data anonymization or pseudonymization
Finally, personal data also brings in the notions of anonymisation and pseudonymisation. In some cases, data can be coded to provide additional guarantees, particularly in terms of security: pseudonymisation replaces directly identifying fields with a code, while the means of re-establishing the link (a key or a correspondence table) are kept separately. As long as that link can be re-established, pseudonymised data remains personal data and must be protected as such. Conversely, when data is genuinely anonymised, it is no longer personal data, and the protective measures specific to personal data no longer apply.
Nevertheless, one must be extremely vigilant: the anonymisation must be effective, using mechanisms that have been verified or audited, since supposedly anonymous data that can still be re-identified remains personal data. As we see, personal data is extremely broad in nature and scope, and this calls for a precise and detailed examination.
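The distinction drawn above is easiest to see on data. The following is an added example, not code from the original page: it pseudonymises a constructed sample with a keyed HMAC (the data stays personal, since the key or the lookup table re-links it), shows why an unkeyed hash of an e-mail address is not an anonymisation (it can be re-identified from any candidate list), and then anonymises the same records by generalising the quasi-identifiers and dropping rows that are alone in their cell. The records, key and generalisation rules are all assumptions made for the illustration.

```python
"""Pseudonymisation versus anonymisation on a constructed sample dataset.

Added example, not code from the original page. The records, the key and the
generalisation rules are all constructed for illustration.
"""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample: direct identifiers, quasi-identifiers and a health attribute.
RECORDS = [
    {"name": "Dupont", "email": "a.dupont@example.org", "postcode": "75011", "birth_year": 1984, "condition": "asthma"},
    {"name": "Durand", "email": "m.durand@example.org", "postcode": "75011", "birth_year": 1984, "condition": "diabetes"},
    {"name": "Martin", "email": "p.martin@example.org", "postcode": "69003", "birth_year": 1990, "condition": "asthma"},
    {"name": "Bernard", "email": "l.bernard@example.org", "postcode": "69003", "birth_year": 1991, "condition": "asthma"},
    {"name": "Petit", "email": "s.petit@example.org", "postcode": "13001", "birth_year": 1975, "condition": "diabetes"},
]

def pseudonymise(records, key):
    """Replace direct identifiers with a keyed HMAC token.

    The result is still personal data: the link to the person can be re-established
    by whoever holds `key` or the lookup table, which is why both must be stored
    separately from the dataset, and why the dataset keeps full GDPR protection.
    """
    lookup = {}   # correspondence table: kept by the controller, never shipped with the data
    out = []
    for r in records:
        token = hmac.new(key, r["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        lookup[token] = r["email"]
        out.append({"id": token, "postcode": r["postcode"],
                    "birth_year": r["birth_year"], "condition": r["condition"]})
    return out, lookup

def unkeyed_hash_is_reversible(records):
    """Why a plain hash of the e-mail is pseudonymisation at best, never anonymisation:
    anyone with a list of candidate addresses recomputes the hashes and re-identifies rows."""
    hashed = {hashlib.sha256(r["email"].lower().encode()).hexdigest() for r in records}
    candidates = [r["email"] for r in records]   # e.g. a leaked mailing list
    recovered = [c for c in candidates if hashlib.sha256(c.lower().encode()).hexdigest() in hashed]
    return len(recovered) == len(records)

def anonymise(records, k=2):
    """Generalise the quasi-identifiers (postcode -> department, birth year -> decade)
    and keep only rows whose generalised combination is shared by at least k people.
    A row that is alone in its cell is dropped: one person per cell is still identifiable.
    k-anonymity is a minimum bar, not a proof; the anonymisation still has to be verified."""
    def cell(r):
        return (r["postcode"][:2], r["birth_year"] // 10 * 10)
    counts = Counter(cell(r) for r in records)
    return [{"department": cell(r)[0], "birth_decade": cell(r)[1], "condition": r["condition"]}
            for r in records if counts[cell(r)] >= k]

def is_personal_data(rows):
    """Crude structural check: does any row still carry a direct identifier or a pseudonym?"""
    return any(f in row for row in rows for f in ("name", "email", "id"))

if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in practice: held in a separate key store
    pseud, lookup = pseudonymise(RECORDS, key)
    print("pseudonymised still personal data:", is_personal_data(pseud))
    print("unkeyed hash re-identifiable:", unkeyed_hash_is_reversible(RECORDS))
    anon = anonymise(RECORDS, k=2)
    print("anonymised rows kept:", len(anon), "personal data:", is_personal_data(anon))
```

Note the asymmetry: pseudonymisation keeps every row and is reversible by design, so the key store is part of what must be protected; anonymisation loses rows (here the single person in the 13/1970s cell) and is what actually takes the data outside the GDPR, provided the generalisation is checked against the re-identification risk rather than assumed.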
GDPR and the fundamental right to the protection of personal data in Europe
Today we talk a lot about the GDPR, this General Data Protection Regulation. What is it about? How can we describe it, or at least break it down quickly? I am going to present the GDPR in 10 points to explain what it is and what its objectives are.
First, what is important to note is that the General Data Protection Regulation aims to ensure the fundamental right to data protection. We have a GDPR because there is a fundamental right to the protection of personal data in Europe, and this right of European citizens must be guaranteed.
The GDPR, a European regulation.
Second point: this is a European regulation, meaning that it applies directly in all countries of the European Union. Unlike many other regulations, it nevertheless allows the member states to retain certain elements of their own legislation on specific points. It remains a European regulation, applicable throughout Europe.
Third point: the objective of this regulation is to ensure the same level of data protection across Europe. That is, if I am an employee and I move from one country to another, my rights as an employee regarding data protection remain the same. Similarly, if I am a consumer and I go to another European country, the level of protection of my rights should remain the same.
Fourth point: the GDPR consists of principles. When we collect data, it must be for a specific purpose; there is a principle of limited retention; and security measures must be implemented.
The GDPR consists of principles, but it also includes rights for the persons concerned: the right of access to their data, the right to request erasure, the right to data portability. As a corollary of the fundamental right to data protection, the GDPR thus also includes these rights, which each person must be able to exercise.
The roles and obligations of the various actors concerning personal data.
This regulation also establishes a number of roles. That is, the GDPR sets out the obligations of the data controller, the one who collects, processes, retains and destroys the data, as well as those of its processors (sous-traitants) and of the recipients of the data. The regulation always establishes the obligations of each actor.
The GDPR also strengthens the role of the supervisory authorities for personal data protection: the CNIL in France, but also all supervisory authorities in Europe. They must have effective means to guarantee the rights of the persons concerned, in order to ensure, once again, the same level of protection of personal data throughout Europe.
The transfer of personal data outside the EU
The GDPR also provides a framework for transfers of personal data outside the European Union. The GDPR provides an enhanced level of data protection in Europe, and when data is exported, an equivalent level of protection must be maintained.
Whether the data is transferred to the United States, South Africa or India, each time data is transferred the exporter must explain the measures it has implemented to ensure that level of protection.
The GDPR also entails strengthened sanctions, primarily financial penalties, which can reach up to 4% of a company's worldwide annual turnover (or 20 million euros, whichever is higher). These sanctions are significantly greater than those previously issued, and together with the strengthened role of supervisory authorities such as the CNIL in France, this enables them to issue dissuasive sanctions.
The GDPR is a global reference.
What is the GDPR today? It is also a key text worldwide; it has increasingly become a reference. It is a text used by all major corporate groups and one that serves as a reference when legislation is developed in other countries. For example, the GDPR was among the references that inspired the California data protection law. So it should not be forgotten that today the GDPR is an international reference.
Health data and implications?
Now I am going to talk about health data and its implications, for example in the field of research, for the processing of health data today.
Today, we are experiencing an explosion of health data.
Whether it is the data we collect through connected watches, through wellness and sports applications, or all the health-related data we can collect through mobile phones, and of course the data collected at the medical level, the uses and processing operations are growing exponentially.
Second point, therefore: there are genuine issues surrounding the processing of this data, knowing that it is often carried out on an international scale.
For example: I use an application developed in the United States or in Asia, or the processing of my data takes place within a clinical trial conducted by an American sponsor with sites in Europe and Asia and a European CRO (contract research organisation).
There are therefore extremely varied situations, often international in nature, which require implementing the appropriate tools for personal data protection.
The sensitive nature of health data
Notably, health data is sensitive data, which means that, within the meaning of the GDPR, it benefits from a specific regime.
In general, its processing is prohibited, unless it falls within one of the exceptions under which the processing of health data may be permitted, notably for public health purposes.
There are, however, a number of processing operations for which it is precisely necessary to be able to demonstrate that one complies with the rules on the protection of personal data.
It is truly essential to keep in mind the sensitive nature of this data. Each data controller, each organisation that implements such processing operations, must be able to demonstrate that it fully complies with the GDPR and the applicable national laws. In France, the Act on Informatique et Liberté has a specific framework for the processing of health data.
The CNIL’s reference methodologies for data protection.
Third point: there are specific rules concerning data protection for health data, and these rules are complementary to existing rules. For example, a number of provisions already govern clinical research and the conduct of clinical trials.
Superimposed on these are specific data protection rules. In the context of research, for example, the CNIL has adopted reference methodologies, of which there are six. These methodologies, each adapted to a particular type of research, set out the obligations that data controllers must respect.
So, beyond the obligation to declare to the CNIL that one complies with the rules of these methodologies, there are of course a number of other tools to implement: for example the impact assessments referred to in the GDPR, having a data protection officer, and precisely documenting the security measures applied to personal data.
Another area in which the CNIL has intervened is the establishment of health data warehouses. Today, establishing these warehouses and retaining large amounts of health data are real challenges in terms of personal data protection.
The CNIL has therefore established a reference framework (référentiel) for health data warehouses. It is an important framework for hospitals and clinics wishing to use this data: it frames the purposes (the reasons why the data is or is not processed), how the data is used, and how people will be informed.
In certain specific cases, when a project does not fall within the scope of the established CNIL methodologies, the organisation always has the possibility of submitting a specific request to the CNIL, explaining why and how it intends to conduct the project. It will then need to provide all the elements justifying its compliance.
These are key elements: each time, one must identify the situation in which an organisation, a local authority or a company is going to intervene, explain why and how, and document these different elements.
We are dealing with the interplay of several frameworks. In the context of clinical trials, for example, we have on the one hand the GDPR, and on the other hand the European regulation on clinical trials, which refers to the GDPR and to data protection law, with the need at all times to articulate them coherently.
For example, we have documentation from the European Commission that explains how to interpret certain concepts: the concept of consent is not interpreted in the same way in clinical trials as in personal data protection.
Health data and the principle of accountability
It is essential, once again, to keep in mind the principle of accountability, the fundamental principle that permeates all data protection law and the GDPR. At all times, depending on the type of project, it will be necessary to demonstrate, from the beginning to the end of the project, that the principles of the GDPR have been applied, implemented and correctly deployed. If a retention period of 15 years has been planned, we must be able to prove that at the end of those 15 years the data will be destroyed, deleted, anonymised, etc. So it is important, once again, to keep this principle of accountability in mind!
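Proving that a planned retention period is actually honoured needs two things: a purge that is driven by the retention schedule rather than by someone remembering, and a record of each deletion that can be shown to an auditor without itself retaining the personal data. The following is an added example, not code from the original page. The retention schedule (including the 15-year case mentioned above), the record layout and the dates are constructed assumptions; real periods come from the controller's own register of processing activities and legal obligations.

```python
"""Enforcing a defined retention period and keeping evidence of deletion.

Added example, not code from the original page. The retention schedule, records
and dates are constructed; real periods come from the controller's own register
of processing activities and legal obligations.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib

# Constructed retention schedule, in days, per purpose of processing.
RETENTION_DAYS = {
    "event_registration": 365,
    "clinical_study": 15 * 365,   # the "15 years" case from the text
}

@dataclass
class Record:
    record_id: str
    purpose: str
    collected_on: date
    payload: dict

@dataclass
class DeletionLog:
    """Evidence that the retention rule was applied. Only a hash of the record id
    is kept, so the log itself does not preserve the personal data it documents."""
    entries: list = field(default_factory=list)

    def add(self, record, deleted_on):
        self.entries.append({
            "record_ref": hashlib.sha256(record.record_id.encode()).hexdigest()[:16],
            "purpose": record.purpose,
            "expired_on": expiry(record).isoformat(),
            "deleted_on": deleted_on.isoformat(),
        })

def expiry(record):
    """Date from which the record may no longer be kept under its purpose."""
    return record.collected_on + timedelta(days=RETENTION_DAYS[record.purpose])

def purge_expired(records, today, log):
    """Return the records still within their retention period; log every deletion.
    A purpose with no defined period is an error, not data kept indefinitely."""
    kept = []
    for r in records:
        if r.purpose not in RETENTION_DAYS:
            raise ValueError(f"no retention period defined for purpose {r.purpose!r}")
        if expiry(r) <= today:
            log.add(r, today)
        else:
            kept.append(r)
    return kept

if __name__ == "__main__":
    log = DeletionLog()
    records = [
        Record("evt-001", "event_registration", date(2023, 1, 15), {"name": "Dupont"}),
        Record("evt-002", "event_registration", date(2024, 3, 1), {"name": "Durand"}),
        Record("cs-001", "clinical_study", date(2008, 1, 1), {"subject": "S-42"}),
    ]
    remaining = purge_expired(records, date(2024, 6, 1), log)
    print([r.record_id for r in remaining])
    print(log.entries)
```

The check a practitioner wants is the failure mode: a record whose purpose has no retention period is refused rather than silently kept, because "kept forever by default" is exactly the situation the retention principle rules out. The log entries carry the expiry date next to the deletion date, which is the evidence the accountability principle asks for.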


