General Data Protection Regulation (GDPR): everything you need to know

Do you run a company? Are you a website owner or a personal data processing specialist? Then you need to understand what the General Data Protection Regulation (GDPR) means for your activities. It has applied throughout the European Union since May 25, 2018.

What is the GDPR?

The GDPR provides a framework for the processing of personal data within the European Union (EU). In France it follows on from the Data Protection Act (loi Informatique et Libertés) of January 6, 1978. It gives citizens greater control over how their personal data is used.

The GDPR was set up to:

  • Harmonize the rules across Europe;
  • Provide a single legal framework for professionals. Thanks to the regulation, they can develop their digital activities while building a relationship of trust with users.

What are the objectives of the GDPR?

The General Data Protection Regulation has three main objectives:

  • Strengthening individuals' rights. The GDPR creates a right to the portability of personal data and includes specific provisions for minors.
  • Making the parties involved in data processing accountable. This applies to data controllers and to subcontractors (processors, in the regulation's terminology) alike.
  • Making regulation credible. How? By stepping up cooperation between data protection authorities: in particular, they can adopt joint decisions and impose tougher penalties for cross-border processing.

Who must apply the GDPR?

Any organization, regardless of its size, location or activity, can fall within the scope of the GDPR. The regulation applies to all organizations, public and private, that process personal data, whether on their own behalf or on behalf of others, if:

  • They are established in one of the member states of the European Union; or
  • Their business directly targets European residents.

For example, a company based in Italy that exports its products to Tunisia must comply with the GDPR, because it is established in the European Union. Similarly, a company based in Japan that runs a French-language e-commerce store delivering products to France must comply with the regulation, because it targets European residents.

The General Data Protection Regulation also applies to subcontractors: hosting providers, software integrators, communications agencies and so on. These process personal data on behalf of another entity (a company, local authority or association).

Good to know: Who must appoint a DPO?

Data controllers and subcontractors alike are required to appoint a Data Protection Officer (DPO) if:

  • They are a public authority or body;
  • Their core activity requires regular, systematic and large-scale monitoring of individuals;
  • Their core activity consists of large-scale processing of sensitive data, or of data relating to criminal convictions and offenses.

In particular, the DPO advises the organization on carrying out a data protection impact assessment (DPIA, also called a privacy impact assessment or PIA). One is required when a processing operation is likely to pose a high risk to the rights and freedoms of individuals. The aim is to assess the origin, nature, particularity and seriousness of that risk.

Who enforces the GDPR in France?

In France, the Commission Nationale de l'Informatique et des Libertés (CNIL) oversees the protection of personal data. Created in 1978, this independent administrative authority acts on behalf of the State without being placed under the authority of the government or of a ministry.

The CNIL is made up of a college of 18 elected or appointed members and a team of 25 government contract staff. It is organized around five departments:

  1. Legal support department (DAC).
  2. Directorate for the Protection of Rights and Sanctions (DPDS).
  3. Technology and Innovation Department (DTI).
  4. Public Relations Department (DRP).
  5. Administrative and Financial Department (DAF).

The 18 members of the CNIL are:

  • Four members of parliament: two deputies and two senators;
  • Two members of the Economic, Social and Environmental Council (CESE), the Republic's third constitutional assembly;
  • Six representatives of the highest courts: two conseillers d'État, two conseillers à la Cour de cassation and two conseillers à la Cour des comptes;
  • Five qualified public figures: one appointed by the President of the National Assembly, one by the President of the Senate and three by the Council of Ministers;
  • The Chairman of the Commission d'accès aux documents administratifs (CADA).

Good to know: What are the CNIL's four missions?

  1. Informing and protecting rights. As part of its general information mission, the CNIL responds to requests from individuals and organizations alike. It ensures that citizens can actually access the data held about them in processing operations. Anyone who has difficulty exercising their rights can lodge a complaint with the CNIL.
  2. Supporting compliance and advising. To help organizations comply with the regulation, the CNIL offers a comprehensive toolbox.
  3. Anticipating and innovating. Through its Digital Innovation Laboratory (LINC), the CNIL contributes to the debate on the ethical challenges of digital technology and takes part in developing technological solutions that protect privacy.
  4. Controlling and sanctioning. The CNIL checks that the regulation is actually applied in the field; in 2022 it carried out 345 inspections. Where necessary, it can issue formal notices or impose penalties on organizations.

What are the 5 main principles of personal data protection?

  1. Purpose. The person responsible for a file may record and use information about individuals only for a specific, lawful and legitimate purpose.
  2. Proportionality and relevance. The data collected must be relevant and strictly necessary for the purpose of the file.
  3. Limited retention period. Data about individuals may not be kept in a file indefinitely. A precise retention period must be set according to the type of information recorded and the purpose of the file.
  4. Security and confidentiality. The person responsible for the file must ensure the security of the information held and make sure that only authorized persons can access it.
  5. Individual rights. These allow citizens to keep control over their data. The data controller must explain how to exercise them, and anyone who does so must receive a response within one month at most.

Good to know: What rights do people have over their personal data?

  • The right of access to the data concerning them;
  • The rights of rectification and objection;
  • The right to portability;
  • The right to be forgotten (erasure);
  • The right to be notified;
  • The right to compensation for material or non-material damage;
  • The right to bring a group action.

Personal data protection: 6 best practices

Here are our tips for bringing your company into compliance with the GDPR.

  1. Collect only the data you need to achieve your goal

Data must be collected for a well-defined and legitimate purpose. You may not then process it for another, incompatible purpose. For example, a file of candidates built up for recruitment purposes may not be used to send out promotional offers.

To comply with the GDPR, rely on the principle of data minimization: collect no more information than is necessary to achieve the objective.

  2. Be transparent

Citizens must be able to keep control over the data that concerns them. This means informing them, before collection, about how their data will be used. That information must be both:

  • Consistent with the way and the medium in which the data is collected;
  • Accessible and understandable.

Collecting information about people without their knowledge is prohibited.

  3. Make it easy for people to exercise their rights

You are obliged to put in place the means by which your prospects and customers can exercise their rights. They must be able to do so by sending a simple e-mail to a dedicated address, and you must respond to their requests as quickly as possible, and in any case within the one-month deadline.

  4. Set precise retention periods for data

Keeping your targets' personal data indefinitely is prohibited. Data should be kept only for as long as is necessary to achieve the stated objective. After that, it should be deleted, anonymized and/or archived, in compliance with the regulatory obligations applicable to the retention of public archives.

  5. Guarantee the security of personal data

Physical and IT security, secure premises, cabinets and workstations, rigorous management of authorizations and access rights: every measure aimed at securing data must be taken. These measures must be adapted to the sensitivity of the information and to the risk to individuals should a security incident occur.

  6. Take a continuous approach to compliance

At regular intervals, check whether:

  • There have been any major changes in your processing operations;
  • The procedures and security measures in place are being followed;
  • Adjustments are needed.

E-mailing: how do you obtain recipients' consent?

In an e-mailing campaign, the consent of the recipient of an advertising message is obtained through opt-in. Note that if the recipient does not say "yes", this must be treated as a "no": silence, inactivity or a pre-ticked box is not consent. The prospect's or customer's consent is obtained through a statement such as: "[ ] I accept that my e-mail address be used to receive offers from company X by e-mail."

When sending e-mails, think double opt-in. Unlike classic opt-in, this method is based on two steps:

  • The recipient of the advertisement gives their agreement, for example by ticking the box;
  • They confirm their wish to receive advertising messages by clicking a link sent to them by e-mail.
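As an added illustration that is not part of the original article or of Dataventure's own systems, here is the two-step flow above as a minimal Python implementation. Everything in it is an assumption: the confirmation URL on example.invalid, the 48-hour token lifetime, the in-memory store and the send_mail callback standing in for the mail system. Beyond the two steps themselves, it keeps the confirmation token single-use and time-limited, stores only a hash of it, records what a controller needs in order to demonstrate consent (the wording shown and the timestamps), and makes withdrawal as easy as opting in.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the exact wording shown to the prospect is stored with the consent,
# so the controller can later demonstrate what was agreed to.
CONSENT_TEXT = ("I accept that my e-mail address be used to receive offers "
                "from company X by e-mail.")
TOKEN_TTL = timedelta(hours=48)      # assumption: unconfirmed requests expire after 48 h
HOUR = timedelta(hours=1)
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time for the demo


@dataclass
class Pending:
    email: str
    requested_at: datetime
    expires_at: datetime
    consent_text: str


@dataclass
class Consent:
    email: str
    consent_text: str
    requested_at: datetime
    confirmed_at: datetime


def _token_hash(token: str) -> str:
    # Only a hash of the token is persisted: a leaked store cannot be used to confirm.
    return hashlib.sha256(token.encode()).hexdigest()


class DoubleOptIn:
    def __init__(self, send_mail):
        self._send_mail = send_mail          # callable(email, confirmation_link)
        self._pending = {}                   # sha256(token) -> Pending
        self._confirmed = {}                 # email -> Consent (proof of consent)

    def request(self, email: str, box_ticked: bool, now: datetime) -> bool:
        """Step 1: the prospect ticks the box. No 'yes' is a 'no': nothing is stored or sent."""
        if not box_ticked:
            return False
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)    # 256 random bits: unguessable
        self._pending[_token_hash(token)] = Pending(email, now, now + TOKEN_TTL, CONSENT_TEXT)
        # Assumption: the confirmation endpoint lives at this hypothetical URL.
        self._send_mail(email, f"https://example.invalid/confirm?token={token}")
        return True

    def confirm(self, token: str, now: datetime) -> bool:
        """Step 2: the prospect clicks the link. The token is single-use and time-limited."""
        pending = self._pending.pop(_token_hash(token), None)   # pop = single use
        if pending is None or now > pending.expires_at:
            return False
        self._confirmed[pending.email] = Consent(
            pending.email, pending.consent_text, pending.requested_at, now)
        return True

    def withdraw(self, email: str) -> bool:
        """Withdrawing consent must be as easy as giving it."""
        return self._confirmed.pop(email.strip().lower(), None) is not None

    def purge_expired(self, now: datetime) -> int:
        """Retention: unconfirmed addresses are not kept beyond the token lifetime."""
        stale = [h for h, p in self._pending.items() if now > p.expires_at]
        for h in stale:
            del self._pending[h]
        return len(stale)

    def mailing_list(self) -> list:
        """Only confirmed addresses may ever be mailed."""
        return sorted(self._confirmed)

    def proof_of_consent(self, email: str):
        return self._confirmed.get(email.strip().lower())


if __name__ == "__main__":
    outbox = []
    flow = DoubleOptIn(lambda email, link: outbox.append((email, link)))
    flow.request("Alice@Example.com", box_ticked=True, now=T0)
    print("pending, not yet on the list:", flow.mailing_list())
    token = outbox[0][1].split("token=")[1]
    print("confirmed:", flow.confirm(token, T0 + HOUR), flow.mailing_list())
    print("replay rejected:", flow.confirm(token, T0 + HOUR))
```

Only the second step adds an address to the mailing list, which is the point of double opt-in: an address typed by someone else, or mistyped, never receives a campaign. The proof_of_consent record is what you would show a data protection authority if asked to demonstrate that consent was obtained.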

With Dataventure, collect opt-in profiles using a range of levers:

  • Cliclead. This type of campaign meets visibility, traffic and lead acquisition objectives. Collection is 100% dedicated to CPL content, with no address sharing. The clic-lead solution offers a high collection volume that can be set in advance.
  • Premium co-registration. This solution lets you collect high-value leads. The campaign sits on a page dedicated to your brand, accompanied by a visual highlighting your offer, and you are free to set the qualification questions.
  • Co-registration. Ideal for collecting affinity profiles at controlled cost.
  • Co-sponsoring. This high-volume, cost-effective collection solution offers the lowest cost per profile on the market. Every month, you benefit from the potential of hundreds of thousands of opt-in profiles collected.

Dataventure monetizes its group's collection media. Every month, more than 3 million e-mail addresses are collected for major advertisers, making Dataventure one of France's leading collectors of opt-in profiles.

What are the advantages of double opt-in?

Choosing double opt-in brings companies many benefits:

  • Confirmation that the e-mail address is valid and belongs to the person who gave consent;
  • A better-quality mailing list;
  • Compliance with data protection regulations;
  • Fewer complaints;
  • A better brand image.

Data erasure orders, warnings, formal notices, suspension of data flows... If you fail to comply with the provisions of the GDPR, you risk heavy administrative penalties. Depending on the category of infringement, fines can reach €10 million or, for a company, 2% of worldwide annual turnover, or €20 million or 4% of worldwide annual turnover, whichever amount is higher.

Would you like to set up secure, tailor-made customer acquisition operations? Let Dataventure support you. Our experts offer you the best GDPR-friendly solutions for your traffic and customer acquisition needs.

Start a project

If you want to get a free consultation without any obligations, fill in the form below and we'll get in touch with you.