General obligation of security and confidentiality

The data controller must implement security measures for premises and information systems to prevent files from being distorted, damaged or accessed by unauthorized third parties.

The controller must take all necessary measures to protect personal data from the design stage of the product or service onward.

Thus, the controller is required to limit the amount of data processed from the start (the so-called “minimization” principle) and must demonstrate this compliance at all times.

Access to data is reserved for designated persons, or for third parties who hold a special, one-off authorization (the tax service, for example).

The data controller must set a reasonable period of retention of personal information.

The reporting obligations are all removed, with exceptions provided for by national law (certain processing operations in the health or public security sector implemented on behalf of the State).

Information obligation

The company that holds personal data must inform the data subject of:

The identity of the person responsible for the file

The purpose of data processing

The mandatory or optional nature of the responses

The rights of access, rectification, interrogation and opposition

Data transmissions

The operator of personal data (an online merchant for example) must comply with certain obligations, and in particular:

Obtain customer agreement

Inform customers of their right to access, modify and delete the information collected

Ensure the security of information systems

Ensure data confidentiality

Indicate a data retention period