General obligation of security and confidentiality
The data controller must implement security measures for premises and information systems to prevent files from being distorted, damaged or accessed by unauthorized third parties.
The controller must take all the necessary measures to ensure the protection of personal data from the design stage of the product or service.
Thus, the controller is required to limit the amount of data processed from the start (the so-called “minimization” principle) and must demonstrate this compliance at all times.
Access to data is reserved only for designated persons or third parties who hold a special and one-off authorization (tax service for example).
The data controller must set a reasonable period of retention of personal information.
All reporting obligations are removed, subject to exceptions provided for by national law (certain processing operations in the health or public security sector implemented on behalf of the State).
The company that holds personal data must inform the data subject of:
The identity of the person responsible for the file
The purpose of data processing
The mandatory or optional nature of the responses
The rights of access, rectification, interrogation and opposition
Data transmissions
The operator of personal data (an online merchant for example) must comply with certain obligations, and in particular:
Obtain customer agreement
Inform customers of their right to access, modify and delete the information collected
Ensure the security of information systems
Ensure data confidentiality
Indicate a data retention period