General obligation of security and confidentiality


The data controller must implement security measures for premises and information systems to prevent files from being distorted, damaged or accessed by unauthorized third parties.


The data controller must take all necessary measures to ensure that personal data is protected from the design stage of the product or service.


Thus, the data controller is required to limit the amount of data processed from the start (the so-called “minimization” principle) and must demonstrate this compliance at all times.


Access to data is reserved for designated persons or for third parties who hold a special and one-off authorization (the tax service, for example).


The data controller must set a reasonable retention period for personal information.


All reporting obligations are removed, with exceptions provided for by national law (certain processing operations in the health or public security sector implemented on behalf of the State).


Information obligation


The company that holds personal data must inform the data subject of:


The identity of the person responsible for the file


The purpose of data processing


The mandatory or optional nature of the responses


The rights of access, rectification, interrogation and opposition


Data transmissions


The operator of personal data (an online merchant for example) must comply with certain obligations, and in particular:


Obtain customer agreement


Inform customers of their right to access, modify and delete the information collected


Ensure the security of information systems


Ensure data confidentiality


Indicate a data retention period