The processing of personal data is subject to a French and European legal framework for data protection: the General Data Protection Regulation (GDPR, known in French as the RGPD) and the French Data Protection Act. The aim of this regulation is to strengthen the rights of individuals and to make those who process data more accountable.

It is everyone’s personal responsibility to take the necessary steps to comply with this regulation before collecting personal data and processing it, in conjunction with the Data Protection Officer (DPO), and to obtain the appropriate authorisations where necessary.

What data are concerned?

All personal data as soon as it is processed.

  • Personal data: Information that makes it possible to identify a person directly (surname, first name, e-mail address, etc.) or indirectly (telephone number, IP address, etc.).
  • Processing of personal data: An operation performed on personal data. This ranges from the simple collection of data to its transformation or dissemination.

What are the principles relating to data processing?

The data contained in a processing operation must only be collected and processed for a specific, legitimate, and previously defined purpose. Only data that is relevant and necessary for the purposes of the processing operation should be collected. Once this purpose has been fulfilled, the data must be deleted and may not be kept indefinitely on file.

The persons whose data are used in a processing operation have the right to access, rectify and object to the data concerning them. Therefore, information on data processing must be easily accessible and consent must be obtained when necessary.

Finally, and in order to respect the rights of the data subjects, all necessary measures must be taken to ensure the security and confidentiality of the data.

What does this mean in practice?

Here are some everyday examples:

  • Making a photo gallery

Every person has an exclusive and absolute right to his or her image and can object to its use.

Consequently, anyone wishing to include a photograph of an individual in a photo gallery (whether for internal or external distribution) must have that person's permission. This authorisation must be expressed in a clear and transparent manner, preferably in writing, and must specify the rights of access and rectification that the person concerned has over his or her photograph.

  • Making a video or taking photographs

As soon as it relates to an identified or identifiable person, the image becomes personal data. In order to take a video or photograph of a person (or a group of persons), it is therefore necessary to obtain the consent of each person photographed or filmed by informing them of their rights over this personal data. However, when the video or photograph was taken in full view of the person concerned without their having objected when they were in a position to do so, consent is presumed.

Particular attention should be paid here to the security measures taken, especially for the dissemination of images on the Internet.

  • Creating an Excel file with personal data

A file is a structured set of personal data such as a file of candidates for a competition or an Excel workbook used for the management of staff or students.

The data contained in the file may only be used for a specific and legitimate purpose in relation to the activity carried out by the person creating it. The person creating the file may only record information that is relevant and necessary to carry out his or her tasks. Failure to comply with these fundamental principles is subject to criminal sanctions.

When the files are no longer useful for the activity for which they were created, they must be permanently deleted.

  • Transferring/communicating personal data to third parties

A distinction must be drawn between communicating data to authorised third parties and communicating it to any other third party.

In the first case, the law allows personal data to be transferred to public authorities in the context of their tasks and under certain conditions, without the data subject having a right to object. This may be the case, for example, with the tax authorities or social security bodies. In this context, it is up to the person transferring the data to ensure that the applicant is in fact authorised. The request must specify the legislative text on which this right of communication is based and the categories of information requested.

In the second case, the consent of the data subjects must be obtained prior to the transfer of their data. The consent form should specify the purpose of the collection, whether providing the data is optional or not, the recipients of the data, and the procedures for exercising the rights of access, rectification and objection. In addition to obtaining the consent of the persons concerned, the data controller must make sure the data is secure during transfer. An agreement must consequently be drawn up with the third party to govern the transfer of the data and its subsequent processing.

What are the risks if these fundamental principles are not respected?

In the event of non-compliance with the regulations in force, in addition to the risks in terms of the institution’s image, sanctions may be imposed by the Commission Nationale de l’Informatique et des Libertés (CNIL) as well as by the criminal courts. In the event of a breach of the regulation, the CNIL can impose fines of up to 20 million euros.

For any further information, you can contact the data protection officer, Mathilde Leroy, at the following address: