Decryption
The main steps towards GDPR compliance

The revolutionary GDPR principles

Revolutionary principles of GDPR processing

Excerpt from Bruno DUMAY's book: GDPR DECRYPTION – For Managers, Strategic Departments and employees of companies and organizations – Preface by Gaëlle MONTEILLER

Article 5 is, in both letter and spirit, revolutionary, if we take an honest look at the practices in force before 2018.

"Personal data must be processed lawfully, fairly and in a transparent manner with regard to the data subject" (para. 1a). While it may be agreed that the process was lawful, it must be acknowledged that the criteria of transparency and fairness were hardly taken into account. No person whose data was being captured was informed of the methods and purposes of this capture. If we must now comply with this new provision, and we must, the changes that need to be made, in terms of both perspective and practice, are considerable.

Paragraph 1b of the same Article 5 is enough to stun us, sorry, enlighten us, even more: "Personal data must be collected for specified, explicit, and legitimate purposes, and not be further processed in a manner incompatible with those purposes." In other words, a marketing director remains responsible for the data he has collected, even if its use changes over time. And this change must not be incompatible with the reasons given at the origin of the collection. The notion of "specified, explicit purposes" could in itself, if understood in the strict sense by a magistrate, reduce the personal data collected to a single use.

Paragraph 1c isn't bad either: "Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (data minimization)." No more catch-all strategies and sweeping searches to recover as much information as possible. Each operation must be calibrated according to a specific objective and that objective alone. The philosophy of the text appears again here: it is about limiting the dissemination of personal data as much as possible so that no individual can claim to have been stripped of information about them without their consent.

The retention period is also covered (by paragraph 1e of Article 5): it must not exceed "that necessary in relation to the purposes for which they are processed". This implies, let's be clear, destruction of the data after use; this is, let's admit, not our habit.

The lawfulness of processing now has a basis, set out in Article 6, which lists six conditions, at least one of which must be met. The last four being devoted to non-commercial matters, only the first two concern us. Either "the data subject has consented to the processing of personal data for one or more specific purposes", or "the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract". It is therefore clear: to use personal information, consent or a contract is essential. For a minor under 16, an age that Member States may lower to 13 (France has just opted for a digital age of majority of 15), consent must be given by the holder of parental responsibility (Art. 8-1). When addressing children, the wording must be chosen according to age, so that understanding is facilitated (Art. 12-1).

In the event of a dispute, the burden of proof of consent lies with the controller, not with the person who considers themselves to have been harmed (Art. 7). And everything is provided for in the dense lines of the GDPR to give the supervisory authority the means to decide whether consent has indeed been given and for what.

There is no longer any room for the ambiguity that everyone has been playing on for twenty years: "If the consent of the data subject is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language" (Art. 7-2). This consent can be withdrawn at any time. And it is forbidden to make exercising this possibility any harder: "It shall be as easy to withdraw as to give consent" (Art. 7-3).

This is not new, at least in France, but clearly reaffirmed in Article 9: processing that would reveal the racial or ethnic origins, political opinions, religious beliefs, health or sexual orientation of the persons concerned is prohibited (Art. 9-1), except in ten specific cases related to labor law or the public interest. One of these exceptions is interesting, and surprising because it departs from the protective nature of the text: when the data is "manifestly made public by the person concerned" (Art. 9-2e). In this case, so-called sensitive information can be revealed; which, given the prevailing exhibitionism, can affect many people.
