1. Data governance
Designate a Data Protection Officer
Record all data processing activities carried out by your company
Ensure you respect all data subjects' rights
Ensure the security and confidentiality of personal data
Institute processes, policies and organisational measures
To keep pace with technological change and the growing use of personal data, the GDPR:
Personal data: any information relating to a natural person who is identified or identifiable, directly or indirectly, by reference to an identification number or to one or more factors specific to that person.
WARNING: Legal entities are not covered by the definition of personal data, which applies only to natural persons.
Consequently, data relating to corporate partners as such (company name, registered office, RCS number, etc.) is not personal data. Note, however, that the names and business contact details of the individuals who work for those partners are still personal data.
Data processing: any operation performed on personal data, whether or not by automated means.
Examples: recording, consultation, remote access, organisation, adaptation or alteration, dissemination, destruction, erasure, structuring, collection, archiving, transfer, etc.
Controller: the natural or legal person which determines the purposes of the processing (the reason for which the processing is carried out) and the means of the processing (the measures implemented to achieve that purpose).
Examples of purposes: human resources management, recruitment, access control to the premises, management of a customer database, commercial prospecting.
Examples of means: computer hardware, IT equipment, software, associated services, financial resources, etc.
Processor: the natural or legal person which processes personal data on behalf of the controller.
Existing rights confirmed by the GDPR:
Rights created by the GDPR:
The GDPR gives national supervisory authorities the power to impose administrative fines for breaches of the data protection rules, under a graduated system in which the amount depends on the severity of the infringement.
Administrative fines can reach 10 million euros or 20 million euros, depending on the category of infringement.
For an undertaking, the ceiling is instead 2% or 4% of its total worldwide annual turnover for the preceding financial year, whichever of the two amounts is higher.
Other sanctions can include: lawsuits for compensation, an order to bring processing into compliance, a warning or reprimand, publication of the sanction, and the reputational damage that follows.
In this context, production companies need to have data protection tools and processes in place to comply with the regulatory provisions, which apply from 25 May 2018.
According to the GDPR, you are required to designate a Data Protection Officer (DPO) if:
Even if designating a DPO is not compulsory for your organisation and its personal data processing, it is prudent to appoint a data manager in charge of personal data governance (informing staff, advising management and running internal control procedures).
You are responsible for keeping a record of all processing activities carried out by your company.
The objective is (1) to anticipate potential risks and (2) to ensure transparency about your data processing in the event of a compliance inspection.
The GDPR does not prescribe a specific format for this register, so you are free to create your own.
As a first step, we recommend creating a detailed Excel table. For each processing activity, record at least its purpose, the categories of data subjects and of personal data concerned, the recipients, any transfers outside the EU, the planned retention period and the security measures applied.
Be aware that if you are a processor, you must also keep a register listing each controller on whose behalf you act, the categories of processing carried out for each controller, your own details (name, contact details, representative, DPO, etc.), any transfers of data to a third country or international organisation, and a description of the technical and organisational security measures in place.
Data subjects (employees, customers, etc.) have specific rights (information, objection, access, rectification, erasure, portability, etc.).
The right to erasure allows the data subject to require the controller to erase their personal data without undue delay when:
The right to data portability is the right to receive the personal data the subject has provided to the controller, in a structured, commonly used and machine-readable format, and to transmit it to another controller when:
Following these steps will help ensure that you respect individuals' rights in your processing of personal data.
To do so, you need a channel through which the individuals concerned can submit their requests.
Your company should establish a data protection policy and internal procedures to ensure that data subjects' requests are handled and tracked.
To ensure this, it is recommended to:
Assign a person in charge of handling requests, responding within the one-month deadline (extendable by two further months for complex or numerous requests, provided the data subject is told why), and communicating any delay or change in the process.
As controller, you are liable for the security of personal data. Consequently, you must implement appropriate tools, or work with qualified providers, to ensure the security of the personal data you collect.
In the event of a personal data breach, you must notify the supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the breach is likely to result in a high risk to individuals, you must also inform the data subjects themselves without undue delay.
Be aware that you can be both a controller and a processor. This is the case, for example, when you decide which categories of data are collected, for what purpose and for how long (acting as controller), while also having access to a client's database in order to manage it on the client's behalf (acting as processor).
Controllers and processors should agree and set out in their contracts the following principal points:
The processor must provide the controller with all information necessary to demonstrate compliance, including in the event of an audit.
The respective responsibilities of the controller and the processor must be set out in writing; an electronic form is considered valid. Existing contracts should be amended accordingly.
Because of the accountability principle imposed by the GDPR, you must be able to demonstrate that you have put in place the processes, policies and organisational measures needed to comply with it.