
General regulation on data protection (RGPD) since May 25, 2018


As you know, when placing an order you need to provide us with the minimum information that enables us to deliver to you. The personal data you provide for the processing of your orders is stored in a data centre in France, secured by the host of our e-commerce site. Your data will not be transferred, shared or sold to third parties.

You have access to your information 24 hours a day and can change it. If you want to delete your account, simply make the request to the customer service department by clicking: CONTACT


What is the RGPD?
The general regulation on data protection (RGPD) is a new European Union regulation on the protection of personal data. It calls for more specific protection measures in organizations' systems, more nuanced data protection agreements, an approach that is more protective of the consumer, and more detailed disclosures about the organization's practices in the field of personal data protection.

The RGPD replaces the EU's existing regulatory framework for data protection, which was established in 1995 (commonly known as the "directive on data protection"). The directive on data protection required EU member States to integrate it into their internal law, which led to a fragmentation of the legal landscape of data protection in the EU. The RGPD, for its part, is an EU regulation with direct effect in all member States; that is to say, it does not need to be transposed into the domestic law of the EU member States to produce binding effects. This will strengthen the coherence and harmonious implementation of the regulation in the EU.

The processing of personal data is a broader concept within the framework of the RGPD
The RGPD regulates the way organisations process the personal data of persons who are nationals of member States of the EU. "Personal data" and "processing" are terms frequently used in the legislation, and understanding what they mean in the context of the RGPD is essential to understanding the scope of this regulation:

Personal data is any information concerning an identified or identifiable individual. It is an extensive concept in that it includes all information that, used on its own or combined with other data elements, can identify a person. Personal data is not limited to the name or email address of a person. It also includes other information such as financial information and even, in some cases, IP addresses. In addition, certain categories of personal data are subject to a higher degree of protection due to their sensitive nature. These categories cover information on a person's racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data or biometric data related to the person's state of health, information on the person's sexual life or sexual orientation, and information regarding the person's criminal record.

The processing of personal data is the key activity from which the obligations under the RGPD arise. Processing means any operation or set of operations performed upon personal data or sets of personal data, by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction. In practical terms, this means that any process for the retention or consultation of personal data is considered processing.

Key concepts: entities responsible for the processing and subcontractors
Under the EU regulation, two types of entities may process personal data: entities responsible for the processing and subcontractors.

The entity responsible for the processing ("responsible") is the entity which, alone or jointly with others, determines the purposes and means of the processing. The subcontractor ("subcontractor") is the entity which processes personal data on behalf of the entity responsible for the processing.

It is important to determine, activity by activity, whether the entity that processes personal data is responsible for the processing or is a subcontractor. This determination allows an organization to understand its rights and obligations in respect of each of its data processing operations.

We perform some data processing operations for which we are responsible, and others for which we act as a subcontractor. A good illustration of this dual role is the processing of payment card transactions through our financial partners (banks, payment platforms). The execution of such transactions requires the processing of personal data, such as the name of the card holder, the card number, the expiration date of the card and the CVC code. The data relating to the card holder is transmitted by us to the financial partners through the secure services they make available. The financial services provider then uses the data to complete the transaction within the credit card networks, which is a function that Stripe performs as a subcontractor. However, Stripe also uses the data to ensure compliance with its regulatory obligations, such as Know-Your-Customer ("KYC") procedures and the prevention of money laundering (Anti-Money-Laundering, "AML"), and in this role Stripe is responsible for the processing.

Legal basis for the processing of personal data in the RGPD
It is then necessary to determine whether a particular data processing activity is in accordance with the RGPD. Under the RGPD, each data processing operation, whether performed by the entity responsible for the processing or by a subcontractor, must rest on a legal basis. The RGPD recognizes six legal bases for processing the personal data of nationals of member States of the EU (the RGPD refers to these persons as the "person concerned"). These six bases, listed in paragraphs a to f of article 6(1) of the RGPD, are:

1. The person concerned has AGREED to the processing of their personal data for one or more specific purposes;
2. The processing is NECESSARY TO THE PERFORMANCE OF A CONTRACT to which the person concerned is party, or to the performance of pre-contractual measures taken at that person's request;
3. The processing is necessary for the COMPLIANCE WITH A LEGAL OBLIGATION to which the controller is subject;
4. The processing is necessary to THE SAFEGUARDING OF VITAL INTERESTS of the individual concerned or of another person;
5. The processing is necessary for the execution of a mission in the PUBLIC INTEREST or under the EXERCISE OF PUBLIC AUTHORITY vested in the controller; or
6. The processing is necessary for the purposes of LEGITIMATE INTERESTS pursued by the controller or by a third party, unless these are overridden by the interests or fundamental rights and freedoms of the person concerned which require protection of personal data.

There are similarities between the list of processing operations allowed under the RGPD and that of the directive on data protection. There are also significant differences.

Compared to the regime applicable under the directive on data protection, the changes made by the RGPD that generate the most discussion relate to the tightening of the requirements for consent (the first element of the list above). The conditions of consent in the directive include elements such as (i) the consent must be verifiable, (ii) the request for consent must be clearly separate from other matters, (iii) the person concerned must be informed of their right to withdraw their consent to the processing. In addition, a more onerous form of consent ("explicit consent") must be collected when sensitive data is processed.

Another important element to stress is the legitimate interest (item 6 of the list above). An organization that bases the processing of personal data on a "legitimate interest" must be aware that it has to carry out a balancing of interests in relation to the aim pursued. In order to satisfy the principle of liability laid down by the RGPD, the organization must document its compliance with this balancing of interests, specifying the method it followed and the arguments on which it relied to conclude that the balancing test is satisfied.

Rights of individuals under the RGPD

Under the directive on data protection, EU nationals were entitled to certain basic rights in relation to their personal data. These rights continue to apply under the RGPD, which introduces elements of clarification. The table below compares the rights of nationals under the directive on data protection and under the RGPD.

| RIGHT OF THE PERSON CONCERNED | DIRECTIVE ON DATA PROTECTION | RGPD |
| --- | --- | --- |
| REQUEST FOR ACCESS TO DATA | The individual has the right to know whether personal data concerning them is processed, what that data is and how it is processed. | The scope of this right has been extended by the RGPD. For example, when making an access request, the individual should receive further information, including information on their data protection rights under the RGPD that did not previously exist, such as the right to data portability. |
| RIGHT OF OPPOSITION | An individual can prohibit a number of data processing operations when they have persuasive reasons. Individuals can also oppose the processing of their data for purposes of direct marketing. | The RGPD has extended the scope of this right in comparison to the directive on data protection. |
| RIGHT OF RECTIFICATION OR ERASURE | Individuals may request that incomplete data be supplemented or that incorrect data be corrected, in order to ensure that the processing of personal data is in accordance with the applicable data protection principles. | The position of the RGPD is materially the same, but the RGPD added additional procedural protections. |
| RIGHT TO RESTRICTION OF PROCESSING | No right to the restriction of processing. However, the directive on data protection gives individuals the right to request the blocking of their personal data where the processing operations are not in compliance with the data protection principles, for example when the data is incomplete or inaccurate. | The RGPD gives individuals the right to request the restriction of the processing of their personal data in certain circumstances, including when the individual disputes the accuracy of the data. |
| RIGHT TO ERASURE (RIGHT TO BE FORGOTTEN) | Individuals have the right to request the erasure of their personal data if the processing operations are not compliant with the data protection principles. This right is therefore very restrictive. | The RGPD has considerably reinforced this right. For example, the right to be forgotten can be exercised when personal data is no longer needed for the purpose for which it was collected, or when the individual withdraws their consent to the processing and no other legal basis supports the continuation of the processing. |
| RIGHT TO DATA PORTABILITY | The directive on data protection does not explicitly mention "data portability" as a right of the person concerned. EU member States may have integrated additional rights similar to the right to portability in their domestic law. | Individuals may request that personal data held by a data controller be given to them or forwarded to another entity responsible for the processing. |