Everything you need to know about the RGPD for VSEs, SMEs and Associations

What is the RGPD?

The General Data Protection Regulation in a few words!

What is the RGPD?

The European Regulation on the Protection of Personal Data (RGPD) is a regulation that aims to protect the privacy of consumers and European citizens.

Does the RGPD concern all of Europe?

The text of the GDPR is applicable in all European countries since May 25, 2018. 

Is it mandatory?

Of course. It is mandatory for all organizations, small or large, in the public or private sector, including associations and the self-employed.

How does the GDPR protect privacy?

The GDPR provides individuals with rights to ask questions about the use of their personal data and imposes numerous obligations on organizations, including an obligation of transparency regarding the use of personal data.

What happens if my privacy is not respected?

If an organization does not comply with the GDPR, it can be fined significantly. In addition, consumers and citizens can file a complaint with the national authority to enforce their rights.

Must foreign companies like Facebook or Google respect it?

Yes, foreign companies like Facebook or Google, which have customers in Europe, must respect the RGPD. Some foreign companies have been fined hundreds of thousands of euros for not respecting the RGPD.

What is personal data?

This is any element you collect that identifies a person, such as their name, photo, social security number, address, mobile number, etc. Every organization therefore collects personal data and is subject to the RGPD.

How am I affected by the RGPD?

Companies, associations, businesses, the public sector, the self-employed: all are concerned.

Are any economic sectors exempt?

NO! No commercial or industrial sector is exempt from complying with the RGPD. Even if some professions have a code of ethics, a code of conduct or even professional secrecy obligations, none of them escapes the obligation to comply with the RGPD.

Are VSEs and SMEs concerned?

YES! Even very small companies, even one-person companies, must get their act together. Indeed, they manage personal data of customers, prospects and employees, and therefore the RGPD applies to protect their privacy.

Are non-commercial associations affected?

YES! Even very small associations must get their act together. Indeed, they manage personal data of members, contacts and collaborators, and therefore the RGPD applies to protect their privacy.

Are self-employed workers affected?

YES! Even the self-employed, even micro-entrepreneurs, must get their act together. Indeed, they manage personal data of customers, prospects and employees, and therefore the RGPD applies to protect the privacy of these people.

I don't have a website, does that concern me?

YES! The RGPD concerns all personal data processing, even if everything is processed on paper, and even if no website or internet connection is used at all. The simple fact of processing personal data as part of your activity is enough to be subject to the RGPD.

RGPD: What do I have to do?

What are the main obligations to comply with the GDPR?

What do I have to do?

The GDPR requires you not only to be GDPR compliant but, more importantly, to be able to demonstrate it. You have to build a file that records everything you have done.

What information should be in my RGPD file?

Your RGPD file must notably detail (1) what you have done for your website, (2) the security measures taken to protect personal data, (3) the human resources aspects, (4) how you manage the rights of the people whose data you hold, (5) any losses of data, (6) the various data processing operations you carry out, and (7) the relationships you have with your subcontractors.

Do I need a lawyer or consultant?

This is not essential. Applications such as GDPRfolder help you to complete a file that demonstrates what you have done to comply. Nevertheless, the support of an RGPD lawyer or an expert in this field can help you if you wish.

What should I do about our website?

The RGPD requires clear and transparent communication.

Do I have to have a privacy policy even if I don't collect data on the site?

It is recommended to put a visitor information document on each website explaining your privacy policy, just as it is important to include a legal notice and a disclaimer.

What should I do if I offer a newsletter on my site?

In order for someone to subscribe to your newsletter, they must give you their email address. You therefore need to obtain their consent to your policy for managing email addresses in the context of your newsletter: you will have to ask interested persons to accept your privacy policy, and you will have to keep proof of their consent.

What should I do if I offer a contact form for site visitors?

If you offer a contact form on your site, the person concerned must know what you are going to do with their data. You therefore need to provide them with a privacy policy that they must agree to before they send you their contact request, and you will need to keep proof of that person's consent.

Is one privacy policy for all data collection on the site sufficient?

NO. You cannot have a single privacy policy if you offer a newsletter, online shopping, a contact form or job postings on your site. Each of these options collects and manages personal data differently.

How do I collect consent from people who register or purchase on my site?

It is essential that people check a box showing they have read and agreed to your privacy policy before sending their data. And if the person does not check the box, you must tell them that you cannot collect their data if they do not accept your privacy policy.

What are the rights of the people whose data I collect?

The RGPD recognizes the rights of consumers and citizens!

What is the right of access?

Any individual has the right to ask any organization that collects data whether it holds data about them. You have 30 days to respond.

What is the right of rectification?

If you have responded to a request for access, and the data subject considers that there are errors in the data collected, he or she may request that it be rectified. If, for example, the data subject finds that his or her date of birth is incorrect, he or she may request that it be corrected. 

What is the right to erasure or the right to be forgotten?

An individual can ask an organization to delete the data it holds about them. But there are exceptions. If the data is collected for tax purposes by the Ministry of Finance, for example, it is not possible to request its deletion because it is collected by law. Similarly, for an e-commerce site, accounting and tax obligations may require the data to be retained even if the customer wishes to delete it.

How do I react to a request?

There are some precautions to take: 1/ you must verify that the person exercising their rights is really who they claim to be, so you are obliged to verify their identity; 2/ you have one month to answer them, so it is important to have an inventory of your databases; 3/ you must of course keep a history of the request and of your response, to demonstrate that you have responded.

How long do I have to respond to a request?

The time limit is one month after receipt of the request and verification of the person's identity. There are some possibilities to extend the deadline when the work involved is disproportionate. If I ask a huge institution for all my data, they can ask me to clarify my request or take an additional two months.

What are the legal bases for collecting data?

Data can only be collected in certain authorized situations.

What are the data collection options?

The GDPR only allows you to collect data when you have a legal basis, be it the consent of the person, a contract, etc. There are only 6 legal bases, which are explained below.

How to manage data collection with consent?

You can process personal data if the data subject has given you consent. You must be able to prove that you have received this consent, either on paper or via a checkbox on a website. Attention: 1/ there is no implicit consent; consent must be expressly and specifically given for the data processing that you propose to the person; 2/ the person concerned can withdraw their consent at any time and without justification.
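The consent rules above (a box that must be explicitly ticked before any data is accepted, proof of consent kept for later, one consent per purpose as the page says one policy per form is needed, and withdrawal possible at any time without justification) can be turned into a small consent ledger. The following is an added illustration, not code from the original FAQ or from GDPRfolder; the class names, field names and the sample policy text are assumptions, and the form dictionary is assumed to have already been normalized by the web layer into a boolean.

```python
"""Consent ledger: an added illustration of the page's consent rules.

Not part of the original FAQ. All names, fields and the sample policy text
below are constructed for the example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field, replace
from datetime import datetime, timezone
from typing import Optional

# Constructed sample policy text; in practice this is the text shown to the visitor.
POLICY_TEXT = "We use your e-mail address only to send you our monthly newsletter."


class ConsentRequired(Exception):
    """Raised when a form submission arrives without explicit consent."""


@dataclass(frozen=True)
class ConsentRecord:
    subject: str                    # e.g. the e-mail address given on the form
    purpose: str                    # one record per purpose: newsletter, contact form, shop...
    policy_version: str             # which version of the text the person accepted
    policy_sha256: str              # fingerprint of that text, so it can be shown again later
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class ConsentLedger:
    records: list[ConsentRecord] = field(default_factory=list)

    def record_submission(self, form: dict, purpose: str, policy_text: str,
                          policy_version: str, now: Optional[datetime] = None) -> ConsentRecord:
        """Accept a form only if the privacy-policy box was explicitly ticked.

        The web layer is assumed to map the checkbox to a boolean. Anything
        other than an explicit True (missing field, False, a pre-filled default,
        a stray string) counts as no consent: there is no implicit consent.
        """
        if form.get("privacy_policy_accepted") is not True:
            raise ConsentRequired(
                f"cannot collect data for {purpose!r}: the privacy policy was not accepted")
        rec = ConsentRecord(
            subject=form["email"],
            purpose=purpose,
            policy_version=policy_version,
            policy_sha256=hashlib.sha256(policy_text.encode("utf-8")).hexdigest(),
            granted_at=now or datetime.now(timezone.utc),
        )
        self.records.append(rec)
        return rec

    def withdraw(self, subject: str, purpose: str, now: Optional[datetime] = None) -> int:
        """Mark every active consent of this subject for this purpose as withdrawn.

        No justification is required. Records are kept (not deleted) so that the
        history of consent and withdrawal can still be demonstrated.
        """
        ts = now or datetime.now(timezone.utc)
        count = 0
        for i, rec in enumerate(self.records):
            if rec.subject == subject and rec.purpose == purpose and rec.withdrawn_at is None:
                self.records[i] = replace(rec, withdrawn_at=ts)
                count += 1
        return count

    def has_consent(self, subject: str, purpose: str) -> bool:
        """True only while a consent for this exact purpose is active."""
        return any(r.subject == subject and r.purpose == purpose and r.withdrawn_at is None
                   for r in self.records)

    def proof(self, subject: str, purpose: str) -> list[ConsentRecord]:
        """Everything needed to demonstrate consent (or its withdrawal) later."""
        return [r for r in self.records if r.subject == subject and r.purpose == purpose]


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed submissions: one ticked box, one unticked.
    ledger.record_submission({"email": "alice@example.org", "privacy_policy_accepted": True},
                             "newsletter", POLICY_TEXT, "v1")
    try:
        ledger.record_submission({"email": "bob@example.org", "privacy_policy_accepted": False},
                                 "newsletter", POLICY_TEXT, "v1")
    except ConsentRequired as exc:
        print("refused:", exc)
    print("alice newsletter consent:", ledger.has_consent("alice@example.org", "newsletter"))
    ledger.withdraw("alice@example.org", "newsletter")
    print("after withdrawal:", ledger.has_consent("alice@example.org", "newsletter"))
    print("proof kept:", ledger.proof("alice@example.org", "newsletter"))
```

Storing the hash and version of the policy text alongside the timestamp is what makes the record usable as proof: it ties the consent to the exact wording the person saw, and a newsletter consent never counts as consent for a contact form or a shop, which is why `purpose` is part of every record.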

How can legitimate interest be used to collect data?

This legal basis is complex and must result from a balance between the interest of the controller and respect for the personal data of the data subjects. An example is the possibility to contact former customers to offer them similar products or services.

How can a contract collect data?

When you sign a contract, or are in pre-contractual negotiations, you may process data. For example, in the context of recruitment you will collect a CV, interview data, etc.

How does a legal obligation allow for the collection of data?

The law may require data processing to be carried out. For example, the Ministry of Finance has a legal obligation to process your tax data.

How does a public interest mission collect data?

The law may entrust a mission of public interest either to a public or to a private actor. In this case, it is imperative to refer to the regulation that entrusts this mission to the data controller when informing the data subjects.

How does vital interest allow for data collection?

This is a very limited case: when the life of a person is in danger, it is allowed to collect and process data without consent.

What should I do if my data is stolen or lost?

Cybercrime exists and so does human error!

What do I do if my data is lost or stolen?

When you notice a loss or theft of data (cybercrime, loss of a laptop, confidential information mistakenly sent to the wrong person, etc.), you must analyze the consequences of this event.

Do I have to react quickly?

YES! You have a maximum of 72 hours to make a decision, which will depend on the seriousness of the incident. There are three possible reactions: 1/ you consider that the incident is not serious and you do nothing (for example, a lost laptop that is found the next day); 2/ the incident is serious and you must contact the national data protection authority; 3/ the incident is very serious and may have consequences for the people concerned.

Should I notify the authorities?

If you consider the incident to be serious, or if you have any doubt about its seriousness, you should contact the national data protection authority within 72 hours. There is a reporting form on the website of this authority.

Do I have to tell the people involved?

Only if there are serious consequences for the persons concerned, for example in case of disclosure of medical data. In this case you must inform all the persons concerned.

What is the purpose of the Data Protection Officer (DPO)?

The Data Protection Officer (DPO) has an important role

Do I have to appoint a DPO?

NO! Appointing a DPO is mandatory for public sector bodies, for large organizations and for those who process a large amount of data. For SMEs, the self-employed, NGOs and associations it is not mandatory to appoint a DPO.

What is the role of the DPO?

The DPO is independent of management, a bit like an auditor. The DPO advises on and monitors compliance with the RGPD, and helps the organization to be in conformity.

As a business owner, can I be the DPO?

NO! It is even forbidden, because it would create a conflict of interest between management decisions on the one hand and the obligation to comply with the RGPD on the other. No member of management can be the DPO of their own organization.

Internal or external DPO?

There are advantages and disadvantages to each. An internal DPO knows the company well but will have less experience and is likely to be influenced by their colleagues. An external DPO knows the company less well but has more experience as a DPO and is more independent from the company.

What is the processing register?

The processing register describes the data processing that you carry out.

Is the processing register compulsory?

It is mandatory for organizations with fewer than 250 employees unless the organization carries out processing that involves risks for data subjects or concerns sensitive data.

What is included in the processing register?

The register includes the description of the processing, the personal data concerned, the security measures, the purposes of the processing, its legal basis, the possible recipients of the data, etc. All this data will allow you to have a good overview of the processing you are doing and how you are complying with the GDPR.

Is the processing register useful?

YES, even in cases where the register is not compulsory, the data protection authorities recommend that it be completed because it provides a good overview of the data processing carried out.

How do I manage the suppliers and subcontractors to whom I entrust personal data?

You are responsible for the choice of your subcontractors who must also respect the RGPD!

What is a processor under the GDPR?

The GDPR considers a processor to be an organization that you entrust with data to process according to your instructions. For example, you run an email campaign and you entrust your customer list to a vendor to manage the email campaign.

Am I responsible for my subcontractors' compliance with the RGPD?

YES! You are responsible for the choice of your subcontractors, and therefore if they do not comply with the RGPD, you can be held responsible towards the data subjects.

Do I have to sign a contract with my subcontractors?

YES! The RGPD requires the signature of a specific contract setting out the rights and obligations of the subcontractor, in particular its obligation to respect the RGPD.

What happens if one of my subcontractors is not European?

You are also responsible for the choice of your non-European subcontractor. In this case, specific security measures must be taken, because some countries pose problems, such as the United States. As an example, Google Analytics has been declared contrary to the RGPD, and it is therefore mandatory to choose another solution, under penalty of being held responsible and risking sanctions.

What are the controls and sanctions for non-compliance with the RGPD?

Neglecting to comply with the GDPR or being unable to demonstrate compliance is not without risk!

Who can monitor my compliance with the GDPR?

Many people may ask you if you comply with the RGPD: your customers, your suppliers, during tenders, and of course the data protection authorities. And don't forget that not only does the RGPD require you to be compliant, but also to be able to demonstrate it, hence the interest of the RGPD file.

What are the possible sanctions?

Substantial fines of up to 20 million euros or 4% of annual turnover. But don't forget the damage to your reputation when it becomes known that you do not respect the personal data that people entrust to you.

Do small organizations receive fines?

YES! Even if there is a lot of talk about the millions of euros imposed on large groups like Google, there have already been many fines imposed on SMEs, associations and even self-employed workers.

Acronyms

Here you will find a number of acronyms used in the context of the RGPD.

What is the CNIL?

The CNIL is the Commission Informatique et Liberté, the French authority in charge of monitoring compliance with the RGPD; it has control powers and can impose fines.

What is the EDPS?

The European Data Protection Supervisor is composed of the 27 national data protection authorities and its main role is to issue recommendations regarding the application of the GDPR.

What is the DPA?

The DPA is the Belgian data protection authority.

What is the CNPD?

The CNPD is the Luxembourg data protection authority.

What is an AIPD or DPIA?

An AIPD is a data protection impact assessment, more often called a DPIA. It is a risk analysis that is mandatory in certain cases, such as the processing of large amounts of sensitive data.

What is the EDPB?

The European Data Protection Board is the English name of the EDPS.
