-
GDPR Certification
This page is currently not available in English. Please refer to the French version.
-
Further processing of personal data
Where the processing for a purpose other than that for which the personal data have been collected is not based on the data subject's consent or on a Union or Member State law which constitutes a necessary and proportionate
-
Processing of sensitive data
Where your processing operations involve "sensitive data", special conditions may apply (examples: a data protection impact assessment, additional information to be provided to the data subject, the consent of the data subject, contractual clauses, etc.). Special categories
-
Records of processing activities
As a controller, you shall maintain a record of processing activities under your responsibility. Similarly, your processors shall maintain a record of all categories of processing activities carried out on your behalf. However, this obligation shall not apply
-
Main principles
Before data may be processed by the controller, a number of conditions of lawfulness must be met to ensure an adequate protection of privacy. When you process personal data, you must comply with the following principles: Principles of lawfulness, fairness
-
Consent
The data subject's consent is one of the conditions on which processing operations can be based in order to be lawful. The provisions concerning the conditions applicable to consent were further developed by the GDPR, emphasizing its "free, specific, informed
-
Lawfulness of processing
In order to be lawful, the processing operations must be based on one of the following conditions: The data subject has consented to the processing of his/her personal data for one or more specific purposes. The processing is necessary
-
Your obligations
Since 25 May 2018, the General Data Protection Regulation imposes stricter accountability obligations on private and public actors. You will be required to constantly ensure that the rules set out in the Regulation are followed and must be able to
-
Security of personal data
Both you and your processors shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. These security measures shall take into account the state of the art, the costs of implementation
-
Processors
Only choose processors that provide sufficient guarantees to ensure the protection of the personal data processed. Conclude a contract that sets out the processor’s obligations concerning the security, the confidentiality and the protection of the processed personal data.
-
Documentation and accountability
To demonstrate your compliance with the Regulation, you must maintain the necessary documentation. To continuously ensure the protection of the personal data you processed, you must regularly audit the actions and documentation relating to every phase of the processing operations
-
International transfers of personal data
If the European Commission does not recognise the country to which you are transferring personal data as adequate, you must provide appropriate safeguards when transferring personal data outside the European Union.
-
Data Protection Impact Assessment
If you have determined that the processing is likely to result in a high risk to the rights and freedoms of data subjects, you must carry out a data protection impact assessment (DPIA) for each processing operation. The DPIA allows...
-
Comply with the rights of data subjects
The General Data Protection Regulation grants certain rights to individuals and defines their conditions and limitations. The controller has to make sure that data subjects can exercise the following rights: 1. Information to the data subject You must inform data
-
Privacy by design and privacy by default
Privacy by design Privacy by design means implementing appropriate security measures at the earliest stages of the development of your products and services. Privacy by default The principle of privacy by default requires the adoption of measures to ensure that
-
Data Protection Officer (DPO)
The Data Protection Officer (DPO) has an important role in the legal framework created by the General Data Protection Regulation (GDPR). Articles 37 to 39 GDPR lay down the rules applicable to the designation, position and tasks of the DPO
-
Data breaches (General data protection regulation)
Data controllers shall notify personal data breaches to the CNPD within 72 hours after having become aware of them, if the violation in question is likely to result in a risk to the rights and freedoms of natural persons.
-
Data breaches
Data breaches under the General Data Protection Regulation Controllers shall notify data breaches to the CNPD within 72 hours after becoming aware of
-
Data breaches (Electronic communications sector)
In accordance with European Commission Regulation (EU) No. 611/2013 of 24 June 2013, which entered into force on 25 August 2013, providers of publicly available electronic communications services, such as fixed or mobile telephone companies or Internet service providers
-
Professionals
Since 25 May 2018, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) is directly applicable to all organizations active on the European Union territory. The new rules impose stricter accountability obligations on private and public actors, while reducing or