

What are the obligations of the controller with respect to compliance with the GDPR?

As a first step, the GDPR introduces the obligation to keep a register of processing activities, which lists the information describing the characteristics of the processing operations carried out by the controller. This obligation only applies in certain cases.

In this register, the entry dedicated to customer management must include the following elements:

  • the identity and contact details of the controller
  • the purposes of the processing
  • the categories of data subjects
  • the categories of personal data
  • the categories of recipients
  • transfers to a third country or an international organisation
  • the time limits for erasure
  • a general description of the technical and organisational security measures

The controller must define a data retention policy for his office. Personal data may only be stored for the time necessary to fulfil the purpose for which they were collected.

Article 13 of the GDPR specifies the information that any controller must provide to its customers or prospects, namely:

  • the identity and contact details of the controller (the firm)
  • the contact details of the data protection officer, where there is one
  • the purpose pursued (management and follow-up of the files of his clients)
  • the legal basis of the processing (performance of a contract, or pre-contractual steps taken at the request of the client)
  • the legitimate interest, if it is the legal basis of the processing
  • the recipients of the data (subcontractors, bailiffs, etc.)
  • cross-border data flows
  • the data retention period
  • the rights available
  • the conditions for exercising these rights
  • the right to withdraw consent, if consent is the legal basis of the processing
  • the right to lodge a complaint with a supervisory authority
  • information on the regulatory or contractual nature of the processing, where that is its legal basis

It is also necessary to check that access to the premises where the files are stored is sufficiently secure, and to check the security of the information system on which the files are stored in digital form (firewalls, robust passwords to access them, authorisations, etc.).