Series: RGPD in 3 questions

Kaufhold & Reveillaud, Avocats has identified the three most recurring questions asked by its clients in relation to the European Data Protection Regulation (EDPR). Answers below.

1) Is it compulsory to appoint a Data Protection Officer (DPO)?

The appointment of a DPO is often optional. A simple data protection contact is sufficient. KR can help with this.

However, it is mandatory to appoint a DPO for :

1. Public authorities and organizations (e.g. public institutions, ministries, etc.).
2. Organizations whose core activities consist of processing operations which, due to their nature, scope and/or purposes, require regular and systematic large-scale monitoring of the data subjects (e.g. Internet access providers, telephone operators).
3. Organizations whose core activities involve large-scale processing of special categories of “sensitive” data (i.e. biometric, genetic, health, sex life, racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership) or data relating to criminal convictions and offenses.

2) What are the consequences of the Brexit on the RGPD?

The UK’s national data protection authority, the Information Commissioner’s Office or ICO, has reported that the GDPR has been in force since May 25, 2018 in the UK as in all EU member states.

So, for as long as the procedure for the United Kingdom’s exit from the European Union has not been completed, the United Kingdom remains a member state of the European Union.

The UK Data Protection Act 2018 (DPA 2018), which is currently supplementing and adapting the RGPD in the UK, will continue to apply.

The provisions of the GDPR will be incorporated directly into UK law if the UK leaves the EU without an agreement to apply alongside the DPA 2018.

Finally, it’s worth noting that the ICO has already made it clear that a high level of personal data protection will be maintained in the UK in the post-Brexit phase. Indeed, the UK government intends to incorporate the RGPD into the 2018 DPA at the time of Brexit. So, in practice, there will be little change to the fundamental data protection principles, rights and obligations contained in the RGPD.

3) Is it compulsory to obtain the consent of the person concerned?

No.

According to the GDPR, the consent of the person whose personal data is processed is not required if the data is collected:

• For the performance of a contract (e.g. employment contract, etc.) or pre-contractual measures (e.g. quotation, etc.).
• To comply with a legal obligation (e.g. register of beneficial owners, etc.).
• To safeguard a person’s vital interests (e.g. in the event of an epidemic, etc.).
• For the performance of a mission of public interest or public authority (e.g. tax authorities, etc.).
• For a legitimate interest (e.g. to prevent fraud, etc.) unless the interests or fundamental freedoms of the data subject prevail.

If the processing does not meet one of the above conditions, the data subject’s consent is required.

The GDPR team at Kaufhold & Reveillaud, Avocats will be happy to answer any questions you may have on the subject.