STARTUPS, LEARN HOW TO COMPLY WITH GDPR!
Bad news: not only do you have to comply with national regulations governing personal data, but potentially also with European regulations…
Good news: it’s not complicated once you take an interest in it, and we’re here to explain it all.
How do you know if your startup is subject to the European General Data Protection Regulation (“GDPR”)? How do you distinguish whether your startup is acting as a processor or a data controller under the GDPR? What are your obligations under the GDPR?
This article aims to help you identify whether the GDPR applies to you and what obligations you must comply with.
STEP 1: PERSONAL DATA PROCESSING
The GDPR applies to “the processing of personal data, whether wholly or partly automated, as well as the non-automated processing of personal data contained or intended to be contained in a file.”
Personal data is defined as “any information relating to an identified or identifiable natural person, directly or indirectly”.
Examples: surname, first name, date of birth, e-mail address, bank account number, IP address.
An identifiable natural person is “a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity” (the “data subject”).
Examples: employee, customer, prospect, service provider.
The processing of personal data is “any operation or set of operations which may or may not be performed using automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
Examples: recruitment management, human resources management, sales prospecting management, customer management.
So if you process any of this data in the context of the activities mentioned above, you are processing personal data, and in principle you must first comply with the national regulations applicable to you.
However, you potentially also have to comply with European regulations. How do you know?
STEP 2: FIND OUT IF YOUR AFRICAN STARTUP IS SUBJECT TO GDPR
The territorial scope of the GDPR is not limited to the European Union (“EU”), since it also imposes obligations on actors not located in the EU.
Your startup falls within the scope of the GDPR even when it is not established in the EU, provided that your activities are related to:
- the offer of goods or services to data subjects in the EU, whether or not the goods or services are subject to a charge (e.g. an e-commerce site accessible by natural persons in the EU); or
- tracking the behavior of these individuals, insofar as this behavior takes place within the EU (e.g. tracking behavior via cookies or profiling via a website).
Startups located in Africa offering goods or services directly to natural persons in the EU (e.g. online sales site), even free of charge, are therefore subject to the GDPR.
Warning: given the extraterritorial nature of the GDPR, European supervisory authorities can thus sanction companies located outside the EU, particularly during online checks of websites or during documentary checks, but also during on-site checks or at hearings.
Priority: Making the website compliant with GDPR requirements.
Now that you know whether you have to comply with the GDPR, the next step is to determine how you are qualified under these regulations: are you a controller, or a processor acting for a controller?
STEP 3: IDENTIFY YOUR STARTUP’S GDPR STATUS
Pursuant to Article 4 of the GDPR:
- The data controller is “the person who determines the purposes and means of a processing operation”;
- The processor is “the natural or legal person, public authority, department or other body that processes personal data on behalf of the controller”.
A processor is therefore someone who processes personal data on behalf of, on the instructions of and under the authority of a data controller.
Warning: the GDPR imposes new obligations on processors, who must assist controllers in their duties.
Example: Companies that process the personal data of people located in the EU, on behalf of their customers, are also subject to the GDPR (e.g. e-mailing services, call centers, payroll management, etc.).
STEP 4: COMPLYING WITH YOUR GDPR OBLIGATIONS
When your startup is located outside the EU and is subject to the GDPR, it must comply with the following GDPR obligations in particular:
- Appoint a representative in the EU: your startup must designate a representative in the EU in writing (Article 27 of the GDPR). It should preferably be located in one of the EU countries where the individuals whose personal data you are processing are located. The representative’s main task is to act as a point of contact for European personal data protection authorities and data subjects.
- Take into account the principles of personal data protection, by setting up processing registers and a personal data protection policy;
- Contractualize relations between data controller and processor, as well as with your startup’s various service providers and partners;
- Ensure the security of the data you process, by implementing procedures that guarantee a high level of security and by being able to react in the event of a personal data breach;
- Supervise transfers of personal data outside the EU.
Warning: to put these compliance elements in place, you first need to appoint a compliance manager (and, where applicable, a Data Protection Officer) within your startup, in charge of carrying out procedures and implementing these obligations.
WHY MUST YOU COMPLY WITH THE GDPR?
In order to avoid financial penalties provided for by the GDPR as well as criminal convictions!
Compliance with the GDPR meets a twofold challenge:
- financial and reputational, since sanctions can reach up to 20 million euros or 4% of worldwide annual sales, whichever is higher, and be made public.
- commercial, because it’s a business asset and a way of standing out from the competition.
For example: in France, the Penal Code provides for criminal penalties of up to 5 years’ imprisonment and a €1.5 million fine for corporate bodies.