STARTUPS, LEARN HOW TO COMPLY WITH RGPD!
Bad news: not only do you have to comply with national regulations governing personal data, but potentially also with European regulations…
Good news: it’s not complicated when you’re interested, and we’re here to explain it all.
How do you know if your startup is subject to the European General Data Protection Regulation (“GDPR”)? How do you distinguish whether your startup is acting as a processor or a data controller under the RGPD? What are your obligations under the RGPD?
This article aims to help you identify whether the RGPD applies to you and what obligations you must comply with.
STEP 1: PERSONAL DATA PROCESSING
The RGPD applies to “the processing of personal data, whether wholly or partly automated, as well as the non-automated processing of personal data contained or intended to be contained in a file.”
Personal data is defined as “any information relating to an identified or identifiable natural person, directly or indirectly”.
Examples: surname, first name, date of birth, e-mail address, bank account number, IP address.
An identifiable natural person is “a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity” (the data subject).
Examples: employee, customer, prospect, service provider.
The processing of personal data is “any operation or set of operations which may or may not be performed using automated processes and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
Examples: recruitment management, human resources management, sales prospecting management, customer management.
So if you process any of this data in the context of the activities mentioned above, you are processing personal data, and in principle you must first comply with the national regulations applicable to you.
However, you potentially also have to comply with European regulations. How do you know?
STEP 2: FIND OUT IF YOUR AFRICAN STARTUP IS SUBJECT TO RGPD
The territorial scope of the GDPR is not limited to the European Union (“EU”), since it also imposes obligations on actors not located in the EU.
Your startup falls within the scope of the RGPD even when it is not established in the EU, provided that your activities are related to:
- the offer of goods or services to data subjects in the EU, whether or not the goods or services are subject to a charge (e.g. an e-commerce site accessible by natural persons in the EU); or
- tracking the behavior of these individuals, insofar as this behavior takes place within the EU (e.g. tracking behavior via cookies or profiling via a website).
Startups located in Africa offering goods or services directly to natural persons in the EU (e.g. online sales site), even free of charge, are therefore subject to the RGPD.
Warning: given the extraterritorial nature of the RGPD, European supervisory authorities can thus sanction companies located outside the EU, particularly during online checks of websites or during documentary checks, but also during on-site checks or at hearings.
Priority: Making the website compliant with RGPD requirements.
Now that you know whether you have to comply with RGPD regulations, the next step is to determine your qualification with regard to these regulations: are you a controller, or a processor acting for a controller?
STEP 3: IDENTIFY YOUR STARTUP’S RGPD STATUS
Pursuant to Article 4 of the RGPD:
- The data controller is “the person who determines the purposes and means of a processing operation”;
- The processor is “the natural or legal person, public authority, department or other body that processes personal data on behalf of the controller”.
A processor is therefore someone who processes personal data on behalf of, on the instructions of and under the authority of a data controller.
Warning: the RGPD imposes new obligations on processors, who must assist controllers in their duties.
Example: Companies that process the personal data of people located in the EU, on behalf of their customers, are also subject to the RGPD (e.g. e-mailing services, call centers, payroll management, etc.).
STEP 4: COMPLYING WITH YOUR RGPD OBLIGATIONS
When your startup is located outside the EU and is subject to the RGPD, it must comply with the following RGPD obligations in particular:
- Appoint a representative in the EU: your startup must designate a representative in the EU in writing (Article 27 of the RGPD). It should preferably be located in one of the EU countries where the individuals whose personal data you are processing are located. The representative’s main task is to act as a point of contact for European personal data protection authorities and data subjects.
- Take into account the principles of personal data protection, by setting up processing registers and a personal data protection policy;
- Contractualize relations between data controller and processor, as well as with your startup’s various service providers and partners;
- Ensure the security of processed data, by implementing procedures to guarantee a high level of security and by being able to react in the event of a personal data breach;
- Supervise transfers of personal data outside the EU.
Warning: to put these compliance elements in place, you first need to appoint a compliance manager (and, where applicable, a Data Protection Officer) within your startup, in charge of carrying out procedures and implementing these obligations.
WHY MUST YOU COMPLY WITH THE RGPD?
In order to avoid financial penalties provided for by the RGPD as well as criminal convictions!
Compliance with the RGPD Regulation meets a twofold challenge:
- financial and reputational, since sanctions can reach up to 20 million euros or 4% of worldwide annual sales, whichever is higher, and be made public.
- commercial, because it’s a business asset and a way of standing out from the competition.
For example: in France, the Penal Code provides for criminal penalties of up to 5 years’ imprisonment and a €1.5 million fine for corporate bodies.