Areas of Practice

GDPR Compliance

Compliance with the GDPR requires very specific GDPR-related documentation to be in place.

Here is a range of the essential documents:

Record of processing activities

As a company processing personal data, you must keep a record of processing activities. This record is a document that allows you to monitor and keep track of all the processing operations that you carry out. This recordis also essential in case of an inspection by the Data Protection Authority.

Privacy & Cookie Policy

– The key word is “transparency” –

The GDPR provides for an obligation to inform data subjects about the data processing you carry out.

Transparency is the key word: what personal data do you process, what do you do with it, is it passed on to other entities, how long is it kept, etc. These are the questions you need to ask yourself.

Once you have defined all of your processing activitiesand purposes, you should ensure that you communicate all of this information through a Privacy Policy in clear and intelligible language.

Data subjects also have rights under the GDPR. It is therefore important to inform them of the existence of these rights and how they can exercise them.

If you use cookies on your website, you collect a certain amount of information, including personal data. Indeed, cookies make it possible to collect personal data because they can be associated with an IP address, which is itself specific to the visitor to the site. It is therefore possible to link the data collected with a specific individual.

There is a specific regulation regarding the use of cookies, but the GDPR also applies as soon as you collect personal data via cookies. Therefore, in addition to the Privacy Policy, you should also ensure that you have a Cookies Policy in place.

Contracts with partners

It is necessary to control the contracts with your partners, which are mainly your processors(but not only). The RGPD imposes specific obligations between the data controller and the subcontractors, in particular a greater accountability of the latter. Subcontracts are therefore essential in practice because a lot of data passes through your subcontractors when they process it on your behalf.

When data is transferred to other partners so that they can reuse it for their own purposes, this transfer between two entities must also be regulated. In most cases, it will be appropriate to set up contracts for joint data controllers.

Existing contracts also need to be adapted by making changes, particularly in terms of confidentiality and physical or computer security of data. Each relationship must therefore be analysed and framed, and it is not always easy to understand the role of each party.

Internal data management policies

The purpose of these policies is to establish a global vision of the flow of data within the company and to define the tasks and responsibilities of everyone in terms of data management. This type of policy is also a tool for raising awareness within the company as it allows you to inform your employees internally.

There are several types of internal policies, including:

  • Incident Management Policy: With this policy, you make your employees aware of data leaks and give them a pyramid procedure to react directly.
  • Policy on the Management of Legal Practice: This is a guide to how the company responds, often via its DPO, to data subjects’ rights requests.


Latest articles on this subject