
Here the complete recorded presentation for the speach "GDPR & AML what can go wrong" :

<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/dcloDlNi554" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>



A general presentation General Data Protection Regulation (GDPR) within the context of AML (KYC) 

GDPR and AML, what can go wrong ?


Using 'legitimate interests' as a legal basis is fraught with risks. Many data controllers tend to rely on this legal basis in situations where it is not applicable, such as when consent is explicitly required! This can lead to the risk of fines—as evidenced by the Facebook (Meta) case, which resulted in a €390 million penalty for misusing legitimate interests due to misuse of legitimate interests.

For legitimate interests to be validly used, it is necessary to conduct and pass a triple test to ensure the legality of relying on Article 6.1.f. It's important to note that when using legitimate interests, consent from individuals before processing their data is not required! Thus, this legal basis potentially opens the door to abuses, which is exactly what the triple test aims to prevent and eliminate.

Let's delve into this in detail!


## 1. The Legal Basis of "Legitimate Interests"

Article 6, paragraph 1(f) of the GDPR states:

"1. Processing shall be lawful only if and to the extent that at least one of the following applies: (...) f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless the interests or fundamental rights and freedoms of the data subject requiring protection of personal data, particularly when the data subject is a child."

This explicitly means that a data controller (DC) can collect and process personal data without obtaining consent from individuals if they believe it is legitimate to do so. This is an important element to consider as the controller will not ask permission from the data subjects to process their data, opening the possibility of abuses. With this groundwork laid, we can immediately see how situations might spiral out of control, which is why the GDPR imposes conditions for legitimate interests to be validly invoked. The triple test is structured as follows:

- A purpose test: does the controller truly have a legitimate interest?
- A necessity test: is the data processing genuinely necessary?
- A balancing test: do the individual's interests prevail over the controller's legitimate interest?

The [french CNIL highlights ](https://www.cnil.fr/fr/les-bases-legales/interet-legitime) that "this legal basis concerns processing implemented by private entities that do not significantly infringe on the rights and interests of the concerned individuals."


## 2. Examples of Legitimate Interests
Interestingly, the GDPR itself provides a series of examples of interests considered legitimate (recitals 47, 48, and 49):

- fraud prevention
- ensuring the security of network and information systems broadly (see recital 49 for detailed discussion)
- commercial prospecting

The [European Commission also reminds us](https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-mean_fr#:~:text=Votre%20entreprise%2Forganisation%20a%20un,informations%20de%20vos%20systèmes%20informatiques)  that "Your company/organization has a legitimate interest when the processing occurs within the framework of a client relationship, when processing personal data for prospecting purposes, to prevent fraud, or to ensure the security of network and information systems."

Analyzing recital 49 of the GDPR, we observe that data processing conducted to ensure the security of information systems, based on legitimate interest, has been extensively mentioned: "The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e., the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data, as well as the security of the related services offered or made accessible via these networks and systems, by public authorities, computer emergency response teams (CERT), computer security incident response teams (CSIRT), providers of electronic communications networks and services, and providers of security technologies and services, **constitutes a legitimate interest of the controller concerned**. It might, for instance, involve preventing unauthorized access to electronic communications networks and the distribution of malicious code, and stopping 'denial of service' attacks and damage to computer and electronic communication systems."


## 3. No Legitimate Interest for Public Authorities
It's important to note that the legal basis of legitimate interests is not applicable to public authorities; recital 47 explains why: "Given that it is up to the legislator to provide by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing carried out by public authorities in the performance of their tasks."

## 4. How to Conduct the Triple Test
The triple test must be conducted and documented in the processing register to ensure that the organization's use of the legal basis complies with GDPR requirements. Three key steps must be taken:

### 4.1 Identify the Interests of the Controller or a Third Party and Their Legitimacy
Initially, it is crucial to clearly identify the interests and objectives pursued by the controller or a third party for which the processing is carried out. Questions to consider include:

- Why is the processing being carried out?
- What benefits are expected from the processing?
- Who benefits from the processing?
- What would be the impact if the organization could not implement the processing?

Recital 47 is helpful in this analysis: "The existence of a legitimate interest would need careful assessment, particularly to determine whether a data subject can reasonably expect at the time and in the context of the collection of personal data that processing for that purpose may take place." In the context of a commercial relationship, it is useful to consider the reasonable expectations of individuals regarding the processing of their data, such as in B2B scenarios where a client of a company can reasonably expect to be contacted by email for a commercial proposal related to an ancillary service.

The [french CNIL states ](https://www.cnil.fr/fr/les-bases-legales/interet-legitime) that "an entity's interest can be presumed legitimate if the following three conditions are met:

- the interest is clearly lawful according to the law;
- it is sufficiently clear and precise;
- it is actual and present for the concerned entity, and not fictitious."

### 4.2 The Necessity Condition
The organization must then ensure that the processing is necessary (cf. Art. 6: "the processing is necessary for the purposes of the legitimate interests"). This condition can be broken down into two parts:

- Firstly, verify that the processing indeed helps achieve the stated objective, and not in reality other aims. This condition is often problematic in cases where the organization claims to collect data for one purpose, while in reality, it uses this data for entirely different purposes. It's vital to be vigilant here, as this poses a real and significant risk of deviation.
- Secondly, ensure that there is no less intrusive way to achieve the same objective.
Questions to ponder include:

Will this processing genuinely help the organization achieve the initially stated objective?

- Is the processing proportional to this objective?
- Is it possible to achieve the same objective without processing?
- Is it possible to achieve the same objective by processing less data, or in a less intrusive manner (also see the principle of data minimization)?

### 4.3 The Balancing test

The details of Article 6 must be revisited to understand the balancing test. Indeed, the legitimate interests of the controller may justify this legal basis "unless the interests or fundamental rights and freedoms of the data subject that require protection of personal data prevail."

The balance is thus established: the controller's interests cannot override the interests, liberties, or fundamental rights of the individual concerned.

Recital 47 further elaborates on this balancing condition:

- "unless the interests or the fundamental rights and freedoms of the data subject prevail, considering the reasonable expectations of data subjects based on their relationship with the controller;"
- "The existence of a legitimate interest must be carefully assessed, particularly to determine whether a data subject can reasonably expect, at the time and in the context of the collection of personal data, that it may be processed for a given purpose;"
- "The interests and fundamental rights of the data subject might, in particular, prevail over the interest of the controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing."

The [reasonable expectations of data subjects](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679) "reasonable expectations of data subjects based on their relationship with the controller" - are thus crucial elements to consider.

The [CNIL notes](https://www.cnil.fr/fr/les-bases-legales/interet-legitime) that "the entity must balance, weigh the rights and interests at stake, and verify within this framework that the interests (commercial, security of property, fraud prevention, etc.) it pursues do not create an imbalance to the detriment of the rights and interests of the persons whose data are processed." Furthermore, "the entity must first identify all types of consequences its processing may have on the concerned individuals: on their privacy but also, more broadly, on all rights and interests covered by data protection." Then, "the entity must take into account, in the balance between its legitimate interest and the rights and interests of the people, their 'reasonable expectations'."

Additional questions to clarify these aspects include:

General context of processing:

- Are there data referred to in articles 9 or 10?
- Are these data likely to be considered particularly 'private' or sensitive by individuals?
- Are children, minors, or vulnerable individuals' data processed?
- Is data related to individuals' personal or professional capacity processed?

The relationship with concerned individuals:

- Is there a relationship with the individual?
- What is the nature of this relationship, and how has data been used in the past?
- Was data collected directly from individuals?
- What information were they given?
- How long ago was the data collected? Have there been technological or contextual changes since that would affect expectations?




How to use the legitimate interests as a lawful basis under GDPR, including challenges, conditions, and practical examples

Doing the triple test to evaluate the legitimate interests under the GDPR

An in-depth analysis of GDPR applicability to non-EU organizations, including legal obligations, case studies, and practical compliance strategies.

Does the GDPR Apply to Non-EU Organizations?


The question of how to validly obtain consent under the GDPR generates a lot of discussions, yet it is often a simple problem to deal with. There are however important considerations that need to be assessed! First: **do you really need consent ?** This is an essential first step as consent is one of the six legal basis and it's not necessarily the one required in all cases (sometimes it needs to be avoided as it can be a GDPR violation to use consent when other legal basis are required). This verification is an essential starting point (I). Once we are sure consent is required from a legal perspective then only we can create a process that will capture the consent in regard to the conditions set by the GDPR (II).

<u>**Why a valid consent is essential**</u>

National control authorities do not hesitate to **erase all personal data collected without valid consent**. In multiple cases in 2018, the french CNIL requested the erasure of +14 million - and in another case - over 60 million of prospect's data that companies did not capture with valid consent. The economical damage can be very substantial. On another side, capturing legally valid consent is not a complex task.

## I. - Consent is not generic 

**The First mistake to avoid: organizations don't need consent all the time.** This is the first thing to clearly understand: consent is needed in a few cases only.

The legal obligation GDPR imposes is to have a *legal basis*. There is *six legal basis* that allows organizations to collect and process personal data. Consent is only one of them! So, let's take a look at some real-life examples.


<table class="table table-bordered table-striped">
  <thead >
    <tr>
      <th scope="col">Consent is needed</th>
      <th scope="col">Consent is not needed</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Subscription to a newsletter</td>
      <td>When the law requires the collection of personal data, for example invoicing - as this is a legal obligation</td>
    </tr>
    <tr>
      <td>Download and receive a guide (ex: whitepaper...)</td>
      <td>In case of a sale, or a contract (e.g. online sales)</td>
    </tr>
    <tr>
      <td>More generally activities in which a person will see his personal data processed and in which the person can request anytime to stop the activity.</td>
      <td>For employment - recruitment, cv</td>
    </tr>
  </tbody>
</table>




### What is the legal basis ?

In reality, to be able to legally collect data relating to persons, the GDPR imposes one condition: the data controller has to have a legal basis. This means we have to have at least one of the following conditions as described in article 6:

- the subject has **given consent** to the processing of his data 
- the processing is **necessary for the performance of a contract** or to take steps before entering into a contract
- a **legal obligation** imposes the collection of personal data
- protection of **vital interests of the data subject** (someone is in a coma and can not give consent)
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- **legitimate interests pursued by the controller** or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data


### How to determine if the legal basis can be consent?

In practice, the need to request consent can be determined by eliminating other legal bases and as follows:

 does the law require you to collect personal data (e.g. in HR matters, like obligations existing related to retirement, in commercial matters for invoicing)? If so, then the legal basis is the legal obligation, and there is no need to ask for consent ;
- is the data collected from the perspective of a contractual relationship - for example, an e-commerce website? In this case, the legal basis is the execution of pre-contractual measures or the execution of a contract. Be careful, however, because only the data necessary for this contract can then legally be collected! For example, the subscription of a person to a newsletter following purchase will not enter the data needed for the contractual relationship, and therefore will be subject to consent ;
- are we in the two other specific cases of public interest / official authority vested in the controller or where vital interests of a data subject need to be protected (ex: a person arriving in a coma in a hospital in need of a transplant)
- Having evacuated most of the legal basis, the last question we can ask ourselves is: **can the person enter and exit the processing of his personal data at will**? If yes, we are in a typical case of consent. Otherwise, the legal basis of the legitimate interests of the data processor might apply.

Consent is frequently used in marketing - for example, to subscribe to a newsletter, where a person can start and stop the processing of his data at will (eg. the unsubscribe link).



## II. - You legally need consent? Here's how to get one!

If you are in a situation where you need consent, congratulations because it's quite an easy task to get one! Let's clarify one element first **a checkbox is not needed for consent**. It can be useful if an organization wants to ensure that the person stopped and thought about what he or she agreed on, and expressed clearly agreement. But it's not necessary. In reality, we need two essential elements. Let's look at the legal definition, given by article 4.

> ‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her

So to acquire consent, two elements must be there: a positive act by the person, and the person must be informed of what will be done with their data.

### First condition: you need a positive action from the person herself

For consent to be validly collected, a positive act by the person is first required. In clear terms, it means **the person herself needs to do an action to manifest he/she agrees** to the processing of his/hers personal data. 

<u>**Here are examples of valid actions**</u>

- a person clicks on a button
- a person checks a check box
- a person signs a contract
- a person says "yes I agree", or "agreed"

<u>**Here are examples of invalid actions**</u>
- someone else presses a button
- a checkbox is pre-checked
- the person did not add her email herself in a form
- the person stayed silent

In fact, this is a very old legal problem: can silence equals acceptance? In clear terms the question is, can a person be legally obliged to do something in the case she stayed silent? The GDPR answer is absolutely not (it would open to significant abuses otherwise)!

For consent to be valid, **the person must therefore perform a positive act themselves** - such as entering their personal data themselves in a collection form or clicking a button.

<u>**One action is enough**</u>

However, the GDPR does not necessarily require a set of multiple actions, like for example checking a checkbox AND then clicking on a button. A checkbox can be the manifestation of a positive act, **but it's not mandatory** and there are plenty of ways to get the user to make an action other than filling a checkbox. For example, a person who adds his email address himself in a form will perform a positive act, sufficient to meet the requirement of the GDPR.

What is important is that the action comes from the person himself. For instance, it would be unlawful to collect emails on forums and send commercial advertisements (no clear affirmative action from the person to agree to such processing).

### Second condition: the person must be informed

To get a valid consent, the GDPR has added other legal conditions that we can summarize as follows: the person whose data is processed must be clearly informed of what will be done with their data.

This is essential, otherwise, how could he/she consent to anything? From a legal point of view, the GDPR imposes several additional conditions, to ensure consent given is well informed:

- the data subject must express a **manifestation of free will, uncoerced and uninfluenced** (e.g. a person who is forced to give his consent does not consent validly; we typically find this type of situation in matters of labor law in which the employer can impose the processing of personal data - in such cases, consent cannot be used as a legal basis. It is however possible to ask for consent in matters of employment law, but it must be ensured that the choice of the person is truly free). Beware, therefore, of the balance of power that can block the acquisition of consent
- the **consent must be specific**: the data subject must consent to something specific, such as receiving a newsletter. It's not possible to ask to consent to "any processing of personal data" for example.
- the consent must be informed: in general, the data controller has to clearly detail on the collection form what will be done with the personal data
- consent must be **unequivocal**, the data controller must not seek to mislead the person for example as to the reality of the processing carried out on this data, and inform him clearly of what is done with his data

The G29 has written <a href="https://ec.europa.eu/newsroom/article29/item-detail.cfm?item_id=623051">very detailed consent guidelines</a> on these matters.


## Processes to implement

One risk for organizations who collect personal data is to fail to collect a valid consent. Avoiding this scenario is, however, relatively simple, provided that specific consent acquisition processes are put in place. 

If you are uncertain about how to build these processes head up to <a href="https://www.legiscope.com">Legiscope</a> as these step-by-step processes are already built and the platform will help you automate a lot of other compliance tasks and save considerable amounts of time.








The GDPR requires obtaining the consent of individuals before processing their personal data in certain cases, here's how to do that

Tutorial: how to get a valid GDPR consent






Achieving compliance with the General Data Protection Regulation (GDPR) is essential for e-commerce businesses operating within the European Union or handling the personal data of EU residents. The GDPR, which came into effect on May 25, 2018, has set a new standard for data protection, emphasizing transparency, accountability, and the rights of individuals. For e-commerce companies, adherence to GDPR is not merely a legal obligation but also a critical component in building and maintaining customer trust throughout the data processing chain.

The e-commerce sector, characterized by the extensive collection and processing of personal data, faces unique challenges in aligning with GDPR requirements. From managing customer information and processing transactions to handling third-party integrations and cross-border data transfers, e-commerce businesses must implement robust data protection measures. Failure to comply with GDPR can result in substantial fines and reputational damage, underscoring the importance of a proactive approach to data privacy.

This guide provides a comprehensive, step-by-step framework for e-commerce businesses to achieve and maintain GDPR compliance. Drawing on over two decades of operational experience in privacy regulations within France and Europe, this article offers practical insights, legal references, and actionable strategies to navigate the complexities of GDPR. By implementing these measures, e-commerce companies can not only ensure compliance but also foster trust and loyalty among their customers.

## I. - Data Collection and Consent Management

At the heart of GDPR compliance lies the principle of lawful data processing, which mandates that personal data must be collected and processed based on a valid legal basis. For e-commerce businesses, the most common legal bases are consent and the necessity for contract performance. Ensuring that data collection practices are transparent and that consent is obtained in a clear and unambiguous manner is paramount.

The GDPR mandates that consent must be freely given, specific, informed, and unambiguous. This means that e-commerce platforms must implement mechanisms that allow users to provide explicit consent for each specific purpose of data processing. For instance, when collecting email addresses for marketing purposes, businesses must ensure that users opt-in voluntarily and are informed about how their data will be used. This aligns with the principles outlined in [How to Get Valid Consent under GDPR](https://www.legiscope.com/blog/how-to-get-valid-consent-gdpr.html).

A notable case highlighting the importance of proper consent management is the Google case, wherein the French data protection authority, CNIL, fined Google €50 million for lack of transparency, inadequate information, and lack of valid consent regarding personalized ads. This case underscores the need for e-commerce businesses to implement robust consent mechanisms that not only comply with legal requirements but also respect user preferences and privacy.

To effectively manage consent, e-commerce businesses should integrate consent management platforms that track and document user consents. Regular audits of consent records and ensuring that users have the ability to withdraw consent at any time are critical steps in maintaining compliance. Additionally, adopting a privacy by design approach, as discussed in [Privacy by Design](https://www.legiscope.com/blog/privacy-by-design.html), ensures that data protection measures are embedded into the core operations of the business, thereby enhancing overall security and trust.

## II. - Data Security and Protection Measures

Ensuring the security of personal data is a fundamental requirement under the GDPR, as outlined in Article 32. E-commerce businesses must implement appropriate technical and organizational measures to safeguard data against unauthorized access, loss, or breaches. This encompasses a wide range of practices, from encryption and pseudonymization to regular security assessments and staff training.

One of the critical aspects of data security is the implementation of encryption protocols for data at rest and in transit. Encrypting sensitive information, such as payment details and personal identifiers, minimizes the risk of data breaches and unauthorized access. Furthermore, regular security assessments and penetration testing help identify and mitigate potential vulnerabilities within the e-commerce platform.

The British Airways case serves as a stark reminder of the consequences of inadequate data security. In 2019, British Airways was fined £183 million by the UK Information Commissioner's Office (ICO) following a data breach that compromised the personal and financial details of approximately 500,000 customers. This case highlights the dire repercussions that can result from failing to implement and maintain adequate security measures, emphasizing the need for continuous vigilance and improvement in data protection practices.

Moreover, e-commerce businesses should adopt a comprehensive incident response plan to effectively manage and respond to data breaches. This includes promptly notifying relevant supervisory authorities and affected individuals in accordance with Article 33 and 34 of the GDPR. By establishing clear protocols and ensuring that all stakeholders are aware of their roles in the event of a breach, businesses can mitigate the impact of incidents and maintain trust with their customers.

Another essential aspect of data protection is the minimization of data collection and retention. E-commerce platforms should only collect data that is absolutely necessary for the specific purposes of processing and ensure that it is retained only for as long as required. Adhering to the principles of [Data Minimization](https://www.legiscope.com/blog/data-minimization-gdpr.html) helps reduce the risk of unauthorized access and potential breaches, thereby reinforcing the overall security posture of the business.

## III. - Cross-Border Data Transfers and Third-Party Processing

In the globalized landscape of e-commerce, businesses often engage in cross-border data transfers and utilize third-party service providers for various functions such as payment processing, marketing, and logistics. The GDPR imposes strict regulations on such data transfers to ensure that personal data remains protected regardless of where it is processed. Understanding and complying with these regulations is crucial for maintaining GDPR compliance.

Under Chapter V of the GDPR, cross-border data transfers are permitted only when adequate safeguards are in place. This may include the use of Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or ensuring that the recipient country has been deemed to provide an adequate level of data protection by the European Commission. E-commerce businesses must conduct thorough assessments to determine the legality of transferring personal data outside the EU and implement the necessary safeguards as outlined in [Cross-Border Data Transfers](https://www.legiscope.com/blog/cross-border-data-transfers.html).

A significant case illustrating the complexities of cross-border data transfers is the Schrems II case, where the Court of Justice of the European Union invalidated the EU-US Privacy Shield framework. This decision emphasized the need for e-commerce businesses to reassess their data transfer mechanisms and ensure compliance with the latest legal standards. As a result, many businesses have had to renegotiate contracts and adopt alternative safeguards to continue transferring data internationally.

In addition to cross-border transfers, e-commerce businesses must carefully manage their relationships with third-party processors. Under Article 28 of the GDPR, data controllers are required to ensure that third-party processors provide sufficient guarantees to implement appropriate technical and organizational measures. This includes conducting due diligence, establishing clear contractual obligations, and regularly monitoring the processors' compliance. Insights on [Article 28 GDPR](https://www.legiscope.com/blog/article-28-gdpr.html) provide further guidance on managing third-party relationships effectively.

To enhance compliance in this area, e-commerce businesses should maintain an up-to-date record of all data processing activities involving third-party processors and cross-border transfers. Regular reviews and audits of these records help identify potential risks and ensure that all data transfers adhere to the required legal frameworks. Leveraging tools and platforms, such as [Legiscope's GDPR compliance platform](https://www.legiscope.com), can streamline the management of cross-border data transfers and third-party processing, reducing operational overhead while ensuring robust compliance.

## IV. - Responding to Data Subject Rights and Breaches

The GDPR enshrines a range of rights for data subjects, empowering individuals to have greater control over their personal data. For e-commerce businesses, it is essential to establish processes that facilitate the exercise of these rights, including the rights to access, rectification, erasure, and data portability. Effectively managing these rights not only ensures legal compliance but also enhances customer trust and loyalty.

Under Articles 15 to 20 of the GDPR, individuals have the right to access their personal data, request corrections, demand the deletion of data, and obtain copies of their data in a portable format. E-commerce platforms must implement user-friendly mechanisms that allow customers to easily exercise these rights. This includes setting up clear procedures for handling data access requests, ensuring timely responses, and maintaining records of all interactions. Resources such as [Data Portability Right](https://www.legiscope.com/blog/data-portability-right.html) provide valuable insights into facilitating these processes.

Furthermore, the GDPR requires businesses to have robust procedures in place for handling data breaches. According to Articles 33 and 34, businesses must notify supervisory authorities within 72 hours of becoming aware of a breach and inform affected individuals without undue delay when the breach poses a high risk to their rights and freedoms. The case of Equifax serves as a pertinent example, where a data breach affecting millions of individuals resulted in substantial fines and legal repercussions. This underscores the importance of having an effective incident response plan and ensuring that all employees are trained to recognize and report breaches promptly.

In addition to breach response, e-commerce businesses should regularly review and update their privacy policies to reflect current data processing practices and ensure transparency with customers. Clear and comprehensive privacy notices help inform users about how their data is collected, used, and protected, thereby fostering trust and compliance. Implementing a culture of accountability, as emphasized in [Principle of Accountability under GDPR](https://www.legiscope.com/blog/principle-accountability-gdpr.html), ensures that data protection is integrated into every aspect of the business operation.

Moreover, appointing a Data Protection Officer (DPO) can significantly enhance an e-commerce company's ability to manage data subject rights and respond to breaches effectively. As discussed in [GDPR DPO Position](https://www.legiscope.com/blog/gdpr-dpo-position.html), a DPO oversees data protection strategies, ensures compliance with GDPR, and serves as a point of contact for both regulators and data subjects. Utilizing [Legiscope's compliance software](https://www.legiscope.com) can further aid in automating and managing these responsibilities, ensuring that businesses remain vigilant and responsive to data protection obligations.

## Conclusion

Achieving GDPR compliance is a multifaceted endeavor that requires e-commerce businesses to adopt a comprehensive and proactive approach to data protection. From meticulous data collection and consent management to robust security measures and effective handling of data subject rights, each aspect plays a crucial role in ensuring compliance and building trust with customers. The significant fines imposed in cases like Google, British Airways, and Equifax highlight the severe consequences of non-compliance, reinforcing the imperative for businesses to prioritize data privacy.

Practical steps such as conducting regular data protection impact assessments, appointing a dedicated Data Protection Officer, and leveraging compliance platforms like [Legiscope](https://www.legiscope.com) can streamline the implementation process, reduce operational risks, and enhance overall data management practices. Furthermore, staying informed about evolving legal requirements and industry best practices through resources like [GDPR Surveys](https://www.legiscope.com/blog/gdpr-survey.html) and [GDPR DPO Tasks](https://www.legiscope.com/blog/gdpr-dpo-tasks.html) ensures that e-commerce businesses remain compliant in a dynamic regulatory landscape.

Ultimately, GDPR compliance is not just about adhering to legal obligations but also about fostering a culture of privacy and accountability. By embedding data protection into the core business strategy and operations, e-commerce companies can differentiate themselves in the marketplace, offering customers the assurance that their personal data is handled with the highest standards of care and integrity. Embracing GDPR as a foundation for data privacy will not only safeguard businesses against legal risks but also contribute to long-term success and customer loyalty.

Comprehensive guide for e-commerce businesses to achieve GDPR compliance, including legal references, case studies, and practical implementation tips.

A step by step guide to e-commerce compliance under the GDPR


The General Data Protection Regulation (GDPR) is a regulation in the European Union in the field of data protection. It replaces the Data Protection Directive 95/46/EC, which was introduced in 1995. The GDPR was adopted on April 14, 2018, and came into force on May 25, 2018. The GDPR regulates the handling of personal data by controllers and processors.


The regulation sets out strict rules about how personal data must be collected, used, and protected. It gives individuals the right to know what personal data is being collected about them, the right to have that data erased, and the right to object to its use.

The regulation applies to any company that processes the data of individuals in the EU, regardless of whether the company is based inside or outside the EU.

## 7 principles of GDPR 

The 7 principles of GDPR are:

1. Lawfulness, fairness and transparency
2. Purpose limitation
3. Data minimisation
4. Accuracy
5. Storage limitation
6. Integrity and confidentiality
7. Accountability


1. Lawfulness, fairness, and transparency

The law requires that data processing activities be carried out in a lawful, fair, and transparent manner. This means that individuals must be informed of the purposes for which their data will be used, and they must be given a chance to object to its use if they so choose.

2. Purpose limitation

The law restricts the use of personal data to the specific purpose(s) for which it was collected. This principle ensures that data is not used for any other purpose that the individual has not consented to.

3. Data minimization

The law requires that data be collected and processed only to the extent necessary to achieve the specific purpose for which it was collected. This principle helps to protect individuals from having their data used for purposes that they did not consent to, or that are not necessary for the purposes for which it was collected.

4. Accuracy

The law requires that personal data be accurate and up-to-date. This principle helps to ensure that individuals are not unfairly disadvantaged by incorrect or outdated data.

5. Storage limitation

The law requires that personal data be kept for no longer than is necessary for the purpose(s) for which it was collected. This principle helps to protect individuals from having their data stored for longer than is necessary, or from having it used for purposes that it was not collected for.

6. Integrity and confidentiality

The law requires that personal data be protected from unauthorized access, disclosure, or destruction. This principle helps to ensure that individuals’ data is safe and secure, and that their privacy is respected.

7. Accountability

The law requires that data controllers be held accountable for their compliance with the GDPR. This principle helps to ensure that individuals’ rights are respected and that data controllers are transparent in their handling of personal data.


## Fines 

Under the GDPR, fines for non-compliance can be up to 4% of a company’s global annual revenue or €20 million (whichever is greater). In addition, companies can be ordered to stop processing data, and ordered to delete data that has been processed unlawfully.

Some specific examples of cases where companies have been fined for GDPR violations include:

- Google was fined €50 million by the CNIL (the French data protection authority) in January 2019 for a lack of transparency, inadequate information, and lack of valid consent regarding the use of personal data for advertising purposes.

- In July 2019, the British Airways was fined £183 million (around $230 million) by the UK’s Information Commissioner’s Office (ICO) for a data breach that affected 500,000 customers.

- In December 2018, the Marriott International was fined €110 million (around $124 million) by the ICO for a data breach that affected 339 million customers.




The General Data Protection Regulation (GDPR) is one of the most important regulation in the European Union in the field of data protection

What is GDPR ?


The concept of 'legitimate interests' as a legal basis under the General Data Protection Regulation (GDPR) is often misunderstood and misapplied, leading to unnecessary legal risks. This is evident in cases such as the notable sanction against Facebook (now META), which faced a fine of 390 million euros for [improper application of legitimate interests European Court of Justice Decision] (HTTPS:/ /curia.europa.eu/juris/document/document.jsf?text=&docid=275125&pageindex=0&doclang=fr&mode=req&dir=&occ=first&part=1&cid=1652408).

To appropriately invoke legitimate interests under Article 6(1)(f) of the GDPR, it is imperative to conduct a thorough **triple test**. This test ensures the legality of processing activities under the specified legal basis and aims to prevent potential abuses, especially since obtaining explicit consent from data subjects is not required in this context.


## 1. Understanding "Legitimate Interests"

According to Article 6(1)(f) of the GDPR:

"The processing is lawful only if and to the extent that at least one of the following applies:
f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child."

These provisions allows data controllers to collect and process personal data without obtaining consent, provided they have a legitimate reason to do so. However, to prevent potential misuse, the GDPR adds additional requirements for invoking legitimate interests. These are encapsulated in the following triple test:

- Objective Test: Does the controller have a legitimate interest in processing the data?
- Necessity Test: Is the processing of data genuinely necessary for the stated purpose?
- Balance Test: Do the interests of the data subject outweigh the legitimate interest of the controller?

The French Data Protection Authority (CNIL) emphasizes that this legal basis is applicable to processing activities by private entities that do not significantly harm the rights and interests of the data subjects [CNIL Guidelines] (https://www.cnil.fr/fr/les-bées-legales/tert-legitime)



## 2. Practical Examples of Legitimate Interests under the GDPR

The GDPR provides specific instances where legitimate interests can be considered a valid legal basis for data processing. These examples, highlighted in Recitals 47, 48, and 49 of the GDPR, include:

- Fraud Prevention: A key area where legitimate interests are often invoked, highlighting the necessity of processing personal data to protect against fraudulent activities.
- Network and Information System Security: As elaborated in Recital 49, ensuring the security of network and information systems is a paramount concern. This involves processing personal data as strictly necessary to safeguard against accidental or unlawful events that compromise the integrity, availability, and confidentiality of stored or transmitted data.
- Commercial Prospecting: The use of personal data for business development and marketing purposes, within certain limits, can be justified under legitimate interests.

The [European Commission further clarifies](https://commission.europa.eu/law/law-topic/data-protection/reform/rules-business-and-organisations/legal-grounds-processing-data/grounds-processing/what-does-grounds-legitimate-interest-mean_fr#:~:text=Votre%20entreprise%2Forganisation%20a%20un,informations%20de%20vos%20systèmes%20informatiques) that legitimate interests may be applicable when processing occurs in the context of a customer relationship, for purposes such as marketing, fraud prevention, or ensuring the security of network and IT systems.

If we analyze Recital 49 of the GDPR, we observe that the processing carried out to ensure the security of information systems, based on legitimate interest, has been extensively mentioned: 'The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring the security of the network and information, that is, the ability of a network or an information system to withstand, at a given level of confidence, accidental events or illegal or malicious actions that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data, as well as the security of the related services offered or made accessible via these networks and systems, by public authorities, Computer Emergency Response Teams (CERT), Computer Security Incident Response Teams (CSIRT), providers of networks and electronic communications services, and providers of technology and security services, constitutes a legitimate interest of the data controller concerned. This could involve, for example, preventing unauthorized access to electronic communication networks and the distribution of malicious code, stopping 'denial of service' attacks, and addressing damage to computer and electronic communication systems.


## 3. No Legitimate Interest for Public Authorities

It is important to remember that the legal basis of legitimate interests cannot be used by public authorities; Recital 47 explains why: "Considering that it is the responsibility of the legislator to provide by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing carried out by public authorities in the performance of their tasks."


### 4.1 Identifying the Interests of the Data Controller or a Third Party and Their Legitimacy

Firstly, it is necessary to clearly identify the interests and objectives of the data controller or third party under which the processing is operated. The following questions can be asked:

- Why is the processing being carried out?
- What benefits are expected from the processing?
- Who benefits from the processing?
- What would be the impact if the organization could not implement the processing?

Recital 47 is useful in this analysis: "The existence of a legitimate interest would need careful assessment, including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place." In the context of a business relationship, it is useful to consider the reasonable expectations of individuals regarding the processing of their data. For example, in a B2B context, it is reasonable for a customer of a company to expect to be contacted by email for a commercial proposal related to an ancillary service.

The [french CNIL indicates](https://www.cnil.fr/fr/les-bases-legales/interet-legitime)  that "the interest pursued by an entity can be presumed if the following 3 conditions are met:

- The interest is manifestly lawful in view of the law;
- It is determined clearly and precisely;
- It is real and present for the concerned entity, and not fictitious.


## 4.2 The Condition of Necessity

The organization must then ensure that the **processing is necessary** (see Art. 6: "the processing is necessary for the purposes of legitimate interests").

This condition can be broken down into two points:

On one hand, it is necessary to verify that the processing actually achieves the intended purpose, rather than serving other objectives. This condition often poses problems in cases where an organization claims to collect data for one purpose, while in reality, it uses the data for entirely different purposes. Attention must be paid to this as it represents a real and significant risk of deviation.
On the other hand, it is necessary to ensure that there is no less intrusive means of achieving the same objective than implementing the processing.
Therefore, the following questions can be asked:

- Will this processing actually help the organization achieve the initially stated objective?
- Is the processing proportionate to this objective?
- Is it possible to achieve the same objective without the processing?
- Is it possible to achieve the same objective by processing less data, or by processing the data in a less intrusive manner (also consider the principle of data minimization)?

The fundamental interests and rights of the data subject could, in particular, prevail over the interest of the data controller when personal data are processed in circumstances where data subjects do not reasonably expect further processing.

Generally, "necessary" means that the processing must be a targeted and proportionate means of achieving the stated objective. Again, the legal basis of legitimate interests cannot be relied upon if there is another reasonable and less intrusive means to achieve the same result.



### 4.3 The Balancing Condition

To understand the balancing test, we need to revisit Article 6. Indeed, the legitimate interests of the data controller (DC) may justify this legal basis "unless the interests or fundamental freedoms and rights of the data subject that require protection of personal data prevail."

Thus, a balance is established: the interests of the DC cannot override the interests, freedoms, or fundamental rights of the data subject.

Recital 47 adds further elements to the analysis of this balancing condition:

- "unless the interests or fundamental freedoms and rights of the data subject prevail, **taking into account the reasonable expectations of the data subjects based on their relationship with the controller**"
- "the existence of a legitimate interest should be subject to careful assessment, particularly **to determine whether a data subject can reasonably expect, at the time and in the context of the collection of personal data, that it may be processed for a particular purpose**"
- "The interests and fundamental rights of the data subject may, in particular, prevail over the interest of the data controller when personal data are processed **in circumstances where data subjects do not reasonably expect further processing**"

The reasonable expectations of the data subjects - [in English](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679) "reasonable expectations of data subjects based on their relationship with the controller" - are thus essential elements to consider.

The CNIL [states that](https://www.cnil.fr/fr/les-bases-legales/interet-legitime) "the entity must therefore strike a balance, a weighing of the rights and interests at stake, and verify in this context that the interests (commercial, security of goods, fraud prevention, etc.) it pursues do not create an imbalance to the detriment of the rights and interests of the individuals whose data is processed." Then "the entity must first identify all kinds of consequences that its processing may have on the data subjects: on their privacy but also, more broadly, on all the rights and interests covered by the protection of personal data." Finally, "The entity must then take into account, in the weighting between its legitimate interest and the rights and interests of the persons, their 'reasonable expectations'."

A series of questions can be posed to clarify these aspects:

- **General Context of Processing**
    - Are there any Article 9 or 10 data involved?
    - Are these data likely to be considered particularly "private" or sensitive by the individuals?
    - Are data of children, minors, or vulnerable individuals being processed?
    - Are data related to the personal or professional capacity of individuals being processed?

- **Relationship with the Data Subjects**
    - Is there a relationship with the individual?
    - What is the nature of this relationship, and how have the data been used in the past?
    - Were the data collected directly from the individuals?
    - What information were they provided with?
    - How long ago were the data collected? Are there any technological or contextual changes since then that would affect expectations?

## 5. Key Texts

The aforementioned Article 6.

- Recital 47 "The legitimate interests of a data controller, including those of a data controller to whom personal data may be disclosed, or of a third party, may constitute a legal basis for processing, unless the interests or fundamental rights and freedoms of the data subject prevail, taking into account the reasonable expectations of the data subjects based on their relationship with the data controller. Such a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the data controller in situations such as where the data subject is a client of the data controller or is in the service of the data controller. In any case, the existence of a legitimate interest should be subject to careful assessment, particularly to determine whether a data subject can reasonably expect, at the time and in the context of the collection of personal data, that it may be processed for a particular purpose. The interests and fundamental rights of the data subject may, in particular, prevail over the interest of the data controller when personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is the responsibility of the legislator to provide by law the legal basis for the processing of personal data by public authorities, this legal basis should not apply to processing carried out by public authorities in the performance of their tasks. The processing of personal data strictly necessary for fraud prevention purposes also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as being carried out for a legitimate interest."

- Recital 48 "Controllers that are part of a group of undertakings, or institutions affiliated with a central body, may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of personal data of clients or employees. The general principles for the transfer of personal data, within a group of undertakings, to an enterprise in a third country remain unaffected."

- Recital 49 "The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e., the ability of a network or an information system to withstand, at a given level of security, accidental or unlawful events that compromise the availability, authenticity, integrity, and confidentiality of stored or transmitted personal data, as well as the security of the related services offered or made accessible via these networks and systems, by public authorities, Computer Emergency Response Teams (CERT), Computer Security Incident Response Teams (CSIRT), providers of networks and electronic communication services, and providers of technology and security services, constitutes a legitimate interest of the data controller concerned. This could involve, for example, preventing unauthorized access to electronic communication networks and the distribution of malicious code, and stopping 'denial of service' attacks and damage to computer and electronic communication systems."



A Comprehensive Guide to Using 'Legitimate Interests' as a Legal Basis under the GDPR, Including Challenges, Conditions, and Practical Examples

How to Conduct the Triple Test to Assess the Legitimate Interests of the Data Controller (GDPR)


GDPR data storage compliance is essential for businesses committed to protecting personal information and maintaining customer trust. The [General Data Protection Regulation (GDPR)](https://eur-lex.europa.eu/eli/reg/2016/679/oj) establishes strict protocols on how organizations should collect, store, and manage personal data. Adhering to GDPR data storage requirements not only helps avoid substantial fines but also reinforces your organization's reputation. Non-compliance can lead to severe legal repercussions and significant damage to your brand’s credibility.

This guide provides actionable insights and best practices to assist organizations in developing effective data retention policies. Whether you are a startup or a multinational corporation, you will find the necessary tools to ensure compliance and safeguard sensitive information. Implementing these strategies allows businesses to handle personal data responsibly, mitigate risks associated with data breaches, and adhere to regulatory standards. Prioritizing GDPR data storage compliance ensures legal adherence, enhances operational efficiency, and builds customer confidence.

### Key Takeaways

- GDPR mandates the secure storage of personal data and prohibits retention beyond necessary periods.
- Establishing a comprehensive data retention policy is crucial for maintaining compliance.
- Regular data audits and impact assessments are vital for ongoing GDPR adherence.
- Choosing GDPR-compliant data storage solutions mitigates risks and ensures data protection.
- Respecting data subject rights is fundamental for lawful data processing and storage.

### Understanding GDPR Data Storage Requirements

The GDPR outlines specific principles that govern the storage of personal data, ensuring organizations handle information responsibly and protect individual privacy rights. Key principles related to data storage include data minimization, storage limitation, integrity and confidentiality, and accountability. These principles form the foundation of GDPR compliance and must be diligently applied to all data storage practices.

Data minimization requires organizations to collect only the data essential for their defined purposes. By avoiding excessive data collection, businesses can reduce storage burdens and lower risks associated with retaining unnecessary information. This practice not only ensures compliance but also improves operational efficiency by focusing resources on critical data management tasks.

The storage limitation principle dictates that personal data must not be retained longer than necessary for the purposes for which it was collected. Organizations must establish clear retention periods based on the data's purpose and ensure timely deletion or anonymization once the data is no longer needed. Adhering to this principle helps prevent data accumulation, reduces storage costs, and aligns with GDPR mandates.

Integrity and confidentiality demand that organizations implement appropriate security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. This involves deploying advanced encryption techniques, establishing robust access controls, and conducting regular security assessments to ensure data remains secure and unaltered. Ensuring data integrity and confidentiality not only complies with GDPR but also safeguards against potential data breaches and cyber threats.

### Legal Obligations and Responsibilities

Compliance with GDPR data storage requirements is mandatory for organizations operating within the EU or handling data of EU citizens. Failure to adhere can lead to severe legal repercussions, including hefty fines and reputational damage. Understanding and implementing necessary measures to achieve compliance is essential for safeguarding your organization against potential legal challenges.

Data controllers determine the purposes and means of processing personal data, while data processors manage data on behalf of controllers. Both roles carry distinct responsibilities concerning data storage and protection to ensure GDPR compliance. Clearly defining these roles fosters accountability and facilitates effective data management across the organization.

Non-compliance with GDPR can incur substantial fines, reaching up to €20 million or 4% of an organization's global annual turnover, whichever is higher. Notable cases include the [British Airways GDPR Fine](https://eur-lex.europa.eu/eli/reg/2016/679/oj), the [Marriott GDPR Penalty](https://eur-lex.europa.eu/eli/reg/2016/679/oj), and the [H&M GDPR Violation](https://eur-lex.europa.eu/eli/reg/2016/679/oj). These instances highlight the financial and reputational consequences of failing to comply with GDPR data storage requirements.

### Best Practices for GDPR-Compliant Data Storage

Achieving GDPR data storage compliance requires implementing best practices that ensure data is managed securely and efficiently. The following strategies are essential for maintaining compliance and protecting personal data.

Implementing robust encryption is a foundational security measure. Encrypting personal data both at rest and in transit ensures that, even if data is intercepted or accessed without authorization, it remains unreadable and secure. Advanced encryption standards, such as AES-256, are recommended for formidable data protection, aligning with GDPR's stringent security requirements. Regularly updating encryption protocols and conducting encryption audits are critical for maintaining data security.

Restricting access to personal data solely to authorized personnel is imperative. Utilizing role-based access controls (RBAC), multi-factor authentication (MFA), and conducting regular access reviews can prevent unauthorized data access and bolster security. These measures ensure that only individuals who need access to data can obtain it, mitigating the risk of internal breaches and maintaining data integrity.

Conducting regular data audits helps organizations inventory stored data, assess its relevance, and verify compliance with retention schedules. Audits are pivotal in identifying and rectifying potential vulnerabilities in data storage practices. Establishing a routine audit schedule and utilizing automated audit tools can enhance the efficiency and accuracy of data audits.

### Implementing a GDPR Data Retention Policy

A meticulously defined data retention policy is vital for GDPR compliance. It outlines how long different types of personal data are stored and the methods employed for their secure disposal. Implementing an effective data retention policy involves several critical steps that ensure consistent and compliant data management practices across the organization.

Conducting a comprehensive data inventory is the initial step. Organizations should audit all personal data collected and stored, categorizing it based on type, source, purpose, and sensitivity. Understanding the data held is fundamental for determining appropriate retention periods and ensuring responsible data management.

Defining explicit retention periods for each data category based on legal requirements, business needs, and GDPR principles is essential. For instance, financial records might need to be retained for seven years to comply with tax laws, while marketing data may only be kept for a few years. Establishing specific timeframes aids in maintaining compliance and efficient data management.

### Technical Implementation of GDPR-Compliant Data Storage

Ensuring GDPR compliance in data storage requires the integration of robust technical solutions and security measures. The following technical implementations are crucial for maintaining compliance and safeguarding personal data.

Selecting appropriate data storage solutions is paramount. Opt for storage providers that offer built-in security features and compliance certifications. Cloud storage providers such as [AWS](https://aws.amazon.com), [Microsoft Azure](https://azure.microsoft.com), and [Google Cloud](https://cloud.google.com) offer GDPR-compliant services with extensive security controls. Evaluating providers based on their compliance capabilities ensures that data storage practices meet legal standards and organizational requirements.

Deploying advanced encryption techniques fortifies data security. Utilizing strong encryption protocols like AES-256 for data at rest and TLS for data in transit ensures that personal data remains protected against unauthorized access. Encryption acts as a critical barrier against data breaches, aligning with GDPR's stringent security standards.

Implementing these technical measures secures data and ensures that organizations can efficiently manage and access data in compliance with GDPR standards. Regularly updating security protocols, conducting vulnerability assessments, and utilizing automated security tools are vital for maintaining effective data protection strategies.

### Industry-Specific GDPR Data Storage Guidelines

Different industries have unique data storage needs and regulatory requirements. Tailoring GDPR data storage practices to align with specific industry standards is essential for compliance and effective data management. Below are guidelines tailored to various sectors to help organizations implement industry-specific GDPR data storage strategies.

In the healthcare sector, organizations handle highly sensitive personal data, including health records. GDPR mandates stringent data protection measures to ensure patient privacy. Key guidelines include encrypting patient data both at rest and in transit, implementing robust access controls to restrict data access to authorized personnel only, and conducting regular data protection impact assessments (DPIAs) to identify and mitigate risks.

Financial institutions manage vast amounts of personal and transactional data. GDPR compliance in the finance sector involves ensuring data integrity and accuracy through regular audits, implementing robust encryption and security measures to protect financial data, and establishing clear data retention policies that adhere to regulatory mandates, such as retaining financial records for a specified number of years.

E-commerce businesses collect substantial customer data to facilitate transactions and improve user experience. GDPR compliance in e-commerce entails secure data storage systems that protect customer information, transparent data processing policies, and mechanisms for customers to exercise their data rights, such as accessing, correcting, or deleting their data.

### Case Studies and Real-World Examples

Analyzing real-world examples offers valuable insights into effective GDPR data storage compliance. The following case studies highlight successful implementations and the lessons learned from these endeavors.

A leading healthcare provider adopted AES-256 encryption for all patient records, both at rest and in transit. By integrating encryption into their data storage systems, they ensured that sensitive health information remained secure and compliant with GDPR requirements. Additionally, they enforced stringent access controls, limiting data access exclusively to authorized medical staff.

A major financial institution overhauled its data retention policies to align with GDPR. They conducted a thorough data inventory, categorizing personal data based on type and purpose. By establishing clear retention periods and automating data deletion processes, they minimized the risk of retaining unnecessary data.

An e-commerce company streamlined its data collection practices by adopting a data minimization approach. They limited data collection to essential information required for transactions and customer service. Implementing clear and concise consent mechanisms ensured customers were informed and provided explicit consent for data processing.

## FAQ

**Q: What is GDPR data storage?**

GDPR data storage refers to the methods and practices organizations must follow to store personal data in compliance with the [General Data Protection Regulation (GDPR)](https://eur-lex.europa.eu/eli/reg/2016/679/oj). This includes ensuring data security, implementing appropriate retention policies, and maintaining data integrity.

**Q: How long can I store personal data under GDPR?**

Under GDPR, personal data should not be kept longer than necessary for the purposes for which it was collected. The retention period varies depending on the type of data and its intended use. Organizations must define and document retention periods based on legal, regulatory, and business requirements.

**Q: What are the penalties for non-compliance with GDPR data storage?**

Non-compliance with GDPR data storage can result in significant fines, up to €20 million or 4% of an organization's global annual turnover, whichever is higher. Additionally, organizations may face legal actions, reputational damage, and loss of customer trust.

**Q: What measures can I implement to secure stored data?**

To secure stored data, organizations should implement strong encryption, access controls, regular data audits, data anonymization techniques, and robust backup and recovery systems. Additionally, conducting regular security assessments and employee training can enhance data protection.

**Q: Do I need a Data Protection Officer (DPO) for data storage compliance?**

Whether you need a DPO depends on the nature and scale of your data processing activities. Organizations that conduct large-scale processing of sensitive data or systematically monitor individuals are required to appoint a DPO. The DPO oversees GDPR compliance, including data storage practices.

## Conclusion

Achieving GDPR data storage compliance is essential for protecting personal data, maintaining customer trust, and avoiding significant penalties. By understanding GDPR principles, implementing best practices, conducting regular audits, and utilizing the right technical solutions, organizations can effectively manage their data storage processes in accordance with GDPR requirements.



Ensure GDPR data storage compliance in 2024 with our comprehensive guide. Discover best practices, legal obligations, and strategies to protect personal data and maintain customer trust.

Comprehensive GDPR Data Storage Compliance Guide 2024


One of the fundamental principles of data protection law, which has been further strengthened under the EU's General Data Protection Regulation (GDPR), is the requirement that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This principle, known as "purpose limitation," is enshrined in Article 5(1)(b) of the GDPR.

## I - Understanding the Purpose Limitation Principle

The purpose limitation principle is a cornerstone of the GDPR and serves to protect data subjects by ensuring that their personal data is only used in ways that they would reasonably expect and have been informed about. It consists of two key components:

1. **Data must be collected for specified, explicit and legitimate purposes:** This means that at the time of data collection, the controller must clearly and specifically define the purposes for which the data will be processed. These purposes must be legitimate, meaning they must be in accordance with the law and not violate the rights and freedoms of data subjects.

2. **Data must not be further processed in a manner that is incompatible with those purposes:** Once personal data has been collected for a specified purpose, it should not then be repurposed and processed in a way that is incompatible with the original purpose. If the controller wishes to process the data for a new purpose, they must either obtain fresh consent from the data subject or ensure that the new purpose is compatible with the original purpose.

## II - Specifying Purposes

When specifying the purposes of processing, controllers need to be clear, unambiguous, and specific. Vague or general descriptions such as "improving user experience," "marketing purposes," or "future research" will not suffice. Instead, purposes should be granular and clearly articulated, for example:

- "To process your order and arrange delivery of products"
- "To send you our monthly newsletter containing product updates and special offers"
- "To analyze website usage data to identify areas for improvement in site navigation and content"

Importantly, these specified purposes must then be communicated to data subjects in a clear and transparent way, typically through privacy notices or policies at the point of data collection.

## III - Compatible Purposes

The GDPR recognizes that it's not always possible or practical to obtain fresh consent from data subjects every time a controller wants to process their data for a new purpose. Therefore, the Regulation allows for further processing without new consent where the new purpose is deemed "compatible" with the original purpose.

To determine whether a new processing purpose is compatible with the original purpose, controllers should take into account factors such as:

- Any link between the original and new purposes
- The context in which the data was collected and the reasonable expectations of data subjects
- The nature of the personal data, particularly whether it involves special categories of data or criminal offense data
- The possible consequences of the new processing for data subjects
- The existence of appropriate safeguards, such as encryption or pseudonymization

Where a controller determines that a new processing purpose is compatible, they should still update their privacy notice to inform data subjects of this additional purpose.

## IV - Incompatible Purposes and Fresh Consent

If a controller wishes to process personal data for a purpose that is incompatible with the original purpose, they will generally need to obtain fresh consent from the data subject. This new consent must meet all the requirements of the GDPR, meaning it must be freely given, specific, informed and unambiguous.

There are some limited exceptions to this requirement for fresh consent, such as where the processing is necessary for compliance with a legal obligation, to protect the vital interests of the data subject, or for the performance of a task carried out in the public interest. However, these exceptions are narrowly defined and controllers should be cautious about relying on them without a clear justification.

## V - Enforcement and Penalties

Failure to comply with the purpose limitation principle can result in significant penalties under the GDPR. Supervisory authorities such as the UK's Information Commissioner's Office (ICO) have the power to issue fines of up to €20 million or 4% of a company's global annual turnover, whichever is higher, for infringements of this and other key principles of the Regulation.

In addition to financial penalties, non-compliance can also lead to reputational damage, loss of customer trust, and even legal action from affected data subjects. It's therefore crucial that controllers take their obligations around purpose specification and compatible processing seriously.

## Conclusion

The purpose limitation principle is a fundamental tenet of the GDPR that aims to give data subjects control over how their personal information is used. By requiring controllers to specify clear, legitimate purposes for processing and ensuring that any further processing is compatible with those original purposes, the Regulation seeks to promote transparency and prevent misuse of personal data.

To comply with this principle, controllers must carefully consider and clearly articulate the purposes for which they collect and process personal data, communicate these purposes to data subjects, and implement robust processes to assess the compatibility of any new processing purposes. By doing so, they can not only avoid costly penalties but also build trust with customers and uphold the fundamental rights and freedoms of individuals.

Article 5 of the GDPR lays out key principles related to the purposes for which personal data can be processed.

The Purposes of Processing under the GDPR

Discover essential data privacy principles to protect personal information and ensure GDPR compliance. Learn best practices and strategies for effective data governance.

Data Privacy Principles: Comprehensive Guide


It is important to ensure GDPR compliance when collecting personal data, as numerous sanctions have been imposed in this regard (see 14 GDPR Sanctions You Must Know). However, it is quite easy to implement minimal rules and avoid the risk of a fine.

In most cases, collecting data through a questionnaire, form, or web survey will trigger the application of the GDPR due to the use of the user's IP address (which is considered a personal data under the GDPR).

Therefore, there are certain important obligations to implement to ensure compliance (I). We will then see some practical examples (II).

## I. - Key Obligations to Comply With

There are a number of important obligations to comply with: adding the processing activity to the registry, minimizing collected data, and displaying GDPR information notices.

### Step 1: Add the Processing Activity to the Registry

As soon as an organization sets up an activity that processes personal data (under the GDPR = any data that allows the identification of individuals, directly or indirectly), the organization must reference this activity in a registry.

Note, __the data processed is not referenced, but the activity itself (e.g., conducting customer satisfaction surveys)__. The reason for this is that it then allows for knowing where the personal data processed by the organization are and subsequently verifying their compliance (e.g., their security, the periods during which the data are processed, etc).

Typically, a [GDPR compliance management software](https://www.legiscope.com) is used for this - and for the example of [Legiscope](https://www.legiscope.com), the software already offers a series of pre-written and GDPR-compliant standard data collection and processing activities; so one can simply import this type of processing into the registry:

<img src="/img/questionnaire.png" />

Once the activity is imported, it will be automatically added to the registry and the description of the processing activity will be compliant with the [requirements of Article 30 for the creation of the registry](https://www.donneespersonnelles.fr/registre-rgpd).

Indeed, the organization must detail:

* a) the name and contact details of the data controller and, where applicable, the joint controller, the representative of the data controller, and the data protection officer; 
* b) the purposes of the processing;
* a description of the categories of data subjects and the categories of personal data;
* the categories of recipients;
* transfers of personal data;
* the envisaged time limits for the erasure of the different categories of data;
* a general description of the technical and organizational security measures

It is possible to write this documentation manually, but the task is laborious for each treatment [and here](https://www.legiscope.com), the drafting has been pre-performed entirely:

<img src="/img/questionnaire-detail.png" />

Once the activity is added to the registry, it is then necessary to minimize the collected data.

### Step 2: Minimize Collected Data

The GDPR requires the collection of the minimum amount of data from the data subjects (Art. 5):

> adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimization)

Therefore, it is necessary to reflect on the questions asked and ensure that they are adequate in relation to the objectives of the processing.

For example, **for a company operating a home cleaning service**:

* the quality of the cleaning: rating from 1 to 10
* the punctuality of the person: rating from 1 to 10
* the politeness of the person: rating from 1 to 10
* the name of the client or their identifier

These data are indeed objectively necessary for evaluating the service. Note that the data here are well minimized by using a rating from 1 to 10 and carefully avoiding a free text field which would open the possibility for clients to enter all sorts of data (comments unrelated to the work performed).

This is an important element of implementation.


### Step 3: Display GDPR Information Notices

GDPR information notices are also important to display to the user, as this is part of the transparency obligations that organizations have when collecting personal data - [the french CNIL has very detailed prescriptions in this regard](https://www.cnil.fr/fr/conformite-rgpd-information-des-personnes-et-transparence).

To simplify things, it is necessary to clearly inform the user about what is done with their data, the reason for collecting it, and a series of other information such as the duration for which the data will be retained.

Legal notices can be generated automatically using GDPR compliance management software or drafted manually.



### Step 4: Is Consent Necessary?

It is not necessarily required to obtain the consent of individuals whose data is processed if the questionnaire is part of a service provided by the organization.

Indeed, [what the GDPR requires is to have a legal basis](https://www.donneespersonnelles.fr/article_6-rgpd). Consent is one legal basis, but it is not the only one!

Article 6 of the GDPR provides 6 legal bases that authorize the collection of personal data:

* The consent of the individuals
* The contract, or pre-contractual measures
* A legal obligation
* The protection of vital interests of a person
* Public interest / public authority
* The legitimate interests of the data controller

In this respect, it is perfectly conceivable for the evaluation of a service, to rely on the "contractual" legal basis. That being said, beyond a service provided, consent will be the most appropriate legal basis for any general questionnaire (see here [how to collect valid consent under the GDPR](https://www.donneespersonnelles.fr/consentement-rgpd-valable))


## II. - Practical Example

To conclude, here is a practical example of a GDPR-compliant service evaluation questionnaire:

<img src="/img/exemple-questionnaire-rgpd.png" />






How to design a questionnaire that is compliant with the GDPR and ensures data collection in accordance with the law

How to Create a GDPR Compliant Questionnaire (Surveys, Satisfaction Inquiries, etc.)


The GDPR introduced an interesting new concept to ensure the protection of personal data : the notion of *"privacy by design"*. In fact, to be completely exact, the GDPR distinguishes two ideas : the idea of ​*privacy by design* and the idea of *​privacy by default*. These concepts originally came from the Commissioner of the Canadian Agency for the protection of personal data (Dr. Anne Cavoukian) who developed a series of principles in 2010 to take privacy into account straight from the design of processing systems.

The GDPR welcomed this idea but from a rather specific angle. Therefore it's necessary to understand these concepts(1) before clearly looking at their impmentation in the GDPR that really differs (2). Finally we will look implementation in practice (3).

## I. - What is privacy by default and privacy by design ?

The principle is quite simple : <u>privacy by design</u> is the idea that the **protection of privacy must be taken into account at the very moment of designing an IT system**. For Apple for example, it's the idea that the company need to propose an option to encrypt hard drives to it's users. So, in the event of loss or theft, encryption will keep personal data confidential.

This concept differs from <u>privacy by default</u>, which is the idea that - when protection measures are set, they must be activated by default. In the case of Apple, it means that in the settings, the checkbox "encrypt the data on my hard drive" should be checked by default - as soon as the laptop is delivered to the user, in order to avoid any additional effort which might not systematically be carried out.

<u>**The details of the Canadian proposal and the 7 principles**</u>

Let's take a look at the [Canadian proposal](https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf) of 2010 and the principles of data protection by design and default originally set : 

1. "Proactive not reactive—preventative not remedial. Anticipate, identify, and prevent invasive events before they happen; this means taking action before the fact, not afterward."
2. "Lead with privacy as the default setting - Ensure personal data is automatically protected in all IT systems or business practices, with no added action required by any individual."
3. "Embed privacy into design - Privacy measures should not be add-ons, but fully integrated components of the system."
4. "Retain full functionality (positive-sum, not zero-sum) - Privacy by Design employs a “win-win” approach to all legitimate system design goals; that is, both privacy and security are important, and no unnecessary trade- offs need to be made to achieve both."
5. "Ensure end-to-end security - Data lifecycle security means all data should be securely retained as needed and destroyed when no longer needed."
6. "Maintain visibility and transparency—keep it open - Ensure stakeholders that business practices and technologies are operating according to objectives and subject to independent verification."
7. "Respect user privacy—keep it user-centric - Keep things user-centric; individual privacy interests must be supported by strong privacy defaults, appropriate notice, and user-friendly options."

In summary, here are the rules to take into account when designing an information system :

1. Anticipate privacy risks 
2. Enable all privacy-protecting options by default
3. Plan for privacy as a central function 
4. Do not limit system functionality in return for privacy protection
5. Ensure end-to-end IT security
6. Maintain the transparency of the processing carried out by the IS
7. Respect the privacy of users and provide this as an additional benefit offered to users

However the GDPR took a completly different direction for implementation of these ideas.

### II. - What are the obligations imposed by Privacy By Design in the GDPR?

Unfortunately, as good as these ideas were, the GDPR took a completly different direction for their implementation - despite the title of art. 25 was kept the same: *Data protection by design and by default*. 

Let's look at the detail of article 25 :

> 1.Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, *the controller shall*, both at the time of the determination of the means for processing and at the time of the processing itself, *implement appropriate technical and organisational measures*, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing *in order to meet the requirements of this Regulation* and protect the rights of data subjects.<br />
> 2.The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

Upon reading article 25.1, we can legitimately wonder what it really brings in terms of legal obligations :

- if we summarize main obligation laid down by art. 25.1 we can establish that _“the controller implements (…) measures (…) in order to meet the requirements of this regulation”_. To sum up: the law requires the data controller to comply with the law. It doesn't add very much.
- Article 25.2 does not really do any better, as it indicates that the data controller ensures to collect the minimum amount of personal data. This might seem like a new rule of law, but it's not. It's a reminder of the principles set by article 5.1, which already imposes the controller to collect the minimum amount of data.

It is common, when faced with such a problem, to analyze the recitals of the text in order to determine what the intention of the legislator was. Recital 78 of the GDPR adds a bit more details to the article 25 :

> The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

These provisions in mind, it is now difficult to find real new obligations that don't already exist within the GDPR : 
- principle of minimization (already set by art. 5) 
- principle of minimization over time (again set by art. 5)
- principle of data security (set by art. 5 and mostly art. 32)
- respect for the rights of individuals (art. 12 et seq.) etc.

The conclusion we could reach here is that we are confronted with a legislative bug, as article 25 just imposes obligations that were already set by other provisions. We could argue that these obligations make a specific distinction about the moment of implementation (when the IT systems are desgined). But the scope of the general obligations already apply to that :  *Ubi lex non distinguit, nec nos distinguere debemus*

In realty, there's a specific category of persons that should have been targetted by the principles Privacy By Design: software editors. This is an real missing actor in the GDPR as if they do not process personal data, they have no obligation whatsoever in regard to the design of their systems. In reality, that's what the GDPR tried to aim at. GDPR targets Controllers, Processors, joint controllers, but never specifically software editors, or producers of IT equipements and it's a missing category, to which the principles set out in Article 25 should really be applied to. GDPR choose not to target these intermediaries who provide the tools to operate the data processing. As a result, the obligations set by article 25 are a bit of a miss. It is likely that the next revision of the regulations - probably around 2035-2040 - will address that issue.

In the meantime, we must do our best to try to give meaning to the intention of the legislator.

### III. - Operational actions that can be taken to implement privacy by default and privacy by design

Fortunately, even if the article 25 lacks structure, it's possible to build a clear step by step processes to implement the principles of privacy by design : 

For example let's take the one requirement : transparency. This can be translated into a operational process:

- Clarity – Information delivered to the user shall be in clear and plain language, concise and intelligible 
- Semantics – Communication should have a clear meaning to the audience in question (ex : children)
- Accessibility - Information shall be easily accessible for the data subject (materially, user should not have to do efforts to access the inforamtion about the processing activity)
- Contextual – Information should be provided at the relevant time and in the appropriate form
- Relevance – Information should be relevant and applicable to the specific data subject
- Universal design – Information shall be accessible to all data subjects, include use of machine readable languages to facilitate and automate readability and clarity
- Comprehensible – Data subjects should have a fair understanding of what they can expect with regards to the processing of their personal data, particularly when the data subjects are children or other vulnerable groups
- Multi-channel – Information should be provided in different channels and media, not only the textual, to increase the probability for the information to effectively reach the data subject
- Layered – The information should be layered in a manner that resolves the tension between completeness and understanding, while accounting for data subjects’ reasonable expectations.

Controllers should then do the work of translating each requirement into operational tools, or [use our pre-built templates inside Legiscope](https://www.legiscope.com)



The GDPR introduced a new concept of privacy by design that must be implemented in all IT projects, here's the details about the legal obligation and how to implement

Implementing Privacy By Design (GDPR)






In the rapidly evolving landscape of data protection, the principle of **storage limitation** under the General Data Protection Regulation (GDPR) occupies a central role in safeguarding individuals' personal data. This principle mandates that organizations retain personal data only for as long as necessary to fulfill the specific purposes for which it was collected, thereby preventing the indefinite storage of sensitive information. The importance of storage limitation extends beyond mere regulatory compliance; it embodies the core values of transparency, accountability, and respect for privacy, which are essential for fostering trust between organizations and their stakeholders.

The GDPR’s emphasis on storage limitation reflects a broader commitment to responsible data management in an era characterized by frequent data breaches and the misuse of personal information. Adhering to storage limitation not only mitigates the risk of substantial fines imposed by regulatory authorities but also enhances an organization’s reputation by demonstrating a steadfast commitment to upholding privacy rights. Implementing effective storage limitation strategies enables companies to balance operational efficiency with the ethical management of personal data, thereby reinforcing customer trust and loyalty in a competitive marketplace.

Operationalizing the principle of storage limitation requires a nuanced understanding of both legal requirements and practical business processes. This article explores the legal foundations and significance of storage limitation, examines strategies for its effective implementation, and analyzes enforcement actions through notable case studies. By delving into these aspects, organizations can develop comprehensive approaches to manage data retention in compliance with GDPR and other relevant regulations, thereby ensuring both legal adherence and the preservation of stakeholder trust.

## I. - Legal Foundations and Importance of Storage Limitation

The principle of storage limitation is enshrined in [Article 5(1)(e) of the GDPR](https://eur-lex.europa.eu/eli/reg/2016/679/oj), which stipulates that personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." This provision is a cornerstone of the GDPR's broader objective to protect individuals' privacy and ensure the responsible handling of personal data. By limiting the duration of data retention, the GDPR seeks to minimize risks associated with prolonged data storage, such as unauthorized access, data breaches, and the exploitation of outdated or irrelevant information.

The importance of storage limitation is further underscored by its interplay with other GDPR principles, including [data minimization](https://eur-lex.europa.eu/eli/reg/2016/679/oj) and accuracy. While data minimization focuses on collecting only the data necessary for specified purposes, storage limitation ensures that the collected data is not retained beyond its intended use. This synergy between principles reinforces a comprehensive data protection framework that promotes responsible data management practices. Moreover, by enforcing storage limitation, the GDPR addresses the dynamic nature of data processing activities, where the relevance and necessity of data can evolve over time.

Internationally, the principle of storage limitation is mirrored in various data protection laws, highlighting its universal recognition as a fundamental aspect of privacy protection. For instance, the [California Consumer Privacy Act (CCPA)](https://oag.ca.gov/privacy/ccpa) grants California residents the right to request the deletion of their personal information, aligning closely with the GDPR’s stipulations. Similarly, Brazil's [Lei Geral de Proteção de Dados (LGPD)](https://www.gov.br/governo/pt-br/acompanhe-o-governo/noticias/governo-brasileiro-adota-nova-lei-de-protecao-de-dados-pessoais) emphasizes the necessity of defining retention periods based on the purpose of data processing, reflecting the GDPR’s emphasis on necessity and proportionality.

Understanding and adhering to the storage limitation principle is crucial for organizations aiming to build and maintain trust with their customers and stakeholders. By demonstrating a commitment to responsible data retention practices, organizations not only comply with legal obligations but also enhance their reputation as trustworthy custodians of personal data. This trust is integral to sustaining long-term relationships with customers, partners, and regulatory bodies, thereby contributing to the organization's overall success and resilience in a data-driven world.

## II. - Practical Implementation Strategies

Effective implementation of the GDPR’s storage limitation principle necessitates a strategic approach that integrates comprehensive data management practices with legal compliance. The first step in this process involves conducting a thorough data audit to identify the types of personal data collected, the purposes for which it is used, and the corresponding retention periods. A well-executed data audit forms the foundation for developing clear and actionable data retention policies that align with both regulatory requirements and the organization's operational needs.

Developing robust data retention policies is essential for ensuring compliance with the storage limitation principle. These policies should clearly define retention periods for different categories of data, establish secure deletion procedures, and assign specific roles and responsibilities to relevant team members or departments. By tailoring data retention policies to the organization's unique data processing activities, businesses can ensure that data is retained only for as long as necessary and that it is disposed of securely once it is no longer needed. Regular reviews and updates of these policies are crucial to maintaining their relevance and effectiveness in response to evolving business practices and regulatory changes. Insights on [updating data retention policies](https://www.legiscope.com/blog/updating-data-retention-policies.html) can aid organizations in maintaining compliance over time.

Incorporating advanced data management practices further enhances the effectiveness of storage limitation strategies. Techniques such as data anonymization and pseudonymization play a critical role in protecting personal data by rendering it non-identifiable or replacing identifying information with pseudonyms. These methods not only reduce the risks associated with data breaches but also facilitate compliance with the GDPR by minimizing the impact of potential unauthorized access. Additionally, leveraging automated data deletion tools can streamline the process of enforcing retention policies, ensuring consistency and reducing the likelihood of human error. 

Training and awareness programs are integral to the successful implementation of storage limitation practices. Employees must be educated on the importance of data retention policies, their roles in maintaining compliance, and the procedures for data deletion. Regular training sessions and updates help reinforce these practices and ensure that staff remain informed about any changes in data protection regulations. Moreover, maintaining thorough documentation of data retention policies, data audits, and compliance measures provides evidence of due diligence, which is invaluable during regulatory inspections or audits.

Organizations seeking to streamline their GDPR compliance processes can benefit from solutions like the [Legiscope GDPR compliance platform](https://www.legiscope.com), which automates various aspects of data retention management. This compliance software saves organizations significant time and resources while ensuring adherence to legal requirements. By integrating with a software into their data management frameworks, organizations can enhance their operational efficiency and focus on core business activities without compromising on data protection standards.

## III. - Enforcement, Compliance, and Case Studies

The GDPR establishes a robust enforcement framework designed to ensure adherence to principles like storage limitation. Regulatory authorities possess the authority to impose substantial fines on organizations that fail to comply with these principles, serving both as deterrents and as reminders of the importance of responsible data management. Analyzing high-profile enforcement actions provides valuable insights into the practical implications of non-compliance and underscores the critical need for organizations to prioritize data retention policies.

One notable case is the sanction against **British Airways**, where the company was fined £20 million for inadequate data protection measures, including improper data retention practices. The breach compromised the personal and financial details of over 400,000 customers, highlighting the severe consequences of failing to implement effective storage limitation strategies. This case emphasizes the necessity for organizations to proactively manage their data retention practices to prevent large-scale data exposures and the accompanying financial and reputational damages.

Another significant enforcement action involved **Google DeepMind**, where the Information Commissioner’s Office (ICO) raised concerns regarding the retention of personal health data beyond its intended purpose. The case highlighted the risks associated with retaining sensitive information unnecessarily and underscored the importance of clear data retention policies. It served as a stark reminder that even organizations with robust data management frameworks must remain vigilant in ensuring that data is not held longer than required, particularly when dealing with highly sensitive information.

**Marriott International** faced substantial fines due to a massive data breach that revealed data was kept longer than necessary, thereby increasing the potential impact of the breach. This case underscored the importance of aligning data retention practices with GDPR requirements to minimize the risks associated with prolonged data storage. The enforcement actions against Marriott highlighted the interconnectedness of data retention and overall data protection strategies, demonstrating that inadequate storage limitation can exacerbate the consequences of data breaches.

These cases collectively illustrate the far-reaching implications of non-compliance with the GDPR’s storage limitation principle. They serve as critical lessons for organizations, emphasizing the need for proactive data management, comprehensive retention policies, regular data audits, and robust compliance frameworks. Adopting best practices, such as integrating storage limitation considerations into [Data Protection Impact Assessments (DPIAs)](https://eur-lex.europa.eu/eli/reg/2016/679/oj), engaging stakeholders, leveraging technology for compliance, and fostering continuous monitoring and improvement, can significantly mitigate the risks of non-compliance.

Organizations can also utilize resources from the [Legiscope blog](https://www.legiscope.com/blog.html) to stay informed about the latest developments in data protection and to gain further guidance on implementing effective storage limitation strategies. By learning from these enforcement actions and adopting comprehensive compliance measures, organizations can ensure that they uphold the GDPR’s storage limitation principle, thereby protecting both their operations and the privacy rights of individuals.

## Conclusion

The GDPR’s storage limitation principle is a fundamental aspect of data protection, essential for ensuring that personal data is managed responsibly and ethically. By restricting the retention of personal data to what is necessary for its intended purposes, organizations not only comply with legal requirements but also build and maintain the trust and confidence of their stakeholders. Effective implementation of storage limitation involves conducting comprehensive data audits, developing clear retention policies, and integrating advanced data management practices such as anonymization and pseudonymization.

Enforcement actions against non-compliant organizations underscore the critical importance of adhering to the storage limitation principle. These cases highlight the need for proactive data management and the benefits of adopting robust compliance frameworks. Practical tools and resources, such as the [Legiscope compliance software](https://www.legiscope.com), can significantly aid organizations in automating and streamlining their data retention processes, ensuring ongoing compliance and operational efficiency. 

Technological innovations, including data lifecycle management tools, artificial intelligence, and blockchain, offer powerful solutions to enhance storage limitation practices. As the data protection landscape continues to evolve, organizations must stay abreast of emerging trends and integrate ethical considerations into their data management strategies. Ultimately, the principle of storage limitation is not merely a regulatory obligation but a strategic imperative that contributes to the overall integrity and sustainability of an organization's data processing activities. By embracing this principle, companies can ensure the privacy rights of individuals are respected, thereby safeguarding their operations and reputation in the digital age.

An in-depth analysis of the GDPR's storage limitation principle, including legal references, case studies, and practical implementation tips to build trust in data processing.

The GDPR’s Storage Limitation Principle: Ensuring Responsible Data Retention


Beware not to confuse the DPO the **"Data Protection Officer"** (GDPR) and the **"Data Privacy Officer"** (not a GDPR concept)! And the reason is that the GDPR has a very specific view of the DPO : **the data Protection officier is NOT in charge of ensuring compliance with the GDPR**. That's the role of the Controller, not the DPO! Let's clarify this important distinction, often misunderstood by businesses who designate a DPO and discover after that the need additionnal staff to ensure compliance.

## I. - The DPO is not responsible for compliance

Within the GDPR, the Data Protection Officer has a very specific function, which is to **act independently from the Controller and ensure the GDPR is correctly implemented**. The DPO belongs in a way to the control departement. He's here to ensure the work is done properly, he's not here to do the work in the first place. A simple way to view the DPO is to see him as an employee of a data protection authority, but paid by the Controller of course.  

<u>**Why the DPO is fundamentaly independant**</u>

To understand why the DPO was created, we have to come back to the EU directive 95/46 (the directive that basically created data protection rules in Europe in 1995, before the GDPR was adopted as a regulation). This directive set the following structure : 

- before carrying out any data processing operation an organization had to inform the supervisory authority 
- with two exceptions to that rule : 
 - for certain types of processing activities that were unlikely to "affect adversely the rights and freedoms of data subjects" (no risks), no information was needed ;
 - or, in the case where the Controller had a "Data Protection Official" (at the time), who *ensured independently* the compliance of the processing activities to the law, no formality was needed either.

And this is a very important paradigm because the role of the DPO in the GDPR, inherits from this. Structurally, his duties are to ensure *independently* that the regulation is applied in the organization, and causes no substantial risks to data subjects. The DPO is here to review the work, not to do the work in the first place! 

This structure was established at a time  when mostly big businesses were conducting data processing activities (in 1995...): banks, insurances, hospitals, etc. And the legislator assumed these businesses had :
- an IT team to handle the processing activities
- a legal teams to handle the compliance 
- and therefore could easily appoint an independent official within the structure that could verify independently that everything was done according to the legislative plan

There are a lot of consequences of this position : 
1. The DPO is always independent from the Controller: he can not be sanctionned by the Controller for doing his work. He can not receive instructions from the Controller either. The DPO has to be properly informed of all processing operations (as well as  have all qualifications necessary to handle compliance work). 
2. The DPO can not be liable for the Controller's non-compliances: it is the Controller who assumes the compliance and all legal risks of his operations. The DPO is there only to verify that the work is done properly and offer a review of where the Controller is in terms of data privacy.


## II. When do organizations really need a DPO?

There are 3 cases in which the appointment of a DPO is mandatory:

1. when the controller is a public authority or a public body, with the exception of courts acting in the exercise of their judicial function
2. when the organization's core activities require regular and systematic tracking of people on a large scale
3. when the activities of the organization consist of large-scale processing of health data, for example (more generally Article 9 or 10 data)

**In all other cases, the appointment of a DPO is optional**. However, it's practically always necessary to have a person in charge of the compliance inside the organization.


### A. - Who can be apointed as DPO?

Anyone who at least has taken a [two days training on GDPR compliance](https://www.legiscope.com). The training of the DPO is an obligation to be able to perform these functions.

### B. - The Tasks of the DPO

The data protection officer shall have at least the following tasks:
1. *Inform and advise* the controller or processor and the employees who carry out the processing on their obligations under this Regulation and other provisions of Union or national law. Member States on data protection;
2. *Monitoring compliance with the GDPR, including with regard to the distribution of responsibilities, awareness and training of staff involved in processing operations, and audits
3. *Provide advice* on data protection impact assessment and verify its execution under Article 35
4. *Cooperate with the supervisory authority*
5. *Act as a contact point* for the supervisory authority on matters relating to the processing, including the prior consultation referred to in Article 36, and carry out consultations, where appropriate, on any other matter.

In general, the DPO also assists in the creation and updating of the register of processing activities.The DPO has to perform his tasks with due regard to the risk associated with processing operations.

### C. - Position of the DPO

The Controller has a certain number of duties regarding the DPO, he has to :

- ensure the DPO is involved in all issues which relate to the protection of personal data ;
- support the DPO in performing his tasks, by providing all necessary resources to carry out his mission as well as all access to personal data and processing operations, and tools to maintain his or her expert knowledge.

The DPO *does not receive any instructions regarding the exercise of those tasks*. He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

Data subjects may contact the data protection officer about all issues related to the processing of their data and to the exercise of their rights under this Regulation.

The DPO is bound by secrecy or confidentiality concerning the performance of his or her tasks. He may fulfill other tasks and duties however, the controller has to ensure that any such tasks and duties do not result in a conflict of interests.

The DPO - the Data Protection Officer, is the person in charge of GDPR compliance management. Details on his functions and missions

Role and missions of the Data Privacy Officer (GDPR)


Transferring personal data across borders is essential in today's globalized business environment. However, when data moves beyond the European Economic Area (EEA), it introduces specific legal obligations under the GDPR. Non-compliance can lead to significant fines—as seen in cases like Schrems II. This article explores what constitutes a cross-border data transfer, the legal framework governing these transfers, notable cases, and provides practical tips to ensure compliance.

## 1. Understanding Cross-Border Data Transfers

A cross-border data transfer occurs when personal data is transmitted from an entity within the EEA to a recipient outside the EEA. This can happen in various ways, such as providing personal data to third parties located in non-EEA countries, allowing remote access to data stored within the EEA by entities outside it, using cloud services with servers outside the EEA, or sharing data within a multinational company from its EEA branches to those outside. It's important to recognize that even storing data on servers located outside the EEA can constitute a cross-border transfer, regardless of where the data is accessed from.

Organizations must be vigilant in identifying such transfers to ensure they comply with GDPR requirements. Failure to do so can result in significant legal and financial repercussions. The complexity of modern data flows means that businesses must have a clear understanding of where their data resides and who has access to it.

## 2. Legal Framework Under the GDPR

The GDPR sets out strict rules for transferring personal data to third countries or international organizations to protect the fundamental rights and freedoms of individuals. The key provisions are found in Articles 44 to 50.

Under **Article 45**, personal data can be transferred to a third country if the European Commission has decided that the country ensures an adequate level of protection. Countries with adequacy decisions include Andorra, Argentina, Canada (commercial organizations), Japan, New Zealand, Switzerland, and Uruguay. This means that data transfers to these countries are treated similarly to intra-EEA transfers, simplifying compliance for organizations.

In the absence of an adequacy decision, **Article 46** allows transfers if the controller or processor has provided appropriate safeguards. These include Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), and approved codes of conduct or certification mechanisms. These safeguards aim to ensure that the transferred data enjoys the same level of protection as within the EEA. Organizations must carefully implement these safeguards and often need to assess the legal environment of the recipient country to ensure that the safeguards are effective.

As a last resort, **Article 49** provides for specific derogations where data transfers can occur without adequacy decisions or appropriate safeguards. These include explicit consent from the data subject, transfers necessary for the performance of a contract, or transfers necessary for important reasons of public interest. Reliance on these derogations should be limited and carefully considered, as they are exceptions rather than the rule, and overuse may attract regulatory scrutiny.

## 3. Notable Cases and Their Implications

Understanding past cases helps organizations grasp the importance of compliance and the potential consequences of non-compliance.

### 3.1 The Schrems II Decision

In July 2020, the Court of Justice of the European Union (CJEU) delivered a landmark judgment in the Schrems II case (Case C-311/18). The court invalidated the EU-U.S. Privacy Shield framework, stating that U.S. surveillance laws did not provide adequate protection for personal data of EU citizens.

**Implications of Schrems II**:

Organizations can no longer rely on the Privacy Shield for data transfers to the U.S. They must assess whether the law in the recipient country ensures adequate protection and may need to implement supplementary measures. This includes conducting Transfer Impact Assessments to evaluate the legal environment of the third country before transferring data. The case underscores the need for organizations to thoroughly assess their data transfer mechanisms and ensure compliance with GDPR requirements. Failure to do so can result in the suspension of data transfers and significant operational challenges.

### 3.2 CNIL's Sanction Against Google

In January 2019, the French Data Protection Authority (CNIL) fined Google LLC €50 million for lack of transparency, inadequate information, and lack of valid consent regarding personalized advertising.

**Key Takeaways from the CNIL Decision**:

Organizations must provide clear and accessible information about data processing activities. Consent must be specific, informed, and unambiguous. Pre-ticked boxes or vague statements are insufficient. This case highlights the significant financial and reputational risks associated with non-compliance and emphasizes the importance of transparency and valid consent under the GDPR. It serves as a reminder that large organizations are not exempt from regulatory action.

## 4. Practical Tips for GDPR Compliance

Organizations can take several steps to ensure compliance with GDPR when transferring data across borders.

Firstly, assess the legal basis for transfer. Verify if the destination country has an adequacy decision from the European Commission. If not, implement appropriate safeguards such as SCCs or BCRs to provide legal protection for the data transfer. It's crucial to ensure that these safeguards are properly incorporated into contracts and that all parties understand their obligations. Limit the use of derogations and rely on them only when absolutely necessary, ensuring they are applied correctly and documented thoroughly.

Secondly, conduct Transfer Impact Assessments (TIAs). Evaluate the legal and regulatory environment of the recipient country to identify potential risks to data protection. This includes analyzing local laws that may affect the protection of personal data, such as surveillance laws or laws requiring disclosure of data to authorities. Document these assessments to demonstrate due diligence and accountability. TIAs should be revisited periodically or when there are significant changes in the legal environment.

Thirdly, enhance technical and organizational measures. Protect data during transit and storage using strong encryption protocols. Implement robust data minimization practices by transferring only the data necessary for the intended purpose. Restrict access to personal data to authorized personnel through stringent access controls and regularly review access rights. Employ measures such as pseudonymization or anonymization where appropriate to reduce the risk associated with data transfers.

Additionally, update contracts and policies. Use the latest version of SCCs approved by the European Commission in contracts with processors and controllers outside the EEA. Clearly define data protection obligations with third parties and processors, including responsibilities for data security, breach notification, and cooperation with supervisory authorities. Educate staff about GDPR requirements and best practices for data transfers through regular training sessions. Ensure that employees understand the importance of compliance and their role in protecting personal data.

Finally, stay informed and seek legal advice. Monitor updates from data protection authorities, such as the European Data Protection Board (EDPB), and adjust practices accordingly. Changes in regulations or new legal precedents can significantly impact compliance obligations. Consult legal experts when dealing with complex transfer scenarios or uncertainties to ensure compliance. Legal counsel can provide valuable insights into navigating the complexities of international data transfers under the GDPR.

## 5. Conclusion

Cross-border data transfers are integral to the operations of many organizations in today's interconnected world. However, they come with significant responsibilities under the GDPR. Non-compliance can result in substantial fines and damage to an organization's reputation. By understanding the legal framework, learning from past cases, and implementing practical compliance measures, organizations can effectively navigate the complexities of cross-border data transfers. Proactive compliance not only mitigates legal risks but also builds trust with customers and partners by demonstrating a commitment to protecting personal data.


Understanding cross-border data transfers under the GDPR, including challenges, legal framework, and practical tips

What Are Cross-Border Data Transfers?


The GDPR brought significant changes to the way personal data is handled and protected in organizations across the European Union and all around the world. In this regulatory framework, the Data Protection Officer (DPO) plays a crucial role ensuring compliance work. But the DPO is not the controller, and carries no liability for his work. He acts independently to inform and advise the controller, monitoring compliance, conducting training and awareness programs, and providing guidance on Data Protection Impact Assessments (DPIAs). The DPO's responsibilities are comprehensive and multifaceted. Understanding these tasks in detail is essential for appreciating the critical role DPOs play in navigating the complex landscape of data protection today.


## Core Tasks of the Data Protection Officer

The Data Protection Officer has a set of five core tasks that needs to be conducted : informing and advising, monitoring compliance, training and awareness, and advising on Data Protection Impact Assessments (DPIAs).

The DPO's primary role involves educating and guiding the organization and its employees about their obligations under the GDPR and other data protection laws. This responsibility extends beyond merely disseminating information; it requires a deep understanding of legal requirements and the ability to apply data protection laws to various organizational operations. The DPO provides tailored guidance to ensure compliance with the GDPR, taking into account the unique data processing activities and sectoral requirements of each organization. They proactively anticipate potential data protection issues and offer advice to manage compliance effectively.

Monitoring compliance forms another critical aspect of the DPO’s role. This task is multifaceted, encompassing the understanding of the legal framework and its practical implementation. The DPO conducts regular compliance audits, identifying areas for improvement, and evaluates the effectiveness of data protection policies and procedures, recommending necessary enhancements. Risk assessment also forms a key part of this role, involving the evaluation of risks associated with data processing activities and the development of strategies to mitigate these risks.

A significant responsibility of the DPO is fostering a culture of data protection within the organization. This involves developing and implementing training programs tailored to different departments and levels within the organization. The DPO also focuses on raising general awareness about data protection issues across the organization and ensures ongoing education to keep staff's knowledge current and relevant in the face of evolving data protection regulations and technologies.

The DPO also plays an instrumental role in the DPIA process. DPIAs, mandated by the GDPR for certain data processing operations, assess the potential risks to individuals' rights and freedoms. The DPO advises when DPIAs are required and oversees their implementation, ensuring they are conducted correctly and effectively. Additionally, they interpret the results of DPIAs and advise on necessary actions to mitigate any identified risks.


## Practical example of the DPO's day to day tasks

Let's take a practical exemple from a DPO in a healthcare organization. His day to day job might be to develop comprehensive GDPR training modules for staff, specifically tailored to scenarios in healthcare data handling. This could include creating a quick-reference guide for employees on data protection dos and don'ts. In an e-commerce company, the DPO would conduct regular data processing audits, ensuring that customer data is handled in compliance with GDPR, reviewing data storage practices, consent forms, and data sharing policies. In an educational institution, organizing workshops and interactive sessions to educate the staff about data protection, focusing on student data privacy, can be a crucial initiative. In a tech company, leading a DPIA for a new data analytics project, assessing the risks associated with customer data processing, and advising on mitigation measures could be a key responsibility.

One major challenge for DPOs is keeping up with legal changes in data protection. Attending conferences, webinars, and participating in professional networks is important to stay informed. Balancing transparency with confidentiality is another challenge; maintaining regular communication and fostering an open dialogue about data protection can help in this regard. Resource limitation, especially in smaller organizations, can be addressed by leveraging online resources, tools, and external consultancy for specific tasks. Engaging effectively with stakeholders is also crucial. Building a rapport with different departments and ensuring their cooperation through regular meetings, updates, and involving them in data protection discussions can enhance collaboration.


### The Impact of the DPO's Tasks on GDPR Compliance

The DPO's role in informing and advising the organization is fundamental to ensuring that all levels of the organization understand and comply with GDPR requirements. By providing tailored guidance and proactive advice, the DPO helps prevent potential data breaches and ensures that data processing activities are aligned with legal standards.

Monitoring compliance is another vital aspect of the DPO's role. Regular audits and assessments conducted by the DPO not only ensure ongoing compliance with the GDPR but also help identify areas where improvements are needed. This continuous oversight is essential for maintaining a high standard of data protection.

Training and awareness initiatives led by the DPO play a significant role in embedding a culture of data protection within the organization. These initiatives ensure that staff at all levels are aware of their responsibilities regarding data handling, thus reducing the risk of data breaches and enhancing the overall security posture of the organization.

Finally, the DPO's involvement in DPIAs is crucial for assessing and mitigating risks associated with data processing activities. Through DPIAs, the DPO helps the organization identify potential impacts on data privacy and advises on how to address these issues effectively, further reinforcing GDPR compliance.

## Collaboration and Reporting: The DPO’s Interaction with Management and Authorities

Effective liaison with top management is crucial for the Data Protection Officer. This involves not only reporting on the organization's data protection status and compliance but also providing strategic advice on data protection matters that could impact the organization's decision-making and policies. The DPO's insights can guide the management in understanding the implications of data processing activities and in making informed decisions that align with GDPR requirements.

Interacting with data protection authorities is another key aspect of the DPO's role. The DPO acts as the primary contact point for these authorities, facilitating inspections, audits, and inquiries. This requires the DPO to be well-versed in the organization's data processing activities and to be able to represent and defend the organization's data protection practices.

The independence and authority of the DPO are essential for the effective execution of these tasks. The DPO must have the freedom to perform their duties without undue influence from the organization and the authority to access all necessary information and resources. This independence ensures that the DPO can provide unbiased advice and make recommendations that are in the best interest of data protection compliance.


## Conclusion

The Data Protection Officer (DPO) plays an indispensable role in upholding data protection standards within an organization. Their tasks, ranging from informing and advising on GDPR compliance, monitoring organizational adherence to data protection laws, conducting training and awareness programs, to overseeing Data Protection Impact Assessments (DPIAs), are essential if organizations want to avoid fines.

The DPO's responsibilities are not just procedural; they are integral to embedding a culture of data privacy and protection throughout the organization. By ensuring that GDPR principles are consistently applied and understood, the DPO not only helps safeguard personal data but also enhances the organization’s credibility and trustworthiness in handling such sensitive information.


## Details of article 39

>Article 39 -Tasks of the data protection officer
> 1.   The data protection officer shall have at least the following tasks:
>(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
> (b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
> (c ) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
> (d) to cooperate with the supervisory authority;
> (e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
> 2.   The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.



The Data Protection Officer (DPO) has a specific set of tasks given by the GDPR : nforming and advising, monitoring compliance, training and awareness, and advising on Data Protection Impact Assessments (DPIAs).

GDPR and AML, what can go wrong ?

Témoignages

Articles connexes