Any company must ensure the security of the personal data it collects (customer, supplier, employee data, etc.). To ensure a level of security appropriate to the risk, a number of technical and organizational measures are necessary.
FYI
The CNIL provides a practical guide on data security.
Inventory data processing operations
The controller must identify the processing operations involving personal data (automated or not) and the media on which these operations rely, namely:
- hardware (e.g. servers, laptops, hard drives)
- software (e.g. operating systems, business software)
- logical or physical communication channels (e.g. fiber optic, Wi-Fi, Internet, voice, couriers)
- paper media (e.g. printed documents, photocopies)
- physical premises and facilities where the above-mentioned items are located (e.g. computer rooms, offices).
Assess the risks associated with each processing operation
This inventory makes it possible to assess the risks generated by each processing operation, including:
- Illegitimate access to data (e.g. impersonation following the disclosure of the pay slips of all employees of a company)
- Unwanted modification of data (e.g. wrongly accusing a person of misconduct or misdemeanor following modification of access logs)
- Disappearance of data (e.g. failure to detect a drug interaction due to inability to access the electronic patient record).
The controller must identify the sources of risk, considering both human sources (e.g. IT administrator, user, external attacker, competitor) and non-human sources (e.g. water, outbreak, hazardous materials, non-targeted computer virus).
It must also estimate the severity and likelihood of each risk (an example of a scale that can be used: negligible, moderate, large, maximum) in order to determine the measures capable of addressing it (e.g. access control, backups, traceability, premises security, encryption, anonymization).
Raise awareness among users
The controller must raise users' awareness of security and privacy issues. This can be done by organizing an awareness session, sending regular updates on the procedures relevant to each person according to their duties, sending reminders by e-mail, etc.
The controller must document operating procedures, keep them up to date and make them available to all users concerned. Specifically, any action involving the processing of personal data, whether an administration operation or the simple use of an application, must be explained in clear language adapted to each category of user, in documents the user can refer to.
In addition, the controller must draw up an IT charter, annexed to the internal rules and regulations, including the following information:
- Data protection rules and penalties for non-compliance
- Scope of the Charter (e.g. how data management teams are involved, means of authentication, security rules)
- How to use the computer resources made available (workstation, storage space, Internet access, e-mail, etc.)
- Conditions for the administration of the information system
- Liabilities and penalties for non-compliance with the Charter.
Please note
It may be appropriate to have staff sign a confidentiality commitment, or to include in employment contracts a specific confidentiality clause concerning personal data. A model confidentiality commitment is made available by the CNIL.
I, the undersigned Mr./Ms. ______________________,
recognize the confidentiality of such data.
I therefore undertake, in accordance with Article 32 of the General Data Protection Regulation of 27 April 2016, to take all precautions in accordance with the state of the art and internal rules within the framework of my duties in order to protect the confidentiality of the information to which I have access, and in particular to prevent it from being communicated to persons not expressly authorized to receive that information.
In particular, I commit to:
- not use the data I can access for purposes other than those provided for by my powers;
- disclose such data only to persons duly authorized by reason of their duties to receive such data, whether private, public, natural or legal persons;
- make no copies of such data except as necessary for the performance of my duties;
- take all measures in accordance with the state of the art and internal rules within the framework of my powers to prevent the misuse or fraudulent use of this data;
- take all precautions in accordance with the state of the art and internal rules to safeguard the physical and logical security of such data;
- ensure, within the limits of my powers, that only secure means of communication will be used to transfer such data;
- in the event of termination of my duties, return in full the data, computer files and any information medium relating to these data.
This confidentiality undertaking, in force throughout my term of office, will remain effective, without limitation, after I have ceased to hold office, whatever the cause, insofar as it concerns the use and provision of personal data.
I have been informed that any violation of this undertaking will subject me to disciplinary and criminal sanctions in accordance with the regulations in force, in particular with regard to Articles 226-13 and 226-16 to 226-24 of the Criminal Code.
Done at _____, on dd/mm/yyyy, in X copies
Name:
Signature:
Authenticate users
To ensure that a user only has access to the data they need, each user must have a unique identifier and must authenticate before any use of the computer resources.
An essential precaution is to define a unique identifier per user and to prohibit accounts shared between multiple users. Where the use of generic or shared identifiers is unavoidable, the following measures must be implemented:
- Require validation by management
- Implement means to trace actions associated with these identifiers
- Renew the password as soon as a person no longer needs to access the account.
Please note
If you are using password-based user authentication, it is recommended that you follow the recommendations of the CNIL.
Manage user entitlements
The controller must manage user entitlements in order to limit users' access to only the data they need for the performance of their tasks.
The controller must first define entitlement profiles in systems, separating tasks and areas of responsibility, and have every access request validated by a manager (e.g. supervisor, project manager).
It is imperative to remove users' access permissions as soon as they are no longer entitled to access premises or an IT resource (e.g. change of mission or post), as well as at the end of their contract.
Please note
It is recommended to conduct a regular review of entitlements (at least annually) to identify and remove unused accounts and realign the rights granted to the functions of each user.
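The review described in the two sections above (unique identifiers, no unjustified shared accounts, removal of access at end of contract, detection of unused accounts, realignment of rights to functions) can be made repeatable with a small script. The following is an added example, not CNIL material: the account export, the entitlement profiles and the review date are constructed sample data, and the finding labels are this example's own.

```python
from datetime import date, timedelta

# Constructed sample account export (not real data). A missing owner marks a
# shared/generic identifier; contract_end None means an open-ended contract.
ACCOUNTS = [
    {"login": "adupont", "owner": "A. Dupont", "function": "hr",
     "rights": {"hr_read", "hr_write"}, "last_login": date(2024, 5, 2), "contract_end": None},
    {"login": "bmartin", "owner": "B. Martin", "function": "sales",
     "rights": {"crm_read", "hr_read"}, "last_login": date(2024, 4, 30), "contract_end": None},
    {"login": "cpetit", "owner": "C. Petit", "function": "sales",
     "rights": {"crm_read"}, "last_login": date(2022, 11, 3), "contract_end": None},
    {"login": "dleroy", "owner": "D. Leroy", "function": "hr",
     "rights": {"hr_read"}, "last_login": date(2024, 1, 10), "contract_end": date(2024, 3, 31)},
    {"login": "reception", "owner": None, "function": "front_desk",
     "rights": {"visitor_log"}, "last_login": date(2024, 5, 3), "contract_end": None},
]

# Assumed entitlement profiles: the rights each function legitimately needs.
PROFILES = {
    "hr": {"hr_read", "hr_write"},
    "sales": {"crm_read"},
    "front_desk": {"visitor_log"},
}

# Constructed date on which the (at least annual) review is run.
REVIEW_DATE = date(2024, 5, 6)

def review_entitlements(accounts, profiles, today, inactive_after_days=365):
    """Return (login, finding) pairs for a periodic access review."""
    findings = []
    inactivity_limit = today - timedelta(days=inactive_after_days)
    for acct in accounts:
        login = acct["login"]
        # Contract ended: access should have been removed at end of contract.
        if acct["contract_end"] is not None and acct["contract_end"] < today:
            findings.append((login, "remove: contract ended"))
        # No login within the review window: unused account.
        if acct["last_login"] < inactivity_limit:
            findings.append((login, "remove: unused account"))
        # Rights beyond the profile of the user's function: realign them.
        excess = acct["rights"] - profiles.get(acct["function"], set())
        for right in sorted(excess):
            findings.append((login, f"realign: right '{right}' not in profile '{acct['function']}'"))
        # Shared identifier: must be validated, traced and its password rotated.
        if acct["owner"] is None:
            findings.append((login, "review: shared identifier, confirm validation and traceability"))
    return findings

if __name__ == "__main__":
    for login, finding in review_entitlements(ACCOUNTS, PROFILES, REVIEW_DATE):
        print(f"{login:10} {finding}")
```

In a real review the account list would come from the directory or application export, and each finding would be assigned to the manager who validated the original access request.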
Trace operations
The controller must also trace operations in order to be able to respond to data breaches (breaches of confidentiality, integrity or availability).
To do this, a logging system must be put in place, recording users' business activities, technical interventions (including by administrators), anomalies and security events.
The controller must ensure that those responsible for the logs notify the controller of any security anomaly or incident as soon as possible.
Please note
A best practice guide is available for establishing an efficient and secure logging system.
Secure desktops and mobile computing
The risks of intrusion into computer systems are significant. The controller must protect workstations, which are one of the main points of entry.
In order to prevent fraudulent access, execution of viruses or malicious remote takeovers, the controller must take the following precautions:
- Provide a mechanism for automatic session locking if the station is not used for a given time
- Install firewall software on the workstation and limit open communication ports to those strictly necessary for the proper functioning of the applications installed on the workstation
- Use regularly updated anti-virus software and establish a policy of regular software updates
- Securely erase data on a computer before reassignment to another person.
Please note
The Government Center for Computer Attack Watch, Warning and Response (CERT-FR) describes the right reflexes to adopt in the event of an intrusion into an information system.
Off-premises work practices (e.g. traveling, teleworking) involve specific risks related to the use of laptops, USB sticks or smartphones. It is therefore essential to anticipate data breaches outside the premises.
The controller must raise users' awareness of the specific risks associated with the use of mobile computing tools (e.g. theft of equipment, risks associated with connecting to public networks) and require the use of a VPN with strong authentication.
It is also recommended to provide encryption means for laptops and mobile storage media (e.g. USB drives, external hard drives, CD-R, DVD-RW), such as:
- Hard drive encryption (many operating systems include such functionality)
- File-by-file encryption
- Creating encrypted containers (a file that may contain multiple files).
Please note
The CNIL recalls the key principles of cryptology (encryption, hash, signature).
Back up and archive data
The controller must perform regular backups to minimize the impact of data loss or unwanted alteration. It is also recommended to store at least one backup at an external site and to keep an isolated offline backup, disconnected from the company's network.
In addition, the controller must archive data that is no longer in daily use but has not yet reached the end of its retention period, for example because it is kept for use in the event of a dispute.
To do this, an archive management process must be defined that addresses several questions, including:
- What data needs to be archived?
- How and where is it stored?
- What are the specific ways of accessing archived data? (use of an archive should be occasional and exceptional)
- With regard to the destruction of archives, what method of operation should be chosen to ensure that an entire archive has been destroyed?
Please note
The CNIL has established a list of recommendations concerning the arrangements for electronic archiving.
Manage outsourcing
Data processing carried out by a processor on behalf of the controller must be subject to adequate safeguards, in particular with regard to security.
It is imperative to use only sub-contractors providing sufficient guarantees, particularly in terms of expertise, reliability and resources. The controller must require the provider to communicate its information systems security policy and any certifications.
A subcontracting contract must define the subject matter, duration and purpose of the processing and the obligations of the parties, in particular regarding the security of processing. It must contain provisions laying down the following:
- Division of responsibilities and obligations in relation to confidentiality of personal data entrusted
- Minimum authentication requirements of users
- Conditions for the return and destruction of data at the end of the contract
- Incident management and notification rules, including informing the controller in the event of a security breach or security incident.
Please note
The CNIL published a guide to accompany subcontractors in the practical implementation of their obligations.
Assess data security
Since there are many measures to ensure data security, it is appropriate to assess the company's level of personal data security. The CNIL provides an evaluation grid.
The technical and organizational measures implemented by the controller must be appropriate, taking into account the nature, scope, context and purposes of the processing and the risks (the degree of probability and seriousness of which varies) to the rights and freedoms of individuals.
In the event of a data breach (e.g. unauthorized disclosure, irregular access), the controller must be able to prove that it has taken adequate security measures.