When the protection of privacy and personal data becomes a matter for the European Union
The RGPD regulation therefore balances the right to privacy with the right to process certain personal data for reasons relating to environmental protection and efficient economic management of the port.
This fair balance will enable everyone's interests to be reconciled in a respectful manner: the port's economic and environmental interests and the protection of everyone's privacy.
This is precisely in line with Article 8(2) of the European Convention on Human Rights - a convention, it should be remembered, to which the European Union has acceded - which states that proportionate restrictions may be placed on the right to privacy where legitimate interests are at stake.
Me Zakine, Lawyer, Doctor of Law, offers you a text on the impact of the RGPD on privacy.
Article 8 of the European Convention on Human Rights states:
Article 8 - Right to respect for private and family life
1 Everyone has the right to respect for their private and family life, their home and their correspondence.
2 A public authority may not interfere with the exercise of this right unless such interference is provided for by law and constitutes a measure which, in a democratic society, is necessary for national security, public safety, the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
As a result, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), a directly applicable regulation, must be applied.
It seems essential to refer to it in the context of the technology you intend to develop and propose.
As such, Recital No. 4 of the Regulation of 27 April 2016 states:
The processing of personal data should be designed to serve humanity. The right to protection of personal data is not an absolute right; it must be considered in relation to its function in society and balanced against other fundamental rights, in accordance with the principle of proportionality. This Regulation respects all fundamental rights and observes the freedoms and principles recognised by the Charter and enshrined in the Treaties, in particular respect for private and family life, home and communications, and the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom of enterprise, the right to an effective remedy and to a fair trial, and religious and linguistic diversity.
The processing of personal data must be in line with the objective laid down by the European legislator, which is very clear from recitals 6 and 7 of the Regulation:
(6) Rapid technological change and globalisation have created new challenges for the protection of personal data. The extent to which personal data is collected and shared has increased significantly. Technologies are enabling both private companies and public authorities to use personal data in their activities as never before. Increasingly, individuals are making information about themselves publicly and globally accessible. Technology has transformed both the economy and social relations, and should further facilitate the free flow of personal data within the EU and their transfer to third countries and international organisations, while ensuring a high level of protection for personal data.
(7) These developments call for a solid and more coherent data protection framework in the EU, accompanied by rigorous application of the rules, since it is important to create the trust that will allow the digital economy to develop throughout the internal market. Individuals should have control over their personal data. Both legal and practical certainty should be reinforced for individuals, economic operators and public authorities.
(10) "In order to ensure a consistent and high level of protection for individuals and to remove obstacles to the flow of personal data within the Union, the level of protection of individuals' rights and freedoms with regard to the processing of such data should be equivalent in all Member States".
Recital 10 suggests that by adopting a very rigorous system from the outset in France, and taking into account the requirement for effective and similar protection in each of the Member States of the European Union.
With regard to recital 15 of the Regulation, which states:
"In order to avoid creating a serious risk of circumvention, the protection of natural persons should be technology-neutral and should not depend on the techniques used. It should apply to the processing of personal data by automatic means as well as to manual processing, if the personal data are contained or intended to be contained in a filing system. Files or sets of files and their covers which are not structured according to specific criteria should not fall within the scope of this Regulation".
As a result, regardless of how personal data is processed, the RGPD Regulation must apply whenever personal data is collected.
So, for example, whether it is a video surveillance camera that can detect a number plate or a technology that allows the regulation of a vehicle's speed, the RGPD is immediately applicable.
This requirement is in line with the legislator's desire to offer maximum protection to personal data and privacy.
- Analysis of the recitals of the RGPD regulation, which provide an overview of the objectives pursued by the European Union
Recital 18:
"This Regulation shall not apply to the processing of personal data carried out by a natural person in the course of strictly personal or domestic activities, and therefore unrelated to a professional or commercial activity. Personal or domestic activities could include the exchange of correspondence and the keeping of an address book, or the use of social networks and online activities that take place in the context of these activities. However, this Regulation shall apply to controllers or processors who provide the means to process personal data for such personal or domestic activities."
The scope of the Regulation therefore covers your technology, since what counts is your data processing activity, even if it involves photographing a boat that is used only for personal purposes.
Recital 32:
"Consent should be given by a clear positive act by which the data subject freely, specifically, in an informed manner and unambiguously expresses his or her agreement to the processing of personal data concerning him or her, for example by means of a written statement, including by electronic means, or an oral statement. This could be done in particular by ticking a box when consulting a website, by opting for certain technical parameters for information society services or by means of another statement or other behaviour which clearly indicates in this context that the data subject agrees to the proposed processing of his or her personal data. There can therefore be no consent in cases of silence, default tick boxes or inactivity. The consent given should apply to all processing activities with the same purpose or purposes. Where the processing has several purposes, consent should be given for all of them. If the data subject's consent is given following a request made by electronic means, this request must be clear and concise and must not unnecessarily disrupt the use of the service for which it is given".
A system should be set up whereby boat owners give their free, express and unequivocal consent.
Recital 39:
"Any processing of personal data should be lawful and fair. The fact that personal data relating to natural persons are collected, used, accessed or otherwise processed and the extent to which such data are or will be processed should be transparent to the natural persons concerned. The principle of transparency requires that any information and communication relating to the processing of personal data must be easily accessible, easy to understand and formulated in clear and simple terms. This principle applies, in particular, to information provided to data subjects concerning the identity of the controller and the purposes of the processing operation, as well as to other information intended to ensure a high level of protection of data subjects, fair and transparent treatment of the natural persons concerned and their right to obtain confirmation and communication of the personal data relating to them which are being processed. Individuals should be informed of the risks, rules, safeguards and rights associated with the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes of the processing of personal data should be explicit and legitimate, and determined at the time of collection of the personal data. Personal data should be adequate, relevant and limited to what is necessary for the purposes for which it is processed. This requires, in particular, ensuring that data retention periods are limited to the strict minimum. Personal data should only be processed if the purpose of the processing cannot reasonably be achieved by other means. In order to ensure that data are not kept longer than necessary, time limits should be set by the controller for their erasure or for periodic review. Every reasonable step should be taken to ensure that inaccurate personal data are rectified or deleted.
Personal data should be processed in such a way as to ensure appropriate security and confidentiality, including the prevention of unauthorised access to, and use of, such data and the equipment used for their processing".
- Detailed analysis of regulatory provisions
- Article 2 Material scope
"1. This Regulation applies to the processing of personal data, automated in whole or in part, as well as to the non-automated processing of personal data contained or intended to be contained in a filing system".
- Precise analysis of definitions
Article 4 Definitions. For the purposes of this Regulation:
1) "personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name or identification number, location data, an online identifier or to one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity;
Personal data is any information relating to an identified or identifiable natural person.
A natural person can be identified:
- directly (example: first and last name);
- indirectly (e.g. by a telephone or fax number, a number plate, an identifier such as the social security number, a postal or e-mail address, but also a voice or image).
2) "processing" means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
3) "restriction of processing" means the marking of retained personal data with a view to limiting their future processing;
4) "profiling" means any form of automated processing of personal data which involves the use of personal data to evaluate certain personal aspects relating to an individual, in particular to analyse or predict factors associated with that individual's work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
5) "pseudonymisation" means the processing of personal data in such a way that it can no longer be attributed to a specific data subject without recourse to additional information, provided that this additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person;
6) "filing system" means any structured set of personal data accessible according to specified criteria, whether that set is centralised, decentralised or distributed on a functional or geographical basis;
7) "controller" means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing; where the purposes and means of such processing are determined by Union law or by the law of a Member State, the controller may be designated or specific criteria for such designation may be laid down in Union law or in the law of a Member State;
9) "recipient" means the natural or legal person, public authority, service or other body to which personal data are communicated, whether or not a third party. However, public authorities which are likely to receive communication of personal data in the context of a particular fact-finding mission in accordance with Union law or the law of a Member State are not considered recipients; the processing of these data by the public authorities in question complies with the applicable data protection rules depending on the purposes of the processing;
10) "third party" means a natural or legal person, public authority, department or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the personal data;
11) "consent" of the data subject means any freely given, specific, informed and unambiguous indication of his wishes by which the data subject signifies his agreement, either by a declaration or by a clear positive act, to personal data relating to him being processed;
A system of informed consent and clear and fair information must be implemented as part of the use of your technology.
This leads us to consider the transparency and fairness of the information given before personal data is captured and processed.
CHAPTER III Rights of the data subject
Section 1 Transparency and terms and conditions
Article 12 Transparency of information and communications and arrangements for exercising the rights of the data subject
1. The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and to make any communication under Articles 15 to 22 and Article 34 concerning the processing to the data subject in a concise, transparent, comprehensible and easily accessible manner, in clear and simple language, in particular for any information specifically intended for a child.
Information shall be provided in writing or by other means, including, where appropriate, electronically. Where the data subject so requests, the information may be provided orally, provided that the identity of the data subject is established by other means.
(2) The controller shall facilitate the exercise of the data subject's rights under Articles 15 to 22. In the cases referred to in Article 11(2), the controller shall not refuse to comply with the data subject's request to exercise his or her rights under Articles 15 to 22 unless the controller demonstrates that he or she is unable to identify the data subject.
3 The controller shall provide the data subject with information on the measures taken in response to a request made pursuant to Articles 15 to 22 as soon as possible and in any event within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests. The data controller shall inform the data subject of this extension and the reasons for the postponement within one month of receipt of the request. Where the data subject submits his/her request in electronic form, the information shall be provided electronically where possible, unless the data subject requests otherwise.
4 If the controller does not comply with the request made by the data subject, it shall inform the data subject without delay and at the latest within one month of receipt of the request of the reasons for its failure to act and of the possibility of lodging a complaint with a supervisory authority and of seeking judicial remedy.
5 No payment shall be required for providing information under Articles 13 and 14 and for making any communication and taking any action under Articles 15 to 22 and Article 34. Where a data subject's requests are manifestly unfounded or excessive, in particular because of their repetitive nature, the controller may:
- (a) require the payment of reasonable charges which take into account the administrative costs incurred in providing the information, making the communications or taking the action requested; or
- (b) refuse to comply with such requests.
It shall be for the data controller to demonstrate that the request is manifestly unfounded or excessive.
6 Without prejudice to Article 11, where the controller has reasonable doubts as to the identity of the natural person making the request referred to in Articles 15 to 21, it may request that additional information necessary to confirm the identity of the data subject be provided.
7. The information to be given to data subjects pursuant to Articles 13 and 14 may be provided together with standardised icons in order to provide a clear, easily visible, comprehensible and clearly legible overview of the intended processing. Where the icons are presented electronically, they shall be machine-readable.
8 The Commission shall be empowered to adopt delegated acts in accordance with Article 92 for the purpose of determining the information to be presented in the form of icons and the procedures governing the provision of standardised icons.
Section 2 Information and access to personal data
Article 13 Information to be provided when personal data are collected from the data subject
(1) Where personal data relating to a data subject are collected from that person, the controller shall provide him or her, at the time the data in question are obtained, with all the following information:
- a) the identity and contact details of the controller and, where appropriate, of the controller's representative;
- b) if applicable, the contact details of the Data Protection Officer;
- c) the purposes of the processing for which the personal data are intended and the legal basis for the processing;
- d) where processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;
- e) the recipients or categories of recipients of the personal data, if any; and
- f) where applicable, the fact that the controller intends to transfer personal data to a third country or to an international organisation, and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46 or 47, or in the second subparagraph of Article 49(1), the reference to the appropriate or adequate safeguards and the means of obtaining a copy of them or the place where they have been made available;
(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject, at the time the personal data are obtained, with the following additional information which is necessary to ensure fair and transparent processing:
- a) how long the personal data will be kept or, where this is not possible, the criteria used to determine this period;
- b) the existence of the right to request from the controller access to personal data, their rectification or erasure, or a restriction on the processing relating to the data subject, or the right to object to the processing and the right to data portability;
- c) where the processing is based on Article 6(1)(a) or Article 9(2)(a), the right to withdraw consent at any time, without affecting the lawfulness of the processing carried out on the basis of consent prior to its withdrawal;
- d) the right to lodge a complaint with a supervisory authority;
- (e) information on whether the requirement to provide personal data is of a regulatory or contractual nature or whether it is a condition for the conclusion of a contract and whether the data subject is obliged to provide the personal data, as well as on the possible consequences of failure to provide such data;
- (f) the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, relevant information concerning the underlying logic and the significance and intended consequences of such processing for the data subject.
3 Where the controller intends to further process personal data for a purpose other than that for which the personal data were collected, it shall provide the data subject in advance with information about that other purpose and any other relevant information referred to in paragraph 2.
(4) Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has this information.
Article 14 Information to be provided where the personal data have not been obtained from the data subject
1 Where the personal data have not been obtained from the data subject, the controller shall provide the data subject with all the following information:
- (a) the identity and contact details of the controller and, where applicable, of the representative of the controller;
- b) where applicable, the contact details of the Data Protection Officer;
- c) the purposes of the processing for which the personal data are intended and the legal basis for the processing;
- d) the categories of personal data concerned;
- e) where appropriate, the recipients or categories of recipients of the personal data;
- (f) where applicable, the fact that the controller intends to transfer personal data to a recipient in a third country or to an international organisation, and the existence or absence of an adequacy decision by the Commission or, in the case of transfers referred to in Article 46 or 47 or in the second subparagraph of Article 49(1), the reference to the appropriate or adequate safeguards and the means of obtaining a copy of them or the place where they have been made available;
(2) In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
- a) the period for which the personal data will be kept or, where this is not possible, the criteria used to determine that period;
- (b) where processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;
- (c) the existence of the right to request from the controller access to, rectification or erasure of personal data, or a restriction on the processing relating to the data subject, as well as the right to object to the processing and the right to data portability;
- (d) where processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on consent carried out prior to withdrawal of consent;
- e) the right to lodge a complaint with a supervisory authority;
- f) the source from which the personal data originate and, where appropriate, a statement as to whether or not they originate from publicly available sources;
- (g) the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, relevant information concerning the underlying logic and the significance and intended consequences of such processing for the data subject.
(3) The controller shall provide the information referred to in paragraphs 1 and 2:
- (a) within a reasonable time after obtaining the personal data, but not exceeding one month, having regard to the specific circumstances in which the personal data are processed;
- b) if the personal data is to be used for the purposes of communicating with the data subject, at the latest at the time of the first communication to the data subject; or
- c) if it is intended to communicate the information to another recipient, at the latest when the personal data is communicated for the first time.
(4) Where the controller intends to further process the personal data for a purpose other than that for which the personal data were obtained, the controller shall provide the data subject in advance with information about that other purpose and any other relevant information referred to in paragraph (2).
(5) Paragraphs (1) to (4) shall not apply where and to the extent that:
- a) the data subject already has this information;
- (b) the provision of such information proves impossible or would require a disproportionate effort, in particular for processing for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes subject to the conditions and safeguards referred to in Article 89(1), or insofar as the obligation referred to in paragraph 1 of this Article is likely to make impossible or seriously compromise the achievement of the purposes of such processing. In such cases, the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including by making the information publicly available;
- (c) obtaining or communicating the information is expressly provided for by Union law or by the law of the Member State to which the controller is subject and which provides for appropriate measures to protect the data subject's legitimate interests; or
- d) personal data must remain confidential by virtue of an obligation of professional secrecy regulated by Union law or the law of the Member States, including a statutory obligation of professional secrecy.
Article 15 Data subject's right of access
(1) The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data relating to him or her are being processed and, where such data are being processed, access to such personal data and the following information:
- a) the purposes of the processing;
- b) the categories of personal data concerned;
- c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients established in third countries or international organisations;
- (e) the existence of the right to request from the controller the rectification or erasure of personal data, or a restriction on the processing of personal data relating to the data subject, or the right to object to such processing;
- f) the right to lodge a complaint with a supervisory authority;
- g) where personal data is not collected from the data subject, any available information as to its source;
- (h) the existence of automated decision-making, including profiling, as referred to in Article 22(1) and (4) and, at least in such cases, relevant information concerning the underlying logic and the significance and expected consequences of such processing for the data subject.
2 Where personal data is transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards, pursuant to Article 46, in relation to that transfer.
3 The controller shall provide a copy of the personal data being processed. The controller may charge a reasonable fee based on administrative costs for any additional copies requested by the data subject. Where the data subject submits his or her request electronically, the information shall be provided in a commonly used electronic form, unless the data subject requests otherwise.
4 The right to obtain a copy referred to in paragraph 3 shall not prejudice the rights and freedoms of others.
Articles 12 and 13 of the RGPD Regulation make it clear that a very precise and strict legal framework will have to be implemented to avoid any difficulties and to ensure that companies respect privacy and protect personal data, in line with the objective pursued by the European legislator.
Section 3 Rectification and deletion
Article 16 Right of rectification
The data subject has the right to obtain from the controller, as soon as possible, the rectification of inaccurate personal data concerning him or her.
In view of the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by providing a supplementary declaration.
Article 17 Right to erasure ("right to be forgotten")
(1) The data subject has the right to obtain from the controller the erasure, as soon as possible, of personal data relating to him or her and the controller has an obligation to erase such personal data as soon as possible, where one of the following grounds applies:
- a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- (b) the data subject withdraws the consent on which the processing is based in accordance with Article 6(1)(a) or Article 9(2)(a) and there is no other legal basis for the processing;
- (c) the data subject objects to the processing under Article 21(1) and there are no compelling legitimate grounds for the processing, or the data subject objects to the processing under Article 21(2);
- d) the personal data has been processed unlawfully;
- (e) the personal data must be erased in order to comply with a legal obligation laid down by Union law or by the law of the Member State to which the controller is subject;
- f) the personal data have been collected in connection with the provision of information society services as referred to in Article 8(1).
(2) Where the controller has made the personal data public and is required to erase it pursuant to paragraph 1, the controller shall, having regard to available technology and the costs of implementation, take reasonable steps, including technical steps, to inform controllers processing the personal data that the data subject has requested the erasure by those controllers of any link to, or any copy or reproduction of, the personal data.
(3) Paragraphs 1 and 2 shall not apply insofar as such processing is necessary for:
- (a) the exercise of the right to freedom of expression and information;
- (b) to comply with a legal obligation to process which is laid down by Union law or by the law of the Member State to which the controller is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
- (c) for reasons of public interest in the field of public health, in accordance with Article 9(2)(h) and (i) and Article 9(3);
- (d) for archival purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1), insofar as the right referred to in paragraph 1 is likely to make impossible or seriously compromise the achievement of the purposes of such processing; or
- e) the establishment, exercise or defence of legal claims.