GDPR

From Mi caja de notas

This page started out at iwc:GDPR

This article is a stub. You can help me improve and complete it. Thank you.

GDPR is the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (Regulation (EU) 2016/679). It sets much stricter rules on the use of personally identifiable information and is backed by law, including fines for non-compliance. Adopted on 27 April 2016, it gave organisations a two-year grace period to bring their processes into compliance. Organisations that are not compliant after 25 May 2018 face penalties of up to 4% of annual global turnover or 20 million euros, whichever is higher.

Does this apply to my indieweb site?

Perspective 1

Purely personal sites are exempt under Article 2. If your website carries paid advertising, or advertises your own services or products, it falls within the scope of the GDPR.

Perspective 2

Strict readings of the law suggest that the GDPR can potentially reach personal, non-commercial websites under certain circumstances.

The conditions for the exemption in Art. 2(2)(c) GDPR are worded very narrowly: "by a natural person in the course of a purely personal or household activity". Recital 18 spells this out further: "This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity."

Read strictly, "no connection" could mean that the GDPR applies to a personal website as soon as it has any link to a professional or commercial activity. That would cover not only commercial aspects but also, for example, a web professional discussing web technology on their personal site.

Some GDPR concepts

Please note: The Indieweb Wiki is not a legal resource. Information presented herein may not be accurate, or apply to your specific circumstances.

Legal grounds for processing

The GDPR always requires a legal basis for processing personal data; Art. 6 GDPR lists six:

  • Consent
  • Contract
  • Legal obligation
  • Vital interest
  • Public task
  • Legitimate interest

Each of these comes with strict rules on its preconditions and the obligations that follow from it.

Consent

Consent is one of the six possible grounds for justifying processing [1]. The Guidelines warn:

  • if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn. If not, alter your consent mechanisms and seek fresh GDPR-compliant consent, or find an alternative to consent.

Data Portability

The GDPR also requires data portability: data must be movable from one service to another in a safe, standard, usable way.

On the question of which data is covered, the guidelines (PDF) say, for example:

As an example, the titles of books purchased by an individual from an online bookstore, or the songs listened to via a music streaming service are examples of personal data that are generally within the scope of data portability, because they are processed on the basis of the performance of a contract to which the data subject is a party.

This extends to "posts on social networking websites", as noted on the official FAQ page. Your data must be provided to you "free of charge, in electronic format" [2], and you are allowed to pass it on to another website [3]. This could make up for silos that offer no native export option.

Data Erasure

Building on the 'Right to be Forgotten' decision of the European courts, the Regulation for the first time codifies the right to have personal data erased by the data controller (Art. 17). There are limits to this right, which must be balanced against freedom of expression, the public interest in health, scientific and historical research, and the establishment, exercise or defence of legal claims.

Extra Territoriality

Unlike the previous law (Data Protection Directive 95/46/EC), the GDPR also applies to companies established outside the European Union when they offer goods or services to, or monitor the behaviour of, people in the Union (Art. 3(2)), regardless of where the company is located. This is a major shift from the previous law, which hinged on the business having an establishment in a member state of the Union. Furthermore, the old gap whereby data 'processed' outside the EU escaped the law is closed: the rights now attach to the data subject and follow the data wherever it is processed.

Articles

See Also