Legal document

TABLE OF CONTENTS

How do you write your GDPR notices?
Is the RGPD Charter mandatory?
Sanctions for non-compliance
Steps to create your RGPD Charter with Dipeeo?

GDPR Charter

The main purpose of a Privacy Notice is to inform users of a website or digital platform about the personal data collected. Indeed, informing users is one of the pillars of the RGPD.

This RGPD charter can also be called a “privacy policy” or “privacy notice”. The important thing is that it should be easy for the user to find and understand; otherwise it won’t be able to fulfill its role.

Within an RGPD charter, a user must be able to find the personal data that is collected, how it is used, the recipients, the retention periods, its retention outside the EU and the various rights of users regarding their collected personal data…

For a better understanding of the implementation of each section, Dipeeo’s RGPD charter is available on the left for download.

On this subject, as part of its support for professionals in RGPD compliance, the CNIL has put in place basic precautions to make users aware of what’s at stake in terms of security and privacy.

How do you write your GDPR notices?

Defining the scope of processing: determining the purpose of your processing is the first thing you need to think about. In other words, you need to specify the reason why you are collecting personal data.

Definition of the legal basis (consent, legal obligation…): Article 13 specifies this point, requiring the identification of one of six different bases:

  • Personal consent;
  • Performance of a contract or pre-contractual measures;
  • A legal obligation;
  • Safeguarding a person’s vital interests;
  • A mission of public interest / public authority;
  • The legitimate interests of the data controller.

Indication of data recipients: the next step is to indicate the recipients of the personal data. This point is mentioned in article 13.1.e, and we understand that it is compulsory to indicate:

“the recipients or categories of recipients of personal data, if any”.

Determining the data retention period: this is one of the rules imposed by the RGPD. It is mandatory to tell data subjects how long you keep their personal data. You’ll find this rule in article 13.2.a.

Finalizing the rest of the mandatory mentions: after defining the scope of your processing and its legal basis, determining the retention period, indicating the recipients and mentioning whether providing the data is mandatory or not, all that remains is to indicate the remaining requirements of Article 13 of the RGPD, namely:

  • “the identity and the contact details of the controller and, where applicable, of the controller’s representative” (art. 13.1.a);
  • “where applicable, the contact details of the data protection officer” (art. 13.1.b) – if you don’t have a data protection officer, leave this blank;
  • “the existence of the right to request from the controller access to personal data, rectification or erasure of such data, or a restriction on the processing relating to the data subject, or the right to object to processing and the right to data portability” (art. 13.2.b);
  • “the right to lodge a complaint with a supervisory authority” (art. 13.2.d).

Is the RGPD Charter mandatory?

Any organization, company of any size, association […] in possession of personal data, whether from customers, employees or even visitors to their websites, is obliged to draw up an RGPD charter. As the name suggests, personal data is information that can be used to identify a person. In other words, a surname, first name, telephone number or address can be considered personal data.

In this respect, the law punishes any failure to provide information describing the processing of personal data collected. It is also compulsory to update this information after each modification to the various processing procedures.

Transparency, comprehensibility and accessibility are all requirements imposed by law when it comes to information provided to data subjects.

Sanctions for non-compliance

Generally speaking, the types of sanctions for failure to comply with the RGPD Charter are administrative sanctions and criminal sanctions.

A list of conditions set out in Article 83 of the RGPD allows what is known as a supervisory authority, after verifying these conditions, to apply administrative sanctions to the organization (be it a company or an association…) that has not complied with the RGPD provisions.

Article 84, for its part, provides for additional sanctions in the event of non-compliance with the RGPD, provisions that are found in the French Penal Code. By way of example, we can cite here Article 226-16 of the Penal Code, which stipulates: “the fact, including through negligence, of carrying out or having carried out processing of personal data without compliance with the formalities prior to their implementation provided for by law is punishable by five years’ imprisonment and a fine of 300,000 euros”.

Steps to create your RGPD Charter with Dipeeo?

1. Tell us about your project: questionnaire (5 min)

2. One of our experts will contact you (24h)

3. You'll receive your document! (24h)

2nd DPO in France

+20 new clients per month

3 years of existence

1.8M euros raised in 2024

They trust us

L'EXPRESS was brought into compliance by Dipeeo, which acts as its external DPO.
RATP Dev d'insertion was brought into compliance by Dipeeo, which acts as its external DPO.