
Chapter 3

Obligations and sanctions

Obligations

Determine a retention period

In the absence of regulatory provisions, it is the responsibility of the data controller to determine the appropriate retention period according to their business needs.

Take appropriate security measures

The data controller must take all technical and organizational measures necessary to guarantee the security of the archived data.

To do this, the controller must ensure compliance with privacy requirements upstream, before the processing begins. This responsibility also lies with the controller when a processor is engaged: the controller must therefore verify that the processor offers sufficient security guarantees.

The security measures put in place must be proportionate to the risks and to the nature of the data. The risks concern in particular:

  • destruction (accidental or unlawful);
  • loss;
  • alteration;
  • unauthorized disclosure;
  • unauthorized access to data.

Manage access rights

Manage and adapt employee authorizations according to the different stages of the archiving life cycle.

When the data pass from the “active database” to the “intermediate archiving database” and then to “final archiving”, they must no longer be available for consultation by all of the operational staff initially planned, but only by specially authorized persons who need to know their content because of their functions (for example, the department in charge of litigation).

Promote anonymization

One of the measures that limits the risk to data is anonymization. Anonymization consists in applying a set of techniques in such a way that it becomes impossible to identify the persons concerned.

Failure to comply with the security obligation is sanctioned by the Penal Code, but also by the supervisory authorities at the European level. For France, that authority is the CNIL.

Sanctions

The data controller must implement effective backup solutions in order to avoid incidents affecting backed-up data, since in some cases the controller may be held liable.

Indeed, if an incident occurs (cyberattack, flaws in the system…) due to a breach of regulatory obligations (art. 32 et seq. of the GDPR) or a breach of the supervisory authority’s recommendations (in France, the CNIL), the data controller can be sanctioned.

Two types of sanctions can occur: administrative fines and criminal penalties.

A data controller who does not respect the regulatory obligations and the supervisory authority’s recommendations makes the company more vulnerable to data loss.

Indeed, if the company is not able to restore its lost data, it could suffer a total or partial interruption of its activities, which can affect the company’s productivity.

However, if the backups have been done correctly, the company will be able to resume its activities as quickly as possible. Business continuity will be ensured and the company’s financial losses reduced.

There is also a risk related to the company’s image and reputation regarding its clients.

Moreover, the controller has to ensure that the processor offers sufficient security guarantees before using its services. Indeed, an individual can sue the controller if the processing of their data caused them damage.

However, a controller will not be held liable for damage if it proves that it was not responsible in any way for the event giving rise to the damage.