FAQ

Frequently Asked Questions:


GDPR


- What data is considered personal under GDPR?

Personal data is defined as any information related to an identified or identifiable natural person. This includes elements such as name, address, email address, phone number, IP address, and even biometric data.

- What rights do individuals have regarding their personal data under GDPR?

Individuals have several rights, including the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, and the right to object to the processing of their personal data.

- What are the penalties for non-compliance with GDPR?

Companies that fail to comply with GDPR risk fines of up to €20 million or 4% of the annual global turnover, whichever is higher.

- How can I ensure that my subcontractors comply with GDPR when processing my company's personal data?

It is essential to select subcontractors who provide sufficient guarantees regarding data protection. Ensure that your contracts specify confidentiality obligations, security measures to be implemented, and procedures in case of data breaches. Close collaboration with your subcontractors is crucial for maintaining GDPR compliance.

- What is a Data Protection Officer (DPO), and when is it mandatory to appoint one?

A DPO is a professional responsible for overseeing an organization's GDPR compliance. Appointing a DPO is mandatory for public authorities, companies whose core activities involve regular and systematic monitoring of individuals on a large scale, or those processing sensitive data on a large scale.

- What is a Data Protection Impact Assessment (DPIA), and when should it be conducted?

A DPIA is an assessment to identify and minimize risks associated with personal data processing. It is required when processing is likely to result in a high risk to the rights and freedoms of individuals, such as when using new technologies or processing sensitive data on a large scale.

- How does GDPR affect direct marketing and sending newsletters?

GDPR requires businesses to obtain explicit consent from individuals before sending direct marketing communications, including newsletters. Recipients must be informed of the purpose of data collection and have the option to withdraw consent at any time.

- What are the obligations in case of a personal data breach?

In case of a personal data breach, the data controller must notify the relevant supervisory authority (in France, the CNIL) within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to the rights and freedoms of individuals, those affected must also be informed without delay.

- How does GDPR apply to data transfers outside the European Union?

GDPR strictly regulates the transfer of personal data to third countries to ensure an adequate level of protection. Transfers are allowed to countries recognized by the European Commission as providing adequate protection, or using mechanisms such as standard contractual clauses or binding corporate rules.

- What are the responsibilities of processors under GDPR?

Processors, who process personal data on behalf of a controller, have specific obligations under GDPR. They must ensure data security, not engage other processors without the controller's authorization, and assist the controller in upholding the rights of individuals.

- How does GDPR impact the use of cookies on websites?

GDPR requires websites to obtain explicit consent from users before placing non-essential cookies on their devices. Users must be informed clearly and fully about the use of cookies and have the option to withdraw consent at any time.

- What is the difference between a controller and a processor?

A controller determines the purposes and means of personal data processing, while a processor processes data on behalf of the controller according to its instructions.

- How does GDPR apply to children's data?

GDPR provides special protection for children's data. Parental consent is required for processing personal data of children under 16 (or a lower age, but not below 13, depending on national laws). Information intended for children must be written in clear and age-appropriate language.

- What are the key steps to achieve GDPR compliance?

To comply with GDPR, an organization must:

  • Map the personal data being processed.
  • Verify the legitimacy of processing activities.
  • Implement appropriate security measures.
  • Inform individuals of their rights.
  • Manage individuals' rights requests.
  • Document compliance (e.g., processing registers, DPIAs).
  • Train staff on GDPR requirements.

These steps ensure responsible and compliant management of personal data.


IA-ACT


- What is the IA ACT, and how does LEGALYA facilitate compliance?

The IA ACT refers to regulations governing the use of artificial intelligence and related technologies. LEGALYA provides specific features to help organizations comply with these regulations, including AI risk assessment and the implementation of appropriate compliance measures.

- What are the main obligations for businesses under the IA ACT?

The IA ACT requires businesses to assess AI risks, ensure transparency, document AI systems, and comply with security and ethical standards.

- How does the IA ACT classify AI systems by risk?

The IA ACT categorizes AI systems into four risk levels: unacceptable risk (prohibited), high risk (under strict regulation), limited risk (transparency obligations), and minimal risk (few or no restrictions).

- What are the key dates for the implementation of the IA ACT?

The IA ACT came into effect on August 1, 2024, with progressive application of measures: some from February 2, 2025, others from August 2, 2025, and main obligations starting August 2, 2026.

- What are the implications of the IA ACT for AI system developers?

Developers must ensure their AI systems comply with the IA ACT requirements, including transparency, risk management, documentation, and adherence to ethical and security standards.

- How can businesses prepare for the IA ACT?

Businesses should begin by assessing their current AI systems, identifying potential risks, implementing compliance processes, training teams, and staying informed about regulatory updates to ensure a smooth transition to IA ACT requirements.

- What AI systems are prohibited under the IA ACT?

The IA ACT prohibits AI systems with unacceptable risk, such as those used for social scoring, subliminal manipulation, or real-time remote biometric identification in public spaces, except under strictly regulated exceptions.

- How do GDPR and IA ACT interact?

GDPR and IA ACT are complementary: GDPR protects personal data, while IA ACT regulates AI systems to ensure they are developed and used ethically and securely. Companies must comply with both regulations when using AI systems that process personal data.

Custom Development Security