Processing of personal data: definition
This refers to any operation on personal data, whether digital or on paper: “collection, recording, organisation, storage, adaptation, modification, retrieval, consultation, use, communication by transmission or dissemination or any other form of making available, matching” according to the CNIL website.
The processing of such data is likely to infringe on the privacy of users. This is why these operations are subject to European regulations and French law:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
- LOI n° 2018-493 du 20 juin 2018 relative à la protection des données personnelles
What data are concerned?
Personal data is information that makes it possible to identify a natural person, either directly or by cross-checking information: surname, first name, e-mail address, geographical address, social security number, telephone number, voice recording, photograph, date of birth, diplomas, place of work, etc.
How to write the explanatory paragraph
On your website, you must write an article on the collection and processing of personal data, to be included in the legal notice. In this paragraph you should:
- refer to Law n° 78-17 du 6 janvier 1978, relative à l’Informatique, aux fichiers et aux Libertés (articles 38, 39, 40) and to the Règlement général sur la protection des données (RGPD) which came into force on 25 May 2018
- indicate a contact person and the means by which users can assert their rights in case of need: e-mail, telephone, on their personal space, etc.
- explain the purpose of the data collection. For example: for secure navigation on the journal’s website, to enable dissemination, archiving, indexing of articles and their metadata in an open access context, etc.
- state the legal basis of the data processing: consent of the person, execution of a contract, legitimate interest of the host…
- indicate who has access to the data: internal departments, a service provider, the host, etc.
- specify how long the data will be retained.
Example of a paragraph for a journal hosted by the centre Mersenne
The journal [Journal name], via its website, does not trade in the data of users, third parties and contributors (editors, reporters and authors). The information we collect for the proper functioning of the publication site has been voluntarily entered by the users and contributors, via an action on their part (connection, navigation on the site, submission of a document, downloading…).
The centre Mersenne has its own personal data protection policy, which is available on the centre Mersenne’s website at the following link: https://www.centre-mersenne.org/spage/privacy/
In accordance with Law n° 78-17 du 6 janvier 1978, relative à l’Informatique, aux fichiers et aux Libertés (articles 38, 39, 40) and the general regulation on data protection (RGPD), which came into force on May 25, 2018, you have a right of access, rectification, portability, and deletion of data concerning you that is published online on this site and/or processed by [Journal name] or the centre Mersenne. You also have the right to object to such processing of personal data, to ask for such processing to be limited, to withdraw your consent to such processing, and to ask, if applicable, for your account to be deleted.
To exercise these rights or for any further information, in particular concerning the policy of [publisher name] on the protection of personal data, please contact: firstname.lastname@example.org.
Examples of processing of personal data
For example, in the context of a scientific journal site, the main personal data managed are:
- the full names of the authors
- the list of their publications
- the authors’ e-mail addresses
- the authors’ telephone numbers
- the IP addresses of site users (authors, readers, etc.)
- the affiliation of authors
What are the rights of users?
Users of a scientific journal site, in this case authors and readers, have rights:
- Right of access: any person whose data is collected may request access to his/her personal data at any time and without limitation.
- Right of modification and deletion: any person whose data is collected may request the rectification of erroneous information or request its deletion.
- Right to transfer data: any person whose data is collected has the right to retrieve their data in a reusable form and to transfer it to a third party.
- Right to be forgotten: any person whose data is collected is entitled to the deletion of their data and to dereferencing.
- Right to notification
- Right to compensation for material or moral damage
Declaration to the CNIL
Since 25 May 2018, when the RGPD came into force, declarations to the CNIL have been abolished, except for certain formalities, particularly in the health sector.
More information: https://www.cnil.fr/fr/declarer-un-fichier