France-IX GDPR preparation and compliance
Thierry Draveny
France-IX General Meeting September 2018 1

Context and compliance scope at France-IX

Context

The General Data Protection Regulation (EU/2016/679), which came into effect on 25 May 2018:
- strengthens rights for individuals concerning their personal data;
- implies new obligations for companies, as data controllers and/or processors.

Personal data: any information relating to a natural person (‘data subject’) who can be identified directly or indirectly.
Full definition in article 4 of the GDPR.

Within France-IX activities, we identified 3 general purposes for which personal data might be processed:
- Infrastructure functioning: data flow transferred by members through the France-IX infrastructure
- Customer care support, sales & marketing: individual information about members' and prospects' employees
- Human resources: individual information about France-IX employees

We analysed which processes might involve personal data:

NO, for infrastructure functioning
- France-IX doesn't extract any personal data (e.g. IP addresses) from flows crossing the infrastructure.
- Data flow is aggregated by member (MAC of the router) in order to provide statistics.

YES, for customer care support, sales & marketing, human resources
- Database: members & prospects, France-IX's employees.
- Direct communication related to France-IX’s activities.
- Suppliers: Network Operations Center (NOC), Data Center and operators (dark fibre).

Processes of personal data
- Record of processing activities for database, including security policy.
- Data processor agreements with our suppliers.
- Privacy and policy will be published on the website.
- GDPR notices will be added to communication materials, including request and contact forms.
- A dedicated contact for individuals who want to exercise their rights over their personal data.

- Execution of the contracts
- Direct communication related to France-IX activities

- Gender, first name and surname
- Position in the company
- Postal address of the company
- Phone number
- Email address
- Logs from various web portals (e.g. https://tools.franceix.net/)

- Limited to the period for which the personal data are processed.
- Erasure of the data when asked by an individual.

Compliance works in progress
- Records of processing activities
- Data processor agreements
- Privacy and security policy

GDPR’s key points

Principles (art 5 to 11)
- Accountability
- Lawfulness of processing
- Data minimization
- Limited retention of data
- ...

Rights of the ‘data subject’ (art 12 to 23)
- Transparency and access to personal data
- Rectification, erasure and restriction
- Right to object

Obligations of the controller and processor (art 24 to 39)
- Responsibilities
- Record of processing activities
- Security
- Data protection officer