The event made the front page of all the media this Friday, May 25, 2018: the General Data Protection Regulation (GDPR) has come into force in all the countries of the European Union. It replaces the 1995 European directive on personal data protection and becomes the new reference in this field.
One month to answer
But what are these rights that the GDPR reinforces and specifies? And have organizations handling personal data put in place all the procedures needed to respect the exercise of these rights? That is far from certain. Most of them prefer to wait for the first requests from European citizens before reacting. But the company has only one month to respond. After this period, the person concerned may lodge a complaint with the competent supervisory authority, with possible administrative, financial or even criminal penalties and a consequent reputational risk.
Contrary to popular belief, the GDPR is not limited to new requirements for consent. European citizens also have other rights to assert: to access their personal data (Article 15), to have them rectified if they are inaccurate or incomplete (Article 16), to request their deletion (Article 17) or the restriction of their processing (Article 18), to receive them in a machine-readable format and send them to another controller (Article 20), to object to their processing for prospecting purposes or for reasons related to their situation (Article 21), and to require that decisions based on automated processing be made by natural persons and not only by computers (Article 22). On paper, respecting these rights is relatively simple to implement, but the reality is much more complicated, especially when the activity of the company is based on personal data exploited in different ways and in several locations.
Let us take a simple example: a company holds the personal data of a large number of customers (thousands, if not hundreds of thousands) and uses them, on the one hand, to continue the commercial relationship sanctioned by a contract (legitimate interest) and, on the other hand, to send advertising and promotional messages from partners (consent). Let us now assume that a significant number of these customers withdraw, at the same time, their consent for the company to use their personal data as part of marketing actions. Responding to these requests manually will be impossible, as the workload will be large and the response time short; it will necessarily involve the implementation of an automated solution.
At AdbA, we are among the few to offer you, according to the mapping of your data and the configuration of your IT system, a tailor-made platform that is fully flexible and capable of responding to all requests to exercise rights under the GDPR, from the right of access to automated decision making. Completely integrated into your IT system, whether in a datacenter or within your company, our platform also manages relations with your potential subcontractors for the processing of personal data. It can also be combined with other IT solutions, such as one that centralizes, via an interface, the requests of citizens wishing to assert their rights with respect to their personal data and ensures their follow-up while respecting the prescribed response time of 30 days.
With AdbA, you have a turnkey solution, adapted to your needs and your environment, which allows you to fully master all the constraints related to the GDPR. You save time, minimize the impact of the GDPR on your human resources and preserve your most valuable asset: the image of your company.
 In the Grand Duchy of Luxembourg, this mission is fulfilled by the Commission nationale de protection des données (CNPD).