General Data Protection Regulation

The essentials of the GDPR in 6 points


The European Regulation of 27 April 2016 on personal data came into force on 25 May 2018.

Its objective is to strengthen the protection of individuals in the European Union. It defines and specifies a certain number of rights recognized to individuals whose personal data is processed. It also provides for a certain number of obligations on the part of companies.

1. An extended scope of application

Since May 25, 2018, any company, as soon as it offers goods or services to the persons concerned by the processing on the whole territory of the European Union, must apply the GDPR.

2. The accountability principle and the end of reporting obligations

The accountability principle is one of the fundamental principles of the GDPR. It refers to the obligation for companies to implement internal mechanisms and procedures to demonstrate compliance with data protection rules.

This principle requires companies to provide the supervisory authorities (in France, the Commission Nationale Informatique et Libertés) with documentation establishing compliance with the Regulation.

Routine processing operations must now be listed in a register and no longer have to be declared to the CNIL.

3. Increased penalties

Failure to comply with the obligations of the Regulation is sanctioned by administrative fines issued by the Commission Nationale Informatique et Libertés. These fines have been considerably increased and can amount to up to 20 million euros or 4% of worldwide turnover (whichever is higher).

The CNIL monitors the application of the GDPR and imposes penalties of several million euros. 

4. Strengthening the rights of data subjects

New rights are recognized for the persons concerned by the processing.

These include the right to portability, the right to be forgotten and the right to limitation. In the event of a data breach, procedures must also be defined to notify the CNIL and the persons concerned. 

5. A new actor: the Data Protection Officer (DPO)

The DPO guarantees the compliance of his organization with the Data Protection Act. 

His appointment, mandatory in certain cases (*), is one of the major measures of the Regulation. He takes over from the Data Protection Correspondent but his responsibilities are broader.

Companies wishing to commit themselves to the respect of the privacy of individuals can also proceed to the optional appointment of a DPO.

The DPO continuously monitors the compliance of his organization. His appointment must meet conditions of integrity and professional ethics, Sellsy appointed a DPO on May 25, 2018, he can be contacted at

(*) For public authorities or organizations, organizations whose basic activities lead them to carry out regular and systematic monitoring of individuals on a large scale, organizations whose basic activities lead them to process on a large scale so-called "sensitive" data or data relating to criminal convictions and offences. 

6. New obligations for data processors

Until May 25, 2018, only the controller - who decides on the purposes and means of the processing - was responsible.

The GDPR provides that a processor is responsible in principle and subjects it to specific security, confidentiality and accountability obligations. 

There is a relative obligation to advise on certain points of the regulation (breaches, security, data destruction, contribution to audits).