Computer files and personal data

Verified 17 March 2021 - Directorate for Legal and Administrative Information (Prime Minister)

Different organizations use your personal data: administration, company, social network, website, association... You have the right to be informed and to control how your data is used. For example, you can obtain and correct the information an organization holds about you, or object to being included in a file. In case of difficulties, you can make a complaint to the Cnil.

An organization that collects your personal data directly from you should provide you with the following information:

  • Identity and contact details of the data controller and, if necessary, of the data controller's representative
  • Contact details for Data Protection Officer (DPO) if a DPO has been designated
  • Purposes of processing (e.g. payroll management)
  • Legal basis for processing (e.g. performance of a contract or fulfillment of a legal obligation)
  • If necessary, legitimate interests of the controller justifying the collection of your personal data (e.g. doing business prospecting)
  • Data Recipients
  • Intent to transfer data to a country outside the European Union, and existence or absence of an adequacy decision by the European Commission or of safeguards put in place to govern the transfer of data (e.g. standard contractual clauses)
  • Retention period of data or criteria used to determine this period
  • Existence of your rights (right to access, rectify, erase, limit or object to the processing of your data, right to portability and right to define guidelines on the fate of your personal data after your death)
  • Right to withdraw your agreement if the processing is based on your agreement
  • Right to lodge a complaint with the Cnil
  • Information on whether the provision of your personal data is of a regulatory or contractual nature, whether the provision of your data is a condition for the conclusion of a contract, and the possible consequences of not providing your data
  • Existence of automated decision-making, including profiling, and information about the impact of this processing on you
  • If necessary, information on the other purposes envisaged for this processing

If the controller does not collect your personal data directly from you, it must tell you where it comes from and what categories are collected.

You must be able to access this information easily.

This information must be provided to you in clear and simple language.

Example:

Page accessible from the home page of the organization's website. The title of the page should be clear: privacy policy, privacy page or personal data.

You need to be well informed about how your data is being used.

Thus, the organization must inform you in the event of a breach of your personal data if there is a high risk to your rights and freedoms.

Example:

Unauthorized disclosure of your data

The right of access is used to determine if your data are processed by an organization, and if they are, to obtain a copy of your data in plain language.

The organization must also provide you with the following information:

  • Why your data is being used
  • What categories of data are used
  • Who are the recipients of your data
  • How long your data is kept
  • What are your rights?
  • What is the origin of your data when it has not been collected directly from you?
  • If there is automated decision-making, including profiling, and what is the impact of this processing on you.

Where personal data are transferred to a country outside the European Union or to an international organization, you must be informed of the guarantees governing their transfer.

When you send a request by email, you must receive the information by email. However, you may request that the information be communicated to you in another way. For example, by mail.

Please note

The right to obtain a copy of personal data must not prejudice the rights and freedoms of another person.

Direct access

In practice, consult the website of the organization concerned for the contact details of the contact person.

The request can be made by online form, by email, by post...

If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.

The procedure is free of charge.

However, the organization may ask you to pay a reasonable fee. For example, if you request an additional copy.

Mail templates are available from the Cnil.

Send a letter to an organization that holds your personal data

Keep a copy of your application so that you can make a complaint if necessary.

When the organization receives your application, it has 1 month to answer you.

If the organization needs more time, it must inform you within one month of receiving your request. In total, the response time cannot exceed 3 months.

In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil.

Submit a complaint online to the Cnil

FYI

Different rules apply to certain files. For example, a judicial police file such as the prior criminal record (prior art) or the bank account file (Ficoba).

Indirect access

Some files are strictly regulated, such as police files or files that relate to state security. For example, the Schengen file.

These files are accessed indirectly through the Cnil.

You must specify the file in your email and attach a copy of your ID.

In the event of refusal of communication, the Cnil will provide you with the means of appeal to challenge this decision.

The right of rectification allows you to request correction of inaccurate or incomplete information about yourself.

For example, an error in your address.

In practice, consult the website of the organization concerned for the contact details of the contact person.

The request can be made by online form, by email, by post...

If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.

The procedure is free of charge.

Mail templates are available from the Cnil.

Send a letter to an organization that holds your personal data

Keep a copy of your application so that you can make a complaint if necessary.

When the organization receives your request, it has 1 month to answer you.

If the organization needs more time, it must inform you within one month of receiving your request.

In total, the response time cannot exceed 3 months.

During this period, you can request that your data is no longer used by the organization.

This is the right to restriction of processing.

For example, an e-commerce site should stop using your data while it checks it.

In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil.

Submit a complaint online to the Cnil

FYI

Different rules apply to certain files. For example, a judicial police file such as the prior criminal record (prior art) or the bank account file (Ficoba).

The right to erasure (right to be forgotten) allows you to request the removal of personal data about you.

For example, an inconvenient photo on a website.

You must be in one of the following situations:

  • Your data is no longer necessary for the purposes for which it was collected or processed
  • You withdraw your consent to the use of your data and there is no other legal basis for their processing
  • You object to the processing of your data and this processing does not meet an overriding legitimate reason
  • You object to your data being used for commercial prospecting
  • Your data has been processed unlawfully. For example, your data has been hacked and published
  • Your data must be erased in order to comply with a legal obligation
  • Your data was collected when you were a minor (blog, forum, social network, website...)

If an organization has made your personal data public and needs to erase it, it must inform the other organizations that process your data of your request for erasure. For example, deleting any link to your data or deleting any copy or reproduction of your data.

In practice, consult the website of the organization concerned for the contact details of the contact person.

The request can be made by online form, by email, by post...

Specify precisely which data you want to delete and the reasons for deleting it.

For example, if you request the erasure of a photo on a site, only the photo will be erased, not your account on that site.

If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.

The procedure is free of charge.

Mail templates are available from the Cnil.

Send a letter to an organization that holds your personal data

Keep a copy of your application so that you can make a complaint if necessary.

When the organization receives your request, it must respond as soon as possible, and at the latest within 1 month.

If the organization needs more time, it must inform you within one month of receiving your request. In total, the response time cannot exceed 3 months.

In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil.

Submit a complaint online to the Cnil

Please note

The organization may refuse your request in limited cases. For example, if erasure prevents the exercise of the right to freedom of expression and information.

The right to dereferencing allows you to have a search engine delete a search result associated with your first and last names.

For example, by typing your name in the search engine, an old resume appears.

The deletion only concerns the association of a result with your first and last names. The information is not deleted from the source website.

In practice, contact the search engine by mail or via the dedicated form (most search engines offer an online form).

Specify in your request the web address (URL) of the result to be deleted and explain why you would like to delete it.

If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.

The procedure is free of charge.

Keep a copy of your application so that you can make a complaint if necessary.

When the organization receives your request, it has 1 month to answer you.

If the organization needs more time, it must inform you within one month of receiving your request. In total, the response time cannot exceed 3 months.

In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil.

Submit a complaint online to the Cnil

Please note

The search engine may refuse your request if, for example, it proves that the information concerned must be communicated to the public.

General case

The right of opposition allows you to object to the inclusion of personal information in a file for reasons related to your particular situation.

In practice, consult the website of the organization concerned for the contact details of the contact person.

The request can be made by online form, online account, email, mail...

Specify in your request the data to be deleted and explain the reasons for your particular situation.

If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.

The procedure is free of charge.

Mail templates are available from the Cnil.

Send a letter to an organization that holds your personal data

Keep a copy of your application so that you can make a complaint if necessary.

When the organization receives your request, it has 1 month to answer you.

If the organization needs more time, it must inform you within one month of receiving your request. In total, the response time cannot exceed 3 months.

During this period, you can request that your data is no longer used. This is the right to restriction of processing.

In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil.

Submit a complaint online to the Cnil

Commercial prospecting basis

The right of opposition allows you to object to your personal data being used to send you commercial prospecting.

For example, you can refuse to appear in a prospecting database in order to no longer receive advertising emails on your personal mailbox.

Once you have exercised your right to object, the organization must no longer process your data to conduct commercial prospecting.

In practice, each solicitation must specify the identity of the advertiser and contain a simple means of opposing the receipt of new solicitations.

You can also consult the website of the organization concerned for the contact details of the contact person.

The request can be made by online form, online account, email, mail...

If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.

The procedure is free of charge.

Mail templates are available from the Cnil.

Send a letter to an organization that holds your personal data

Keep a copy of your application so that you can make a complaint if necessary.

When the organization receives your request, it must delete your personal data from its prospecting database as soon as possible.

In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil.

Submit a complaint online to the Cnil

FYI

Several schemes are also available to protect you against abusive telephone solicitation and voice or SMS spam.

Please note

The organization may refuse your request. For example, if a legal obligation or compelling legitimate grounds require it to continue processing your data, or if your data are necessary to establish, exercise or defend legal claims.

Profiling means using your personal data to evaluate certain personal aspects concerning you, in order to analyze or predict certain elements.

For example, to predict your work performance, your economic situation, your health, your personal preferences, your travel...

You have the right to refuse to be subject to a fully automated decision, often based on your profiling, that would have legal effects or impact your daily life.

For example, an automated decision can make it impossible to access a credit card.

An organization may automate the following decisions:

  • Decision authorized by specific legal provisions
  • Decision necessary for the conclusion or performance of a contract you have concluded with the organization
  • Decision made with your consent

However, when the decision is necessary for a contract or is made with your consent, you have the right to have a human being intervene and review the decision. You can also express your point of view and challenge the decision.

In practice, consult the website of the organization concerned for the contact details of the contact person.

The request can be made by online form, online account, email, mail...

If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.

The procedure is free of charge.

Mail templates are available from the Cnil.

Send a letter to an organization that holds your personal data

Keep a copy of your application so that you can make a complaint if necessary.

When the organization receives your request, it has 1 month to answer you.

If the organization needs more time, it must inform you within one month of receiving your request. In total, the response time cannot exceed 3 months.

During this period, you can request that your data is no longer used. This is the right to restriction of processing.

In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil.

Submit a complaint online to the Cnil

The right to portability is about controlling your personal data: it allows you to retrieve the data you have communicated to the organization in a machine-readable format.

For example, your contact information, your purchase history.

You can have your data transmitted directly from one organization to another when technically possible.

For example, changing social networks while keeping the history of your data, retrieving your emails from one provider to be able to use them with another service provider.

This right applies only to automated computer files created with your consent or on the basis of a contract.

In practice, consult the organization's digital platform to learn how to exercise your right to portability.

For example, after you have authenticated to your customer account, you have access to a button to download your data.

In case of difficulties, consult the website of the organization concerned for the contact details of the contact person.

The request can be made by online form, by email, by post...

If there is reasonable doubt about your identity, the organization may ask you for information to confirm it. For example, to prevent identity theft.

The procedure is free of charge.

Keep a copy of your application so that you can make a complaint if necessary.

When the organization receives your request, it has 1 month to answer you.

If the organization needs more time, it must inform you within one month of receiving your request. In total, the response time cannot exceed 3 months.

In the absence of a response or in case of an unsatisfactory response, you can make a complaint to the Cnil.

Submit a complaint online to the Cnil

FYI

The exercise of the right to portability shall not prejudice the rights and freedoms of other persons. It shall not apply to processing operations necessary for the performance of a task carried out in the public interest.