Page 77 - RIMD_4
P. 77
77
R e v u ed el ’ I n s t i t u td uM o n d ee td udéveloppement
In order to reduce the responsibilities that they might incur when they pro-
cess personal data files, local authorities can appoint a personal data protec-
tion officer (“correpondant à la protection des données” or “correspondant
informatique et libertés” in conformity with article 22. III of the Act of 6
January 1978 amended in 2004).
This evolution has to be underlined especially towards local authorities that
usually process personal data to ensure the running of e-services. In this
context, the representatives of local authorities can be responsible in case
of ignorance or of failure to respect the protection data rules. From this
point of view, it is necessary to specify that the ignorance of such rules
cannot prevent local authorities from respecting the law. Indeed, recently a
French municipality has been sanctioned (by a public warning) for having
published on the Internet personal data of a citizen that lives in that town.
These data come from the electoral list that municipalities have to update
every year and to publish on paper version according to electoral laws (see
CNIL decision n° 2012-320 of 20 September 2012).
The mission of the personal data protection officer consists in encouraging
a better application of the Act of 6 January 1978 amended. He/she is char-
ged with ensuring, on an independent basis, compliance with the obliga-
tions provided for in this Act. This officer has especially to prevent that the
personal data processed by local authorities are not distorted, damaged, or
that some non authorized people have access to them. The officer can be
appointed by any responsible for data processing who is, for instance, the
mayor in municipalities (this officer exists not only in the public sector, but
also in associations and firms for example).
Indeed, according to article 22 of the Act of 6 January 1978 amended, « the
appointment of the officer shall be notified to the "Commission Nationale
de l’Informatique et des Libertés''. The officer shall be a person who shall
have the qualifications required to perform his duties. He shall keep
subsequently be processed in a manner that is incompatible with those purposes. However,
further data processing for statistical, scientific and historical purposes shall be considered
compatible with the initial purposes of the data collection, if it is carried out in conformity
with the principles and procedures provided for in this Chapter, in Chapter IV (formalities
prior to commencing data processing) and in Section 1 of Chapter V (obligations incumbent
upon the data controllers and the rights of individuals) as well as in Chapters IX (processing
of personal data for the purpose of medical research) and X (processing of personal medical
data for the purposes of evaluation or analysis of care and prevention practices or activities)
and if it is not used to take decisions with respect to the data subjects;
3° they shall be adequate, relevant and not excessive in relation to the purposes for which
they are obtained and their further processing;
4° they shall be accurate, complete and, where necessary, kept up-to-date. Appropriate steps
shall be taken in order to delete and rectify data that are inaccurate and incomplete with
regard to the purposes for which they are obtained and processed;
5° they shall be stored in a form that allows the identification of the data subjects for a period
no longer than is necessary for the purposes for which they are obtained and processed".
o
RIMD–n 4–2013
R e v u ed el ’ I n s t i t u td uM o n d ee td udéveloppement
In order to reduce the responsibilities that they might incur when they pro-
cess personal data files, local authorities can appoint a personal data protec-
tion officer (“correpondant à la protection des données” or “correspondant
informatique et libertés” in conformity with article 22. III of the Act of 6
January 1978 amended in 2004).
This evolution has to be underlined especially towards local authorities that
usually process personal data to ensure the running of e-services. In this
context, the representatives of local authorities can be responsible in case
of ignorance or of failure to respect the protection data rules. From this
point of view, it is necessary to specify that the ignorance of such rules
cannot prevent local authorities from respecting the law. Indeed, recently a
French municipality has been sanctioned (by a public warning) for having
published on the Internet personal data of a citizen that lives in that town.
These data come from the electoral list that municipalities have to update
every year and to publish on paper version according to electoral laws (see
CNIL decision n° 2012-320 of 20 September 2012).
The mission of the personal data protection officer consists in encouraging
a better application of the Act of 6 January 1978 amended. He/she is char-
ged with ensuring, on an independent basis, compliance with the obliga-
tions provided for in this Act. This officer has especially to prevent that the
personal data processed by local authorities are not distorted, damaged, or
that some non authorized people have access to them. The officer can be
appointed by any responsible for data processing who is, for instance, the
mayor in municipalities (this officer exists not only in the public sector, but
also in associations and firms for example).
Indeed, according to article 22 of the Act of 6 January 1978 amended, « the
appointment of the officer shall be notified to the "Commission Nationale
de l’Informatique et des Libertés''. The officer shall be a person who shall
have the qualifications required to perform his duties. He shall keep
subsequently be processed in a manner that is incompatible with those purposes. However,
further data processing for statistical, scientific and historical purposes shall be considered
compatible with the initial purposes of the data collection, if it is carried out in conformity
with the principles and procedures provided for in this Chapter, in Chapter IV (formalities
prior to commencing data processing) and in Section 1 of Chapter V (obligations incumbent
upon the data controllers and the rights of individuals) as well as in Chapters IX (processing
of personal data for the purpose of medical research) and X (processing of personal medical
data for the purposes of evaluation or analysis of care and prevention practices or activities)
and if it is not used to take decisions with respect to the data subjects;
3° they shall be adequate, relevant and not excessive in relation to the purposes for which
they are obtained and their further processing;
4° they shall be accurate, complete and, where necessary, kept up-to-date. Appropriate steps
shall be taken in order to delete and rectify data that are inaccurate and incomplete with
regard to the purposes for which they are obtained and processed;
5° they shall be stored in a form that allows the identification of the data subjects for a period
no longer than is necessary for the purposes for which they are obtained and processed".
o
RIMD–n 4–2013
