Failure to comply with legislation in the field of information technology can put the organisation in a difficult situation vis-à-vis the law, its customers (brand image) and also in terms of financial consequences (fines) or criminal consequences (personal liability).
The legal responsibilities and obligations of companies regarding the protection of personal data were presented during the Internet Security Day 2007 by Maître Cyril Pierre-Beausse in a talk on computer crime: Repression and legal risks for companies relating to personal data.
Thus, the law punishes organisations from which information is stolen even more severely than the thieves themselves due to the breach of their obligation to protect personal and/or sensitive data.
The law recognises and punishes:
All organisations must implement a security policy based on:
Draft and enforce a sectoral policy on compliance.
Copyright on original literary and artistic works, which include databases and computer programs, as defined in the amended Law of 18 April 2001, must be respected. For example, the following basic principles can be cited:
For any other question, please contact the Office of Intellectual Property.
All files or databases must be created in accordance with the Law of 2 August 2002 on the protection of individuals in respect of the processing of personal data. The same applies to the processing of both newly created data and pre-existing data.
To ensure compliance with this law, the IT manager and the legal officer must obtain the applicable texts from the National Commission for Data Protection (CNPD) and ensure that the structure is suitable, particularly in respect of:
It is also important to remember the 10 personal data protection principles:
Personal data may only be processed if there are sufficiently legitimate grounds to do so.
The use of personal data must be limited to a purpose that is explicitly specified in advance and must be limited to what is necessary to achieve the purposes expressly defined by the organisation requesting the personal data.
Processing should be limited to data for which there is a direct relationship with the original purpose of the processing.
On the basis that inaccurate or incomplete information may be harmful to the person to whom it relates, every effort must be made to ensure that processed data is correct and up to date and that the option to rectify or delete it is available.
Personal data must be collected, recorded, used and transmitted in good faith and made known to the individuals involved.
Personal data must be stored in secure places, on secure equipment.
Under the law, individuals may: ask to see a copy of their personal data; request information on why the data are being held; object if the processing is unlawful. Registration of all databases with the National Commission for Data Protection upholds the principle of transparency.
Processing data revealing opinions or beliefs, or relating to health or sex life (including genetic data), is prohibited, apart from certain exceptions listed in the law.
Authorisation by the National Commission for Data Protection is required before technical means can be used to monitor people. The personal data thus collected may only be processed in the specific instances outlined in the law.
The use of personal data for commercial purposes may be objected to at any time. In principle, direct marketing using modern communications media (SMS, email) is prohibited unless the recipient has expressly agreed to it.
Deviation from one or more of these principles is punishable by law.
Furthermore, the individuals involved must be fully aware of the collection of their personal information and must give their prior consent to any collection and processing of their personal information.
The right to privacy, a basic principle in terms of image rights, is enshrined in a number of legal texts, including:
It follows from these texts that everyone has the right to object to their image both being taken and published: agreeing to be photographed does not grant authorisation to disseminate photographs in any circumstances.
It is strongly advised that the consent of an individual is obtained before their picture is taken and, in particular, before photographs of them are published. For minors, the consent of their parents or other legal representatives must be obtained, as well as the consent of minors who have reached the age of reason.