DATA BREACH PROCEDURE
1. Purpose
This Procedure is established by JELIC, located at 66 Avenue des Champs-Élysées, 75008 Paris, registered under SIREN number 447 820 150 (hereinafter referred to as "the controller").
The purpose of this Procedure is to describe the measures taken by JELIC, hereinafter the data controller, in order to prevent data breaches and to react appropriately in the event of an incident.
This global Procedure covers the entire process, i.e. the implementation of measures aimed at:
a) Detecting a breach immediately; and
b) Containing it quickly; and
c) Analysing the risks generated by the incident and determining whether it is appropriate to notify the supervisory authority, or even the persons concerned.
There is a personal data breach when:
a) The data controller has processed personal data; and
b) These data have been the subject of a breach (loss of availability, integrity or confidentiality of personal data, whether accidental or unlawful).
This Procedure reflects the controller's wish to act in full transparency, in compliance with the applicable national provisions and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the "General Data Protection Regulation").
2. Security
In order to prevent any data breach, the data controller has implemented strict security measures.
The data controller pays particular attention to the protection of the privacy of its users and therefore undertakes to take the reasonable precautions required to protect the personal data collected against loss, theft, disclosure or unauthorized use.
The data controller implements the appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, having regard to the risks presented by the processing and the nature of the data to be protected. It takes into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of users.
The data controller always uses encryption technologies that are recognized as industry standards within the IT sector when transferring or receiving data on the website.
The controller has implemented appropriate security measures to protect and prevent the loss, misuse or alteration of information received on the website.
It regularly tests and evaluates the effectiveness of these technical and organizational measures to ensure the security of the processing.
3. Reaction in the event of an incident
In the event that the personal data under the data controller's control should be compromised, it will act quickly to identify the cause of the breach, in particular by documenting the incident internally and by assessing the risk, and it will take the necessary and appropriate remedial measures, if necessary by notifying the incident to the supervisory authority and/or by communicating it to the person concerned.
4. Document the incident internally
The internal record of the incident must set out:
a) The nature of the breach; and
b) If possible, the categories and approximate number of persons affected by the breach; and
c) The categories and approximate number of personal data records concerned; and
d) The likely consequences of the data breach; and
e) The measures taken or envisaged to prevent this incident from happening again or to mitigate any negative consequences.
5. Risk assessment
The risk will be assessed on a case-by-case basis by the controller, taking into account the following elements:
a) The type of breach (affecting the integrity, confidentiality or availability of the data); and
b) The nature, sensitivity and volume of the personal data concerned; and
c) The ease of identifying the persons affected by the breach; and
d) The possible consequences of the breach for those persons; and
e) The characteristics of those persons (children, vulnerable persons, etc.); and
f) The number of persons involved; and
g) The characteristics of the controller (nature, role, activities).
6. Notification to the supervisory authority
In the event of a personal data breach, the controller will notify the breach to the competent supervisory authority as soon as possible and, if possible, no later than 72 hours after becoming aware of it, unless the breach in question is not likely to create a risk for the rights and freedoms of natural persons. When the notification to the supervisory authority does not take place within 72 hours, it is accompanied by the reasons for the delay.
The notification must, at a minimum:
a) Describe the nature of the personal data breach including, if possible, the categories and approximate number of persons affected by the breach and the categories and approximate number of personal data records affected; and
b) Communicate the name and contact details of the data protection officer or other point of contact from which further information can be obtained; and
c) Describe the likely consequences of the personal data breach; and
d) Describe the measures taken or that the controller proposes to take to remedy the personal data breach, including, where applicable, measures to mitigate any negative consequences.
7. Communication to the data subject
When a personal data breach is likely to generate a high risk for the rights and freedoms of a natural person, the controller communicates the personal data breach to the data subject as soon as possible.
The communication to the data subject describes in clear and simple terms the nature of the personal data breach and contains at least the following information:
a) The nature of the breach; and
b) The name and contact details of the data protection officer or other point of contact from which further information can be obtained; and
c) A description of the likely consequences of the personal data breach; and
d) A description of the measures taken or that the controller proposes to take to remedy the breach, including, where applicable, measures to mitigate any negative consequences.
Communication to the data subject is not necessary if one of the following conditions is met:
a) The controller has implemented the appropriate technical and organizational protection measures and these measures have been applied to the personal data affected by the breach, in particular measures which render the personal data unintelligible to any person who is not authorized to access it, such as encryption; or
b) The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize; or
c) It would require disproportionate effort. In this case, a public communication or similar measure is carried out instead, allowing the data subjects to be informed in an equally effective manner.