What is personal data?

Personal data or " personal data is a information relating to an identified or identifiable natural person (e.g. name, first name, social security number, address, phone number, email address, photo, fingerprint, geolocation data, IP address or online identifier).

A person is said identified when you know your identity. A person is identifiable when it can be identified, even if its name and surname would remain unknown, from data set crossing (e.g. a woman living at such an address, born such a day and a member of such an association).

On the other hand, data is no longer personal when it is anonymised, thus eliminating any possibility of identifying the data subject.

Similarly, a data item is not personal when it relates to a legal person (e.g. company, association).

What is personal data processing?

A processing of personal data consists of any transaction involving personal data, irrespective of the process used (e.g. collection, recording, storage, modification, consultation, dissemination or erasure of data).

In other words, data processing occurs whenever a person's data is used in some way, regardless of who owns the data (a customer, one supplier, one provider, one employee, one applicant for employment, etc.).

Processing of personal data is not necessarily computerized, paper files are also affected and must be protected under the same conditions.

In order to comply with the GDPR, data processing must comply with the following principles :

• Treatment should be lawful : it must be based on one of the six legal bases laid down by the GDPR, in particular the consent of the data subject, the performance of a contract or the fulfillment of a legal obligation.
• Treatment should be transparent : the person whose data is collected must be informed of the collection and its purpose, as well as the rights that he has over his data (access, rectification, portability, erasure...).
• Treatment should have a purpose : the controller must define the purpose of the data collection (e.g. prospecting, customer relations monitoring, human resources). The data must not be processed in a manner incompatible with that purpose.
• Treatment should be proportional and relevant : only data strictly necessary for the achievement of the objective may be collected. We talk about “ minimization principle ”. For example, a business does not have to collect the phone number of its customers when it only sends email prospecting.
• Treatment should be temporary : the retention period of the information must be defined as soon as the data collection device is in place. Once the objective is achieved, the information collected is no longer necessary and should therefore be deleted.
• Treatment should be secure : all necessary measures to ensure security, including the confidentiality of personal data, must be put in place (e.g. passwords, https, backup). These security measures are proportional to the risks involved (e.g. theft or loss of data).

Except in exceptional cases, any processing of so-called data sensitive is forbidden. This is a category of highly personal data which are likely to lead to discrimination if revealed (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, trade union membership, genetic data).

Who is responsible for the processing?

The legal representative of the company (head of company, manager, president...) is designated " controller ”. The controller is the individual on the initiative of data processing, it shall determine its aims and means.

Most often, the data controller uses a subcontractor responsible for processing the data on behalf of the controller (e.g. data hosting, IT maintenance, marketing message sending service).

The controller and its processor must comply with numerous obligations on the protection of personal data.

What information should be provided?

The controller shall transmit the following information :

• Identity and contact details of the controller
• Contact details of the Data Protection Officer (DPO), if applicable
• Purpose of the processing: i.e. what the personal data collected will be used for
• Legal basis for processing: this may be the consent of the person, compliance with a legal obligation, performance of a contract, etc.
• Compulsory or optional provision of personal data: the consequences for the person in case of non-provision of the data
• Recipients of personal data: who will receive and access the data (competent internal service, provider, etc.)
• Retention period for personal data
• Rights of the individual in his data: right to refuse collection, right to access, rectify and erase his data
• Right of the person to lodge a complaint with the Cnil: titleContent
• Source from which personal data originate, in the case of indirect collection
• Existence of a transfer of personal data to a country outside the EUEuropean Union, if applicable.

How to deliver information?

The information must be transmitted in a concise, transparent, understandable and easily accessible, in clear and simple terms. In other words, the information must be presented in an effective and succinct way to not drowning among other informative content.

The form of presentation must consider support on which the information is communicated. For example, in order to avoid too long entries in an online form, the controller may provide a first level of information at the end of the form and refer to a dedicated page on his website.

The title of the page should be clear, for example: “ privacy policy ", " privacy page ' or ' personal data ”. This page is part of the mandatory information on a website.

What is the penalty for not providing information?

Failure to inform the person from whom the data are collected shall be punishable by criminal fine of €1,500 for individual entrepreneurs and €7,500 for businesses.

Is consent still required?

The collection of consent shall be obligatory, unless the treatment is justified by performance of a contract (e.g. contract of employment, contract of sale, lease).

In addition, the consent package is always obligatory in the following cases:

• Collecting ‘sensitive’ personal data. This is a category of highly personal data which may lead to discrimination if revealed (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, trade union membership, genetic data).
• Reuse of data for other purposes. For example, a sports shop organizes a contest and collects data from participants to contact the winner (initial purpose). If the store subsequently decides to use this data to create a customer file (new purpose), it will again have to obtain the consent of the individuals.
• Using non-essential cookies the operation of the service (e.g. advertising targeting). The Cnil: titleContent has compiled a file on rules applicable to the use of cookies.
• Use of data for the purpose of commercial prospecting by electronic means (e.g. newsletter, sms). The consent obligation expires if the person being prospected is already a client of the company and the prospecting concerns similar products or services.

How do I collect meaningful consent?

To be valid, the consent obtained must complete the 4 following conditions :

• Consent must be free : it must not be coerced or influenced. The data subject must have a genuine choice to accept or refuse the processing, without having to suffer negative consequences in case of refusal (e.g. inaccessibility of the website). The person must also have the right to withdraw consent at any time, and as easily as he or she has given it.
• Consent must be enlightened : before giving consent, the data subject must have received sufficient information (identity of the controller, purpose of the processing, type of data collected, right to withdraw consent and possible transfer of data outside the EU) so that he or she can make an informed decision. Information must be communicated in clear and easily understandable terms.
• Consent must be specific : if the processing involves several purposes (e.g. customer management, satisfaction survey, prospecting), the data subject must be able to give his or her consent independently for one or other of these purposes.
• Consent must be unambiguous : it must be given by a deliberate act, without any ambiguity. It may be collected, for example, by means of a written or oral statement or by ticking a box electronically (e.g.: " I agree that my e-mail address will be re-used for e-mail marketing purposes ”.

By contrast, the use of default ticked consent boxes is forbidden. In addition, the silence of the data subject (e.g. the person visits the website without accepting or refusing cookies) does not constitute consent.

How does withdrawal of consent work?

The data subject must also have the right to withdraw consent at any time, and as easily as she gave it. For example, where consent is obtained electronically only by clicking, typing or scanning the screen, the data subject should be able to withdraw that consent in the same way.

Where a data subject withdraws his or her consent, the controller must cease all processing operations based on that consent. However, transactions carried out on the basis of a valid consent given before withdrawal shall remain valid.

What is the penalty for not giving consent?

Where the collection of consent is mandatory, the processing of personal data obtained without consent of the person concerned shall be punishable by 5 years imprisonment and €300,000 fines for individual contractors and €1,500 000 for businesses.

Right of access to data

The controller must allow the person who requests it, to access its data subject to treatment. The data subject must be able to exercise this right, for example, by means of an online form, an email or a contact email.

On this occasion, the responsible person must provide the following information :

• Purpose of the processing: i.e. what the personal data collected will be used for
• Recipients of personal data: who will receive and access the data (competent internal service, provider, etc.)
• Retention period for personal data
• Rights of the person in his data: right to refuse processing, right to rectify and erase his data
• Right of the person to lodge a complaint with the Cnil: titleContent
• Source from which personal data originate, in the case of indirect collection
• Existence of a transfer of personal data to a country outside the EUEuropean Union, if applicable.

The data subject must be able to access the information on which the controller has relied to take a decision concerning it. For example, the elements that would have been used by an employer not to give him a promotion or the score assigned by a bank that led to the rejection of a credit application.

The manager has 1 month to respond from the date of receipt of the request, including if the controller does not have any data on the person exercising his right of access.

The information must be provided for free and in easily understandable. The codes, acronyms and abbreviations used should be explained (possibly in a lexicon).

The controller may deny access request on condition that it gives reasons for its decision. In this case, it must inform the applicant of the means and time limits for challenging it.

It can also failing to respond to manifestly abusive requests in particular because of their number and their repetitive or systematic nature (e.g. request for a full copy of a recording every week).

Right to rectification of data

The controller must allow the person who requests it to rectify inaccurate data as soon as possible. The data subject must be able to complete his or her incomplete data, including by providing a supplementary declaration.

Right to erasure of data (“right to be forgotten”)

The controller shall allow the person who so requests to obtain the erasure of its data as soon as possible.

This "right to be forgotten" is not general, it applies only in the following cases :

• Personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
• The data subject withdraws the consent on which the processing is based, and this processing is not justified by the performance of a contract (e.g. sales, rental, employment).
• The data subject objects to the processing and there are no legitimate grounds for the processing.
• Personal data has been unlawfully processed (e.g. the consent of the person was not collected when it was mandatory)
• Personal data must be erased in order to comply with a legal obligation under EU lawEU or by the law of the Member State to which the controller is subject.

Right to data portability

The controller must allow the person who requests it, receive and reuse datawithin a reasonable period (between 1 and 3 months depending on the complexity of the application).

The right to portability applies to personal data declared by the person (e.g. e-mail address, name, age) and to generated by its activity when using a service or device (e.g. purchases on a loyalty card).

On the other hand, personal data which are derived, calculated or deducted on the basis of the data provided by the data subject (e.g. profiling for advertising purposes) do not fall within the scope of this right.

Manager must communicate for free data in a structured, commonly used and computer-readable format. Where technically possible, the data subject may request that his or her data be directly transmitted to another controller.

This right shall not result in the deletion of the data of the service from which they are transferred. In addition, it can be exercised at any time, including if the person wants to continue using the service after exercising that right.

The Cnil: titleContent Strongly recommends that an internal procedure be put in place to respond to requests that may be received. For example, provide a feature that allows the data subject to upload their data in a standard computer-readable format (CSV, XML, JSON, etc.) directly from their authenticated account/space.

The controller may refuse the portability request on condition that it gives reasons for its decision. It can also failing to respond to manifestly abusive requests in particular because of their number and their repetitive or systematic nature.

Right to object to processing

The controller must allow the data subject to to oppose the re-use of his data for the purpose of soliciting, in particular for commercial purposes, when placing an order or signing a contract.

A check box, not checked by default, must allow them to express their choice directly on the form or order form to be filled in. The mere mention of the existence of that right in the general conditions is not sufficient.

The right of opposition may be exercised by the person only if treatment is warranted by legitimate interest (e.g. processing for fraud prevention purposes or to ensure network and information security).

On the contrary, if the processing is justified because the data subject has given his or her consent, the data subject must exercise his or her right to withdraw consent and not his or her right to object.

Who is affected by the register?

The obligation to keep a register of treatments does not apply to all companies, it is necessary to refer to their size.

What should the register contain?

The register shall to identify all treatments implemented by the company.

In practice, a record sheet must be established for each treatment. Each record sheet shall contain next items :

• Identity of controller, data protection officer and processors
• Categories of persons concerned (e.g. customer, prospect, employee)
• Categories of data processed (e.g. identity, family, economic or financial situation, banking data, connection data, location data)
• Purposes of the processing, i.e. the purpose for which the data were collected
• Recipients of the data, i.e. those to whom the data have been or will be communicated, including processors
• Duration of data retention, or failing this, the criteria for determining it
• General description of data security measures
• Where applicable, transfer of data to a country outside the EUEU.

What form should the register take?

The GDPR only requires that the register shall be in written form. The format of the register shall be free and may be in paper or electronic form.

The CNIL provides process register templates.

Census data processing

The controller shall identify treatments of personal data (automated or not) and media on which these treatments are based, namely:

• hardware (e.g. servers, laptops, hard drives)
• software (e.g. operating systems, business software)
• logical or physical communication channels (e.g. fiber optic, Wi-Fi, Internet, voice, couriers)
• paper media (e.g. printed documents, photocopies)
• physical premises and facilities where the above mentioned items are located (e.g. computer rooms, offices).

Assess the risks associated with each treatment

This census makes it possibleassess risks generated by each treatment, including:

• Illegitimate access to data (e.g. impersonation following the disclosure of the pay slips of all employees of a company)
• Unwanted modification of data (e.g. wrongly accusing a person of misconduct or misdemeanor following modification of access logs)
• Data Disappearance (e.g. failure to detect a drug interaction due to inability to access the electronic patient record).

The controller shall identify the sources of risk considering human (e.g., IT administrator, user, external attacker, competitor) and non-human (e.g., water, outbreak, hazardous materials, non-target computer virus) sources.

It must also estimate the severity and likelihood of the risks (example of a scale that can be used for estimation: negligible, moderate, large, maximum) for this to determine the measures able to address each risk (e.g. access control, backups, traceability, premises security, encryption, anonymization).

Raise awareness among users

The controller shall sensitize the users on security and privacy issues. This can be done by organizing an awareness session, sending regular updates on relevant procedures for people according to their duties, sending reminders via e-mail, etc.

The manager must document operating procedures, keep them up to date and make them available to all concerned users. Specifically, any action on the processing of personal data, whether it is an administration operation or the simple use of an application, must be explained in clear language and adapted to each category of users, in documents to which the latter may refer.

In addition, he must write an it charter, annexed to rules and regulations, including the following information:

• Data protection rules and penalties for non-compliance
• Scope of the Charter (e.g. how data management teams are involved, means of authentication, security rules)
• How to use the computer resources made available (workstation, storage space, Internet access, e-mail, etc.)
• Conditions for the administration of the information system
• Liabilities and penalties for non-compliance with the Charter.

Authenticate users

To ensure that a user only has access to the data they need, they must have a unique identifier and must authenticate before any use of the computer means.

An essential precaution is to define a unique identifier per user and prohibit accounts shared between multiple users. Where the use of generic or shared identifiers is unavoidable, the following measures shall be implemented:

• Require hierarchy validation
• Implement means to trace actions associated with these identifiers
• Renew the password as soon as a person no longer needs to access the account.

Manage User Entitlement

The controller shall manage user entitlement in order to limit their access to the only data they need for the performance of their tasks.

The person responsible is first brought to define entitlement profiles in systems by separating tasks and areas of responsibility; and to have any application for authorization validated by a manager (e.g. supervisor, project manager).

It is imperative to remove access permissions users as soon as they are no longer entitled to access a premises or an IT resource (e.g. change of mission or post), as well as at the end of their contract.

Trace Operations

The controller shall also trace operations to be able to respond to data breaches (breaches of confidentiality, integrity or availability).

To do this, it is necessary to put in place a logging system, which is a record of users’ business activities, technical interventions (including by administrators), anomalies, and security events.

The controller shall ensure that the records managers notify the controller of any security anomaly or incident as soon as possible.

Secure desktops and mobile computing

The risks of intrusion into computer systems are significant. The controller shall protect workstations which are one of the main points of entry.

In order to prevent fraudulent access, virus execution or remote malicious takeovers, the controller must take the necessary following precautions :

• Provide a mechanism for automatic session locking if the station is not used for a given time
• SETTLE a “firewall” (“firewall”) software on the workstation and limit the opening of the communication ports to those strictly necessary for the proper functioning of the applications settled on the workstation
• Use anti-virus regularly updated and provide for a policy of regular software updates
• Securely erase data on a computer before reassignment to another person.

Off-premises work practices (e.g. traveling, teleworking) involve specific risks related to the use of laptops, USB sticks or smartphones. It is therefore essential to anticipate the data breach outside the premises.

The controller shall to raise awareness among users specific risks associated with the use of mobile computing tools (e.g. theft of equipment, risks associated with connection to public networks) and mandate the use of VPN Strong authentication.

It is also recommended to providing encryption means Mobile PCs and mobile storage media (e.g. laptop, USB drives, external hard drive, CD-R, DVD-RW), such as:

• Hard Drive Encryption (many operating systems include such functionality)
• File-by-file encryption
• Creating encrypted containers (a file that may contain multiple files).

Back up and archive data

The controller shall perform regular backups to minimize the impact of data loss or unwanted alteration. It is also recommended to store at least one backup to an external site and isolate a offline backup, disconnected from the company's network.

In addition, the person responsible must archive data that is no longer in daily use but which have not yet reached their shelf-life, for example because they are stored for use in case of dispute.

To do this, it must define an archive management process that calls for several questions, including:

• What data needs to be archived?
• How and where are they stored?
• What are the specific ways to access archived data? (use of an archive should be done on an ad hoc and exceptional basis)
• With regard to the destruction of archives, what method of operation should be chosen to ensure that an entire archive has been destroyed?

Manage Outsourcing

Data processing carried out by a processor on behalf of the controller must be subject to adequate safeguards, in particular with regard to security.

It is imperative to use only sub-contractors providing sufficient guarantees, particularly in terms of expertise, reliability and resources. The controller shall require the provider to communicate its information systems security policy and any certifications.

A subcontract must define the subject matter, duration, purpose of the processing and the obligations of the parties, in particular in terms of security of processing. It shall contain provisions laying down the following:

• Division of responsibilities and obligations in relation to confidentiality of personal data entrusted
• Minimum authentication requirements of users
• Conditions for the return and destruction of data at the end of the contract
• Incident Management and Notification Rules. This should include information to the controller in the event of a security breach or security incident.

Assess data security

Since there are many measures to ensure data security, it is appropriate toassess the level of security of personal data company. The CNIL provides a evaluation grid.

The technical and organizational measures implemented by the controller must be appropriate, taking into account the nature, scope, context and purposes of the processing and the risks (the degree of probability and seriousness of which varies) to the rights and freedoms of individuals.

In the event of a data breach (e.g. unauthorized disclosure, irregular access), the controller must be able to prove that it has taken adequate security measures.

What information should be included in the contract?

The controller and the processor shall enter into a contract including following mandatory particulars :

• Purpose of the contract, i.e. the activity of the subcontractor (e.g. data hosting, email routing, maintenance)
• Nature, purpose and duration of processing
• Type of personal data collected and categories of data subjects
• Obligations and rights of the controller
• Obligations and rights of the subcontractor.

In order to facilitate the drafting of this contract, the parties may insert certain standard contractual clauses (CLC) drafted by the European Commission. They provide a useful support to frame subcontracting in accordance with the requirements of the GDPR.

What are the obligations of the subcontractor?

The subcontractor must comply with the subsequent obligations :

• Ensure a sufficient level of security with regard to the nature of the data processed
• Advise the controller (e.g. alert the controller if he/she believes that an instruction he/she receives constitutes a violation of applicable regulations)
• Assist the controller in guaranteeing the rights of individuals (access, rectification, erasure, portability)
• Formalize instructions issued by the controller in writing
• Maintain a record of processing activities performed on behalf of the controller
• Keep available to the controller all information necessary to demonstrate compliance and enable audits to be carried out
• Ensure that persons authorized to process personal data undertake to respect confidentiality.

Can the subcontractor itself use a subcontractor?

The subcontractor shall obtain written authorization the controller before recruiting another processor. This authorization may be given to the subcontractor on a case by case basis for each new subcontractor, or have a general scope.

The CNIL recommends specifying in the contract which of these 2 authorization procedures is chosen by the parties.

If the authorization is of general application, the processor shall communicate to the controller of the list of its subsequent subcontractorsand any additions or substitutions to that list to enable it to object if it so wishes. In this case, the Council recommends formalizing the procedures for informing the controller and, possibly, the criteria for selecting these subcontractors.

Is the designation of a DPO mandatory?

The designation of a DPO by the company is obligatory in the following 2 cases :

• The main activities of the company or subcontractor involve a regular and systematic large-scale monitoring data subjects involved in processing operations (e.g. geolocation, video surveillance, banking processing).
• The main activities of the company or subcontractor involve a large-scale treatment of sensitive data or relating to criminal convictions.

The concept of treatment large-scale shall be analyzed on a case-by-case basis, depending on the number of data subjects involved, the volume and range of different data collected, the duration of the processing activity and the geographical distribution of the processing activity.

What are the DPO's missions?

The duties of the Data Protection Officer shall be as follows:

• Inform and advise the controller or processor and the employees who carry out the processing on the obligations incumbent upon them
• Check compliance with the GDPR and the internal data protection rules of the controller or processor, including the allocation of responsibilities, awareness raising and training of personnel involved in processing operations
• Provide advice and recommendations, upon request, on a specific subject related to the processing of personal data
• Cooperate with the Cnil: titleContent and act as a point of contact on treatment issues.

How to choose and designate the DPO?

The Data Controller may designate a DPO internally or a external provider offering its DPO services. He must ensure that the DPO has specialist knowledge data protection law and practice. They must take into account the training received by the person involved, as well as their experience and his knowledge of the sector.

The Cnil: titleContent has implemented a certification procedure the powers of the DPO. The procedure is not not obligatory but allows the DPO who followed him to justify that he meets the competency requirements. The certifications are issued by certifying bodies approved by the CNIL.

When selecting the company's DPO, the controller must complete the online designation form to inform the CNIL.

Appointment of a Data Protection Officer (DPO)

What are the conditions for performing the OPD function?

The controller shall allow the DPO to exercise its supervisory, advisory and contact functions in complete independence. Independence must be guaranteed in the following way:

• The DPO shall not be in a conflict of interest situation if his function as DPO is combined with another function. For example, there is a conflict of interest when the DPO is entrusted with tasks in which he determines the purposes and means of processing.
• The DPO must be accountable to the highest level of company management
• The DPO shall not be sanctioned for the performance of its DPO duties
• The DPO shall not be instructed in the performance of his or her DPO duties.

In addition, the DPO must have sufficient time and adequate material and human resources to carry out its mission. It must have the active support of management and be associated upstream to all projects involving personal data.

What is the risk for a company that does not designate a DPO?

A company that does not designate an OPD where such designation is mandatory shall be subject to Cnil sanctions :

• Call to Order
• Injunction to comply
• Administrative fine up to €10 million or 2% of annual turnover of the preceding financial year, whichever is the greater.

Is impact assessment mandatory?

The carrying out of an impact assessment is obligatory when the data processing presents a high risk to rights and freedoms the persons concerned, namely:

• Either the treatment is listed in the list of treatments for which the CNIL considered it mandatory to carry out an impact assessment.
• Either the treatment fulfills at least 2 of the following criteria :
  
  • evaluation/scoring (including profiling)
  • automatic decision with legal or similar effect
  • systematic surveillance
  • collection of sensitive data
  • large-scale collection of personal data
  • data crossing
  • vulnerable people (patients, elderly, children, etc.)
  • innovative use (use of new technology)
  • exclusion from entitlement to a right/contract.

The AIPD must be conducted before treatment is started. It should be started as early as possible and will be updated throughout the treatment life cycle.

What should the impact assessment contain?

The impact assessment must contain at least following information :

• Description system of processing operations envisaged and the purposes processing, including, where appropriate, the legitimate interest pursued by the controller
• Assessment of necessity and the proportionality processing operations with regard to the purposes
• Risk Assessment on the rights and freedoms of data subjects
• Measures envisaged to address risks, including safeguards, measures and security mechanisms to ensure the protection of personal data and to demonstrate compliance with the Regulation.

The controller should then forward the impact assessment to the Council through the following online service:

Submit a Data Protection Impact Assessment (DPIA) to the CNIL

What sanctions should be imposed in the absence of an impact assessment?

A company that does not carry out an impact assessment is exposed to Cnil sanctions :

• Call to Order
• Injunction to comply
• Administrative fine up to €10 million or 2% of annual turnover of the preceding financial year, whichever is the greater.

Under what conditions can data be transferred outside the EU?

In order for a transfer of data outside the EU to be authorized, the country receiving the data must be subject to a adequacy decision.

This is a decision adopted by the European Commission establishing that a third country presents a adequate level of protection personal data. The Commission assesses this level of protection on the basis of elements set out in the GDPR (e.g. the country's domestic legislation, the existence of an independent data protection supervisory authority and the country's international commitments).

The adequacy decision shall have the effect of enabling the transfer of data to the country concerned, without additional requirements.

In the absence of an adequacy decision, the controller shall implement appropriate safeguards before transferring the data outside the EU. These may include:

• Entering into a contract including standard contractual clauses (CLC) of the European Commission. These clauses provide a useful framework for transfer outside the EU, in line with the requirements of the GDPR.
• Establish binding company rules (Binding Corporate Rules (BCR) in English). For multinational companies with large data transfers, these rules refer to an intra-group data protection policy that unifies safeguards for the processing of personal data offered by their subsidiaries worldwide.
• Join a code of conduct. The Code is a tool set up by an organization representing a sector of activity. It highlights good practices in the sector, such as standard information notices, model contractual clauses or recommendations for security measures, in a vocabulary adapted to the sector. The Code is legally binding on its members.

What derogations allow data to be transferred outside the EU?

In the absence of an adequacy decision or appropriate safeguards, the transfer may be carried out by way of derogation, in special situations:

• The data subject has given his or her consent consent explicit the intended transfer, after having been informed of the risks that such a transfer might entail for it
• The transfer is necessary for the performance of a contract between the data subject and the controller or to implement pre-contractual measures taken at his request
• The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person
• Transfer is required for important grounds of public interest
• The transfer is necessary to the establishment, exercise or defense of legal claims
• The transfer is necessary to safeguard the vital interests of the data subject or other persons, where the data subject is physically or legally unable to give consent
• The transfer takes place from a register which is legally intended to provide information to the public and is open to consultation by the public or any person having a legitimate interest.