January 28th 2023 - Guides

Aqua Ray protects your data

Data protection is a major topic, governed in Europe by the General Data Protection Regulation (GDPR). On this European Data Protection Day, we felt it was worth going back over the foundations of this regulation. We asked our DPO, Jonathan Kogan, to answer some questions on the subject.

Jonathan is a former legal and HR director and the founder of Ad&Juris Innov, a company specialising in outsourced legal services such as contract management, human resources, debt collection and GDPR compliance for businesses. He specialises in the GDPR and is a certified DPO (Data Protection Officer) with Bureau Veritas. Aqua Ray has been using his services since the beginning of the year.

Interview

What is the role of a DPO?

«In the text, a DPO is the person who will ensure the compliance of a public or private company. This is the person who will be the CNIL's contact in the event of an inspection and who will be the contact point for external requests. If I take the case of Aqua Ray, when an employee, end user, customer or prospect makes a request to exercise his or her rights, the DPO will respond to this request. 

As an external DPO, my main role is to explain to businesses what the RGPD is, their obligations under it and how it works. I am also there to reassure businesses that may feel overwhelmed or unsure about the new legislation, guiding and supporting them through the process. The final objective of the GDPR is to protect the privacy rights of individuals.

The daily tasks of a DPO are:

  • audits;
  • writing mandatory compliance documentation;
  • implementation of processes, procedures and policies for data security;
  • raising awareness and training teams;
  • responding to the CNIL in the event of an inspection.»

When should a company have a DPO?

«There are three different cases:

  • If it is a company or a public institution (a DPO is required).

If it is a private company, there are two scenarios:

  • If the organisation's main activities involve regular and systematic monitoring of individuals on a large scale.
  • If the controller, which is often the legal entity and therefore the company, collects and processes special categories of personal data on a large scale, such as sensitive data.»

What is personal data and why is it important to protect it?

«Personal data is any direct or indirect information that identifies a person:

  • Identification data (surname, first name, address, telephone number).
  • Economic and financial data (bank details, pay slip).
  • Social security (which is a bit different).
  • Connection data, location data and sensitive data (health, sexual orientation, religious belief, political opinion, etc.).

The list is really exhaustive. A single data item will sometimes not identify a person. For example a first name (several people can have the same one), but if you cross it with a family name it becomes more precise and an individual becomes identifiable.

There have already been several scandals linked to the use of data, such as the sale or collection of illegal data. That's why the RGPD is important, it's a regulation that is complicated, but which allows us to protect our private life and to have consent when we go to a site, so that we are not tracked if we don't want to be.»

In practice, how is data protection exercised, i.e. type, security and retention policy?

«As I mentioned earlier, there is mandatory documentation required under the GDPR. This includes:

  • records that provide information on all data processing activities within an organisation;
  • procedures and policies that are mandatory or strongly recommended.

Such documentation, procedures and policies, as well as security measures and employee training, are important to demonstrate compliance with the RGPD in the event of an inspection by the CNIL.

For example, in the event of a data breach or security failure, what happens? Who does what in the company? Bear in mind that if there is a security breach, the company has 72 hours to report it to the CNIL. There is also the crucial importance of having many security measures. For example, access control, or who has knowledge of sensitive information? There is also a training and awareness-raising part; we accompany clients in practice. Sometimes I just do training missions and in other cases I intervene on a particular problematic subject.»

What obligations are companies still not aware of with regard to the management of the data they collect?

«I think companies struggle to understand how to properly secure data or simply lack the resources or knowledge to do so. The documentation requirement is often not understood by companies, and many don't know what to do with the data they collect. There is also a tendency for companies to retain data for longer than necessary, whereas there is a founding principle of the GDPR which is retention limitation.

This lack of understanding and knowledge of the RGPD, even 5 years after its implementation, is a problem. At Ad&Juris Innov, we try to make the RGPD more accessible to companies and to reduce the costs associated with compliance.»

What can be the sanctions for companies that do not comply with the RGPD obligations?

«There are two types of financial penalties imposed by the CNIL for non-compliance with the GDPR:

  • 2% of the group's annual worldwide turnover or 10 million euros,
  • 4% of annual worldwide turnover or 20 million euros.

The choice between the two varies according to the breach. The difference between the percentage and the figure is based on which will be more onerous for the offender. I would like to stress that for the moment, the CNIL's main objective is to help, educate and familiarise companies with the RGPD rather than to control and sanction them. When there are breaches, formal notices and injunctions are issued before moving on to sanctions.

GAFAMs are getting punished a lot at the moment. This is because the compliance issues are not the same.

In addition to these two sanctions, there is for me a third: reputation. The CNIL has developed a lot on social networks in recent years, and some formal notices and sanctions can be made public, which has a significant impact on the reputation of the data controller targeted by the publication. For information, the CNIL has more than 183,000 subscribers on LinkedIn.»

What are the duties of a hosting company like Aqua Ray that acts as a subcontractor on personal data collected by its customers?

«As a processor, Aqua Ray has obligations towards the so-called controller (the company that will give the order). The RGPD requires that the relationship be contractualised. In the contracts, the obligations of the processor and the controller must be defined. In the context of this question, the duties of a hosting company are above all security measures, answering the question “how do we secure the hosting?” Data security has become a real issue recently, especially with the increase in cyber attacks. This is why we are seeing more and more DPO profiles coming from jobs related to information systems, whereas before, most of our profiles were legal.

Then there is the question of where the data is hosted. There is a real issue in contract negotiations, especially SaaS contracts, which is where the data is hosted. If we take the example of the United States, until 2020, the Privacy Shield was in force. It allowed European data to be hosted in the United States without any problem. Finally, according to the European Court, this Privacy Shield did not comply with the RGPD, so the agreement was broken. This poses problems for example with Google Analytics and Microsoft, because these are tools used by a majority of people. The agreement has been resumed, but the question is: will it last? Especially since in the United States there is the Cloud Act of 2018, which allows the US government to audit data centres located on US soil or data centres of US-based hosting companies based in any other country.

Until recently this issue went unnoticed, it is only now that companies are starting to ask where their data is hosted. For Aqua Ray, being able to say that the hosting it offers is French is a real plus.»

In your experience, what are the most complex issues? Are there any directives within the RGPD that clash with the reality on the ground?

«There is the security part which is a real issue. With the arrival of teleworking, cyber attacks have increased enormously. About 54% of companies have already suffered a cyber attack, so one in two companies. If a site where you make purchases is hacked, the attackers can recover your bank details and it goes very quickly. For me, security is the most topical issue.

Then yes, there is a reality on the ground. The RGPD was drafted by the G29 (29 European member countries). It is very important, because it gives us some leverage vis-à-vis the United States, China and others. On the other hand, the text is the same for all types of companies and this creates an imbalance. Between a CAC 40 company and an SME, which represents 95% of the business fabric in France, I find that the challenge of compliance is not the same. The CNIL will not sanction them in the same way, but the stakes or the deadlines should not be the same.

In addition, companies that do not have the financial resources will take a very long time to become compliant, or will never be. At the moment, 50% of companies have started to take the subject seriously and it has been almost 5 years since the RGPD was implemented. For the other 50%, it is not even clear whether they intend to start.»

Aqua Ray positions itself as a reference in secure hosting and the protection of sensitive data. Our infrastructure is based on a datacenter whose design has been certified Tier IV, meaning it was designed to the most demanding specifications for reliability and fault tolerance.

Our internal security policy is based on demanding principles: application of the ISO 27001 standard, paperless operation, vertical integration of our entire production chain, and the almost exclusive use of free software maintained within the European Union.

Choosing an Aqua Ray solution, such as our certified Secure Private Cloud for Health Data Hosting (HDS), gives you an infrastructure base compatible with the requirements of the GDPR and a sound basis for protecting your users against cyber threats.

Contact us

Any question? A doubt? A particular request? Do not hesitate to contact us by clicking the button below; we will answer you as quickly as possible.
