RGPD advice for 2022: what obligations for companies?

rgpd 2022

RGPD. You have often heard this acronym, you know that it refers to the General Data Protection Regulation, but you do not know exactly what it refers to.

However, you know that behind these four letters, there are important issues at stake for your company... In 2022, it is time to take stock of what is important for the creation of a company and for SMEs, especially in an increasingly digital market. 

Are you an entrepreneur and are you confused about the RGPD? Are you wondering what your obligations are in terms of data protection?

You can consult the text of the Regulation in its entirety, or that of the law transposing it into French law, or read the documentation made available by the CNIL, or else ... you can follow these tips to be in order!


RGPD... what is it?

The acronym RGPD or GDPR in English refers to the "General Data Protection Regulation". This European Regulation of 27 April 2016 ensures the protection of individuals by defining the rules applicable to the processing and circulation of personal data. It provides a single legal framework for professionals throughout the European Union.  

The RGPD has been transposed into French law by a 2018 ActThis is in line with the 1978 Data Protection Act, which strengthens citizens' control over the use of their data.

1. Are you concerned by the RGPD?  

  • You are a company, regardless of its size or number of employees
  • You are established in France or in another European Union country
  • Your activity directly targets European residents
  • You process personal data (on your behalf or not)

Some examples

Personal data

  • First and last name ;
  • Address, telephone number, date of birth ;
  • Social security number, customer number ;
  • Biometric data, DNA
  • Tastes and habits etc.

Processing of this data 

  • Maintaining a customer file
  • Collecting data from prospects by means of a questionnaire or form
  • Maintenance of a supplier file
  • Editing an invoice
  • Issuing a loyalty card etc.

If you answered YES to these 4 questions, you are concerned by the respect of the rules on personal data protection. 

What does it mean to process personal data?

  • First of all, what is personal data?

    The definition is very broad as it includes The term "information relating to an identified or identifiable natural person" is used in this context.
  • So what does it mean to process personal data?

    The definition is also very broad, as it includes The term "personal data processing" refers to "any operation or set of operations, whether or not by automatic means, which is performed on personal data or sets of personal data".

2. What are your obligations as a company?

As a professional, you must ensure that personal data is :

Treated in a lawful, fair and transparent manner

Accurate and up to date

Collected for specific, explicit and legitimate purposes

Adequate, relevant and limited

Kept for a reasonable period of time

Treated in such a way as to ensure their protection

What does this mean in practice? 

1. You may only collect data that is strictly necessary for the purpose for which you are collecting it

Data must be collected for a specific purpose. It should not be collected "just in case" or used for other incompatible purposes.

To be sure you are not mistaken, ask yourself the right questions: 

  • What is the purpose of my data collection? What will it be used for? 

  • Is this goal legitimate, justified in terms of my activity? 

  • Is this objective understandable to all? 


For example: 

You are a kitchen fitter and you propose to make an appointment on your website. In the online form, you ask your customers for their first name, last name and telephone number in order to achieve your objective (to arrange an appointment).

But you don't need to know their religion or their social security number.

2. You must keep your list of files up to date and regularly reassess the consistency between the data collected and your needs 

You should regularly ask yourself the following question about each piece of data you collect: Is the collection of this data still necessary to achieve my goal?

For example: 

You used to collect your customers' birth dates in order to send them special invitations on their birthdays. Finally, you decided to stop this type of "birthday promotion". 

You no longer need to collect the dates of birth of customers.

3. You undertake to secure the storage of the data you hold 

In short, you must take all the necessary precautions to avoid capture, piracy and misappropriation of files.

To do this, you can implement several measures:

  • regular updating of your antivirus software;
  • regular change of passwords;
  • the use of complex passwords;
  • encryption of your data (in certain situations).
rgpd 2022
Note: If you suffer a breach of your files containing personal data, you must report it to the CNIL within 72 hours. And if there is a risk to rights and freedoms, you must inform the persons concerned without delay.

4. You must inform the people whose data you collect

 You must inform the people whose data you collect about various things:

  • What data do you collect? 

  • What is the purpose of the data collection (the purpose)?

  • What is the legal basis for this data collection (consent of the data subject, compliance with a legal obligation...)?

  • Who will have access to this data (the company's internal manager, partners, etc.)?

  • How long will this data be kept (3 years, 5 years after the end of the contractual relationship...)? 

  • How can people exercise their right of access, rectification, opposition, deletion, portability and limitation of processing (via a dedicated e-mail address, etc.)? 

  • How can people exercise their right to access, rectify and delete data? 

  • Is the data transferred outside the European Union? 

Focus on ... The privacy policy 

In order to inform the people whose data you collect about all these points and to fulfil your obligation of transparency, you can include all these elements in a page on your website dedicated to your privacy policy. 

If your site contains forms to be filled in by users (contact form, quote request form, newsletter subscription form, etc.), don't forget to mention your privacy policy and provide a link to the page of your website dedicated to it.

Is your website RGPD compliant?

  • You use your website for business purposes

1. Legal notices must be correctly published. To find out the specifics for your situation, consult the public service website

2. You should mention a contact method for people to exercise their rights electronically.

3. Your website must respect the general recommendations of the CNIL regarding data protection. 

  • You offer a contact form

Plan to include the "CNIL mentions", models of which are available online.

  • You offer to subscribe to a newsletter

1. Access to your website should not be conditional on subscribing to your newsletter.

2. You must also include the "CNIL mentions" when subscribing to this newsletter.

  • Your site uses cookies

1. Your site uses consent-exempt cookies

 You can simply inform users of this and remind them that browser settings can allow them to block them, with potentially negative effects on the functioning of the site.

Cookies that are exempt from consent are The following are not included in this list: "strictly necessary for the provision of an online communication service expressly requested by the user, or tracers that aim to enable or facilitate the transmission of the communication by electronic means".

2. Your site uses cookies requiring prior consent

You must inform users and obtain their consent before depositing or reading cookies or other tracers.

To do this, you need to set up a "cookie banner" on your website, which meets the following requirements requirements for valid consent :
  • by informing the user about the purposes of use related to cookies;
  • providing the user with a list of data controllers;
  • by allowing the user to consent by a clear positive act;
  • by allowing the user to make a choice by purpose (by ticking boxes);
  • allowing the user to exercise his or her choices with the same degree of simplicity;
  • allowing the user to reconsider their decision at any time.

Cookies requiring prior consent are, for example, cookies related to personalised or non-personalised advertising, or related to sharing features on social networks.

3. What are the penalties for non-compliance with the RGPD?

The CNIL carries out regular checks, online or on site, at random or following complaints from users.

Penalties for non-compliance with the rules on personal data protection can range from a simple reminder to a substantial financial penalty(4% of worldwide turnover or 20 million euros). 

rgpd 2022

At Digital 64, we like good advice. And when it concerns specific and important areas, such as the subject of law and privacy, we call in the experts. 

We would like to thank Amélie Da Fonseca fromAstraiaandcom for this article and her many tips. 

If you are looking for a marketing partner to help you create your website or digital communication, while respecting consumers, contact us

Amelie Da Fonseca

The author of this article

Amélie has a doctorate in public law and is a legal web editor and researcher at the Centre de documentation et de recherches européennes de Bayonne. As an expert in law, she also gives seminars to students at the University of Pau and the Pays de l'Adour.

Boost your web strategy!

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Discover our free trainings to optimize your company's
digital marketing.