Contrary to what people tend to believe, the European Regulation on the Protection of Personal Data does not only govern digital data.
It also covers personal data held on paper, which must of course be protected as well. This regularly raises the question of how insurance distributors comply with the GDPR.
"The rise of new technologies is changing our society: the way we work is changed (reduced deadlines, instant information sharing, etc.), human relationships are changing (increased availability requirements, etc.), and the processing of personal data is growing exponentially, to the point that such data have become the primary asset of most economic actors. Brokers, general agents and even companies are no exception to these rules and are always looking for new ways to evolve contract management and customer relations via digital tools.
It is in this digital and dematerialised context that the European Data Protection Regulation (GDPR) regulates data flows to protect individuals. However, digitalization is not a universal rule, and personal data is still processed by many distributors without a digital tool. The application of the European regulation to this paper-file processing remains a source of questioning for these "traditional" actors," says Pierre Craponne, counsel at the law firm Choisez – Associates – and certified DPO.
However, this problem was addressed by the General Data Protection Regulation. The European standard, as worded, makes no distinction between paper and digital formats. Personal data remains personal data regardless of its medium. When it comes to paper files, however, the obligations of those who process the data pose a real challenge. In this regard, recall Article 2 of the General Data Protection Regulation, which states that it "applies to the processing of personal data, which is entirely or partially automated, as well as to the non-automated processing of personal data contained or intended to be contained in a file." In other words, the data must be subject to processing, whatever the method, and must be contained in a file, whatever its format.
As for the concept of "processing" within the meaning of the European regulation, Article 4 defines it as "any operation or set of operations carried out or not using automated processes and applied to personal data or data sets, such as collection, recording, organisatio[…]n." The same provision defines the file as "any structured set of personal data accessible according to specific criteria."
Under the European regulation, then, the question of data is not limited to digital data. Paper documents are not excluded and must therefore be subject to the same regime as computer documents. "There is therefore no way to exclude handwritten files or paper documents from the scope of the GDPR if they contain personal data, even if they would only be collected and stored. But ubi lex non distinguit, nec nos distinguere debemus (Where the law does not distinguish, there is no need to distinguish)," says Pierre Craponne.
As for the obligations of companies that process such data, the strictness of the law does not vary. The objective of the general regulation is to protect data and to allow individuals to control their personal data: to know how the data are processed and under what conditions, so that they are not harmed.
In practice, it will be seen that the penalty for negligence on the part of those who hold non-automated data processing is generally lower than it would be in the case of digital data.
"The problem is the same with respect to the risk of data damage. Apart from the assumption of a break-in or conventional damage (fire or water damage), the risk of loss, theft, alteration or destruction of data compiled on paper files is limited. While these risks should never be eliminated in the management of the business, the fact remains that compliance with the GDPR for entities that process little or no digital data, although mandatory, remains less restrictive in its implementation. Between the principle of application and real risks, data protection law remains a matter of subtlety," concludes Pierre Craponne.