On January 27, 2020, the French Supervisory Authority (“CNIL”) issued a guidance for developers of websites and applications which sets out the main principles of the General Data Protection Regulation (“GDPR”), expounds on their application in the online environment, and gives practical tips to help developers respect users’ privacy when deploying websites and apps.

The guidance consists of 17 recommendations, each covering a key principle supported by additional advice and examples.  Below, we list all 17 of these recommendations and provide a brief summary of the CNIL’s advice related to each.

  1. Comply with the GDPR throughout the development process.  This recommendation sets out 5 action steps to ensure that personal data and processing operations are protected throughout the life cycle of an online development project, including:
    • Acquaint yourself with the main principles of the GDPR;
    • Map and categorize personal data processing operations in your systems;
    • Prioritize and manage risks;
    • Implement any needed internal processes to ensure compliance; and
    • Document how your website or application complies with the GDPR.
  2. Identify personal data.  This recommendation focuses on helping developers understand the broad concept of “personal data” and also defines other key terms (e.g., “processing”, “purpose”, “anonymization” and “pseudonymization”) to make clear how these concepts are applied under the GDPR.
  3. Apply privacy by design at the development phase.  This recommendation explains how to integrate privacy-by-design principles at the development phase, including “methodological” choices (e.g., the configuration of default privacy settings and completion of a DPIA) and technological choices (e.g., security controls, systems architecture, and programming standards).
  4. Secure the development environment.  This recommendation gives guidance on how developers can appropriately secure the testing and production environments, including the configuration and integration of servers and workstations, as well as the use of state-of-the-art cryptography, strong authentication methods, and automated analysis of system logs.
  5. Safeguard your source code.  This recommendation promotes the use of source code management tools, strong authentication controls and user permissions, and regular backups of the source code manager.  It also lists certain indicators for configuring the source code manager and ensuring the quality of the code over time.
  6. Make an informed choice about architecture.  This recommendation focuses on identifying the personal data that will be processed in order to define an appropriate data life cycle.  It also advises choosing data service providers (e.g., local storage, server, cloud service) in accordance with the developer’s needs and technical knowledge.
  7. Secure websites, applications and servers.  This recommendation lists various state-of-the-art security measures that developers should consider implementing.
  8. Minimize the collection of personal data.  This recommendation advises developers to determine – before they collect personal data – whether they actually need the data, and to generally limit the collection of personal data to what is strictly necessary.  In this regard, the CNIL also recommends setting up an automatic erasure mechanism.
  9. Manage users.  This recommendation sets out best practices on how to manage user access rights, profiles, passwords, administrative privileges, and so forth.
  10. Master libraries and SDKs.  This recommendation provides tips on how to integrate libraries, SDKs and other software components written by third parties without the developer losing control over the developed software.  It also recommends auditing libraries and SDKs and examining what personal data is sent through these channels.
  11. Ensure code quality through documentation.  This recommendation advises documenting the code and the architecture to ensure better control over the code’s quality (e.g., to reduce the effort related to maintenance, audits and bug fixes).
  12. Test applications.  This recommendation advises automating tests of apps and integrating regular tests into the developer’s business strategy.
  13. Inform people.  This recommendation explains how developers can fulfill their transparency obligations under the GDPR by specifying whom to inform, when to do it, what information to give, and how the information should be provided, as well as how to communicate data breaches to the CNIL and (if required) to affected persons.
  14. Implement processes to facilitate the exercise of data protection rights.  This recommendation sets out the minimum measures that developers should implement to ensure that data subjects can exercise their data protection rights and controllers can appropriately respond to them.  It also establishes best practices for responding to each type of data protection rights request.
  15. Administer proper data retention periods.  This recommendation advises developers to categorize personal data into 3 life cycle stages: (i) active base (e.g., presently in use); (ii) intermediate archiving; and (iii) final archiving and deletion/destruction.
  16. Ensure a valid legal basis.  This recommendation identifies the various legal bases for processing personal data under the GDPR that developers may rely upon, as well as what factors to consider when choosing the appropriate legal basis.
  17. Monitor website and app traffic.  Finally, this recommendation instructs developers on how to implement audience measurement tools in a GDPR-compliant way.

This is the second guide published by the CNIL in relation to compliance with the GDPR in the online context.  Earlier this month, the CNIL published a draft guidance on cookies and similar technologies.

Anna Oberschelp de Meneses
Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group.

Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker.

Anna advises companies on European data protection law and helps clients coordinate international data protection law projects.

She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP).

Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area.

Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.

Kristof Van Quathem
Kristof Van Quathem advises clients on information technology matters and policy, with a focus on data protection, cybercrime and various EU data-related initiatives, such as the Data Act, the AI Act and EHDS.

Kristof has been specializing in this area for over twenty years and has developed particular experience in the life science and information technology sectors. He counsels clients on government affairs strategies concerning EU lawmaking and their compliance with applicable regulatory frameworks, and has represented clients in non-contentious and contentious matters before data protection authorities, national courts and the Court of Justice of the EU.

Kristof is admitted to practice in Belgium.

Nicholas Shepherd
Nicholas Shepherd is an associate in Covington’s Washington, DC office, where he is a member of the Data Privacy and Cybersecurity Practice Group, advising clients on compliance with all aspects of the European General Data Protection Regulation (GDPR), ePrivacy Directive, European direct marketing laws, and other privacy and cybersecurity laws worldwide. Nick counsels on topics that include adtech, anonymization, children’s privacy, cross-border transfer restrictions, and much more, providing advice tailored to product- and service-specific contexts to help clients apply a risk-based approach in addressing requirements in relation to transparency, consent, lawful processing, data sharing, and others.

A U.S.-trained and qualified lawyer with 7 years of working experience in Europe, Nick leverages his multi-faceted legal background and international experience to provide clear and pragmatic advice to help organizations address their privacy compliance obligations across jurisdictions.