{"id":8950,"date":"2018-03-19T08:46:25","date_gmt":"2018-03-19T08:46:25","guid":{"rendered":"http:\/\/localhost:8080\/?p=8950"},"modified":"2018-03-19T08:46:25","modified_gmt":"2018-03-19T08:46:25","slug":"quel-programme-de-conformite-rgpd-pour-le-groupe-orange","status":"publish","type":"post","link":"https:\/\/dev.cfecgc-orange.app\/index.php\/2018\/03\/19\/quel-programme-de-conformite-rgpd-pour-le-groupe-orange\/","title":{"rendered":"What GDPR compliance program for the Orange Group?"},"content":{"rendered":"<p>[<em style=\"font-family: Lato; font-size: 14px;\">French version here\/English version below<\/em>]<\/p>\n<p>As part of the Orange European Works Council held in Paris on 27 and 28 February and 1 March 2018, Group management put an item on the agenda concerning the GDPR (General Data Protection Regulation) compliance program for the HR domain, presented by Elise Bruillon, Risk Manager Plazza.<\/p>\n<p>The presentation is strictly limited to the HR component, that is, to the new rules protecting only the personal data of the Group&rsquo;s employees. <\/p>\n<p> Although the regulation was originally designed to protect consumers&rsquo; personal data, the processing of employees&rsquo; personal data nonetheless falls within its scope.&nbsp;&nbsp;The primary objective is to enable employees to exercise their new rights. 
<\/p>\n<p> The compliance project follows two lines of work: <br \/>&nbsp; &nbsp; &nbsp;&#8211; informing employees <br \/>&nbsp; &nbsp; &nbsp;&#8211; data security and risk management<\/p>\n<p>Employees will be informed about the processing operations that concern their data and the purpose of each, so that they can exercise their rights. The necessary technical measures will be put in place to manage risks from the collection to the deletion of any personal data. <br \/>The collection of personal data falls under two regimes: <br \/>&nbsp;&#8211;&nbsp; The collection of certain data meets legal obligations, for example those prescribed for the payment of salaries. In that case the employee&rsquo;s consent is not required. <br \/>&nbsp;&#8211;&nbsp; Processing carried out in the company&rsquo;s interest, independently of any legal obligation, will be subject to the employee&rsquo;s consent. <\/p>\n<p> As regards collection, the principle is now to refrain from collecting any data that is not strictly necessary. Data must henceforth be used proportionately. 
<\/p>\n<p>Three risk scenarios are now built into personal data processing procedures: <br \/>&nbsp; &nbsp; &nbsp;&#8211; illegitimate access to the data by a third party <br \/>&nbsp; &nbsp; &nbsp;&#8211; unwanted modification of the data by a third party <br \/>&nbsp; &nbsp; &nbsp;&#8211; deletion of personal data <\/p>\n<p>To carry out this work, an organization has been set up and a \u00ab\u00a0Data Officer\u00a0\u00bb (Patricia Lelarge) has been appointed. For the European subsidiaries and Orange Business Services, the principle of subsidiarity applies. There will therefore be data officers in each country and at Orange Business Services, and specific governance bodies led by Group HR. The first priorities for 25 May are to establish a register of processing operations, to amend subcontractors&rsquo; contracts and to work on the security of all processing operations. In non-European countries, a charter sets out similar obligations. 
<\/p>\n<p> <b>The elected representatives judged this presentation very insufficient in that, on the one hand, it does not specify the new obligations imposed by the regulation and, on the other hand, it is limited to employee data, even though the processing of customers&rsquo; personal data is the major issue.&nbsp;<\/b><b>Several practical questions from the representatives of the European subsidiaries went unanswered during the session, in particular on the processing registers that will have to be established and how employees will be able to consult them, on how their data can be deleted or its use restricted, and on the technical security solutions. <\/b><b>For processing that requires consent, priority is given to putting in place simple and understandable processes. 
<\/b><\/p>\n<p> <b>Asked whether compliance will be ensured by 25 May 2018, it was stated that the supervisory authorities (the CNIL in France) do not aim to sanction companies as of 25 May, but to raise their awareness and support them.<\/b><\/p>\n<p> <b>The elected representatives, through the Bureau, requested a presentation by the Data Officer at the next European Works Council giving an overall view of the subject.<\/b><\/p>\n<p>[<em style=\"font-family: Lato; font-size: 14px;\">English version<\/em>]<\/p>\n<p>As part of the Orange European Works Council meeting which was held in Paris on February 27th, 28th, and March 1st 2018, the Group&rsquo;s management team had included an agenda item related to the GDPR (General Data Protection Regulation) compliance program for the HR field presented by Elise Bruillon, Risk Manager Plazza.<\/p>\n<p>The presentation is strictly limited to the HR area, i.e. to the new rules protecting personal data relating solely to the Group&rsquo;s employees.<\/p>\n<p> Although the regulation was originally designed to protect consumers&rsquo; personal data, the processing of employees&rsquo; personal data also falls within its scope.&nbsp;The primary objective is to enable employees to exercise their new rights.<\/p>\n<p> The compliance project is divided into two areas:<br \/>&nbsp; &nbsp; &nbsp;&#8211; informing the employees<br \/>&nbsp; &nbsp; &nbsp;&#8211; securing the data and risk management<\/p>\n<p>The employees will be informed about the processing of their data and its purposes so that they can exercise their rights.&nbsp;The necessary technical measures will be put in place to manage all of the risks from the collection to the deletion of any personal data.<br \/>The collection of personal data follows two regimes:<br \/> &#8211; The collection of certain data meets legal obligations: those prescribed for example for the payment of 
wages. In this case, the employee&rsquo;s consent is not required.<br \/>&#8211; Processing carried out in the interest of the company independently of any legal obligation will be subject to the consent of the employee.<\/p>\n<p> In terms of collection, the principle is now to limit the collection of any data that is not strictly necessary. Data must now be used proportionately.<\/p>\n<p> Three risk scenarios are now integrated into personal data processing:<br \/>&nbsp; &nbsp; &nbsp;&#8211; illegitimate access to data by a third party<br \/>&nbsp; &nbsp; &nbsp;&#8211; unwanted changes to data by a third party<br \/>&nbsp; &nbsp; &nbsp;&#8211; deletion of personal data<\/p>\n<p> To carry out this work, an organization was set up and a \u00ab\u00a0Data Officer\u00a0\u00bb (Patricia Lelarge) was appointed.&nbsp;For the European subsidiaries and Orange Business Services, the principle of subsidiarity is retained. There will be data officers by country and at Orange Business Services, and specific governance led by the Group HR Management.&nbsp;The first issues for May 25th are to establish a register of all data files, modify the contracts of subcontractors and work on the security of all processing. 
In non-European countries, a charter sets out similar obligations.<\/p>\n<p> <b>The elected representatives considered this presentation to be very insufficient in that, on the one hand, it does not specify the new obligations imposed by the regulation, and on the other hand, it is limited to employee data even though customers&rsquo; personal data is becoming the most complex issue to manage.&nbsp;<\/b><b>Some practical questions from representatives of the European subsidiaries were not answered at the meeting, particularly regarding the processing registers that will have to be established and the process for employees to consult these registers, the methods for deleting or limiting the use of their data, as well as technical security solutions.&nbsp;<\/b><b>For procedures requiring consent, priority is given to putting in place easy and understandable processes.<\/b><\/p>\n<p> <b>To the question of whether compliance will be assured on May 25th, it was indicated that the supervisory authorities (the CNIL in France) do not intend to penalise companies from May 25th, but to raise awareness and provide support.<\/b><\/p>\n<p><b>Finally, the elected representatives have asked the Data Officer to speak at the next European Works Council to give a global view of the subject.<\/b><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[French version here\/English version below] As part of the Orange European Works Council held in Paris on 27 and 28 February and 1 March 2018, Group management put 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[56],"tags":[],"class_list":["post-8950","post","type-post","status-publish","format-standard","hentry","category-economie-et-reglementation-des-telecoms"],"blog_post_layout_featured_media_urls":{"thumbnail":"","full":""},"categories_names":{"56":{"name":"Economie et R\u00e9glementation des T\u00e9l\u00e9coms","link":"https:\/\/dev.cfecgc-orange.app\/index.php\/category\/cit\/entreprise\/economie-et-reglementation-des-telecoms\/"}},"tags_names":[],"comments_number":"0","wpmagazine_modules_featured_media_urls":{"thumbnail":"","cvmm-medium":"","cvmm-medium-plus":"","cvmm-portrait":"","cvmm-medium-square":"","cvmm-large":"","cvmm-small":"","full":""},"_links":{"self":[{"href":"https:\/\/dev.cfecgc-orange.app\/index.php\/wp-json\/wp\/v2\/posts\/8950","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dev.cfecgc-orange.app\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dev.cfecgc-orange.app\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dev.cfecgc-orange.app\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dev.cfecgc-orange.app\/index.php\/wp-json\/wp\/v2\/comments?post=8950"}],"version-history":[{"count":0,"href":"https:\/\/dev.cfecgc-orange.app\/index.php\/wp-json\/wp\/v2\/posts\/8950\/revisions"}],"wp:attachment":[{"href":"https:\/\/dev.cfecgc-orange.app\/index.php\/wp-json\/wp\/v2\/media?parent=8950"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dev.cfecgc-orange.app\/index.php\/wp-json\/wp\/v2\/categories?post=8950"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dev.cfecgc-orange.app\/index.php\/wp-json\/wp\/v2\/tags?post=8950"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}
","templated":true}]}}