What impact will this have on the electronic archiving of documents?

The GDPR will have a major impact on all the data storage service providers as well as on those in charge of electronic archiving. Archived electronic documents (contracts, subscription forms, consumer loans, HR documents, etc.) may contain personal data. When the archiving of an organisation's documents (with the organisation being considered as the data controller within the meaning given by legislation) is entrusted to an archiving service provider (the subcontractor), the data controller is responsible for ensuring that their service provider provides sufficient guarantees in terms of security and confidentiality in order to be able to entrust the data to them.
The subcontractor must therefore provide the data controller with the necessary items and information (processing forms, information for impact studies, etc.) enabling them to observe the different restrictions and formalities imposed by the regulation.

Privacy by design and Accountability

The GDPR also modifies compliance management by introducing two principles:

  • Privacy by design (which must apply to the service provider’s archiving platform)
  • Accountability, a principle according to which the data controller must demonstrate their compliance.

The subcontractor must therefore implement the appropriate measures to guarantee, and be able to demonstrate, that personal data is processed in compliance with the regulation. This encompasses the management of documentation, the implementation of security obligations, carrying out an impact analysis and keeping a register of processing operations.

The burden of proof

The GDPR requires that the data controller (company or public authority) documents every action taken under their data protection policy so that they can demonstrate to the supervisory authorities or the persons concerned how that policy is applied. Therefore, the company/public authority that uses an archiving service provider (subcontractor) must itself take all the technical and organisational measures necessary for compliance with the regulation, and must be able to demonstrate this at any time by keeping a compulsory register.
For its part, the archiving service provider must supply its client (the data controller) with the responses and elements required, including the register of processing operations and the contracts (or general terms and conditions) containing clauses on the protection of any personal data that may be contained in the archived documents.

Electronic archiving: 3 key points for compliance with the GDPR

To comply with the principles of personal data protection (some of which pre-date the adoption of the regulation), “sophisticated” electronic retention of documents is essential.
Archived documents may contain personal data (in particular for companies with a B2C model) and must therefore only be stored for as long as necessary to fulfil the purposes for which the data was collected.

Electronic archiving must therefore be:

  • Selective. When a text stipulates an archiving obligation, care must be taken to ensure that only data necessary to comply with the obligation in question, or to assert a legal right, is archived.
  • Limited in time. The data necessary to fulfil a legal or regulatory obligation must be archived for the duration of the obligation concerned and must be deleted once this duration has elapsed. When the documents concerned are not subject to a retention obligation, but are used to assert a legal right, they must be destroyed at the end of the prescribed period.
  • Secure. Technical and organisational measures must be envisaged to protect the data archived against any type of event (destruction, loss, alteration, distribution or unauthorised access, etc.).

When the electronic archiving is entrusted to a subcontractor (third-party archiver) the data controller must therefore, as mentioned above, ensure that their service provider provides sufficient guarantees in terms of security and guarantees the confidentiality of the data entrusted to them.

ISO 27001 certification on the security of IT systems is a good start. In addition, there are standards on the design and operation of an Electronic Archiving System (ISO 14641-1 internationally and AFNOR NF Z 42-013 for France), for which the NF 461 certification reference framework (common to both standards) addresses archive life cycle management, compliance with storage periods and the traceability of all the corresponding actions.

An NF 461 certified EAS is a valuable aid for compliance. It makes it possible to provide reliable answers on document integrity (non-alteration and non-destruction), on the permanence of documents and their legibility over time (control and validation of formats, so that the owner can still read a document should they need to produce it for legal reasons, etc.), and on traceability and archive life cycle management (management of retention periods, the destruction process at the end of the retention period, and provision of destruction certificates enabling the data controller to prove destruction in case of an inspection by the relevant authorities – CNIL, etc.).
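To make the three key points above (selective, limited in time, secure) and the life-cycle controls just described (integrity, traceability, retention management, destruction certificates) concrete, here is an added, self-contained Python model of an archive life cycle. It is illustrative code written for this page, not CDC Arkhinéo's product or any NF 461 implementation: the `ArchiveSystem` class, the `RETENTION_RULES` table and its durations, and the sample documents are all constructed assumptions. Integrity is a SHA-256 digest per record, traceability is a hash-chained append-only audit log, and a purge run deletes expired records and emits a logged destruction certificate for each.

```python
"""Added example: minimal archive life cycle (selective archiving, time-limited
retention, integrity and traceability). Constructed for illustration only."""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention rules: a document is archived only if it is tied to a
# declared obligation or legal right with a known retention period.
RETENTION_RULES = {
    "consumer_loan_contract": timedelta(days=10 * 365),  # constructed value
    "hr_payslip": timedelta(days=5 * 365),               # constructed value
}

GENESIS = "0" * 64  # start of the audit hash chain


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same entry always hashes the same way; dates become strings.
    return sha256_hex(json.dumps(body, sort_keys=True, default=str).encode())


@dataclass
class ArchiveRecord:
    record_id: str
    purpose: str
    content: bytes
    archived_on: date
    retention_until: date
    digest: str  # SHA-256 of content at archiving time (integrity reference)


@dataclass
class ArchiveSystem:
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # append-only, hash-chained
    last_hash: str = GENESIS

    def _log(self, event: dict) -> dict:
        """Append an audit entry whose hash covers the previous entry's hash."""
        body = dict(event, prev=self.last_hash)
        body["entry_hash"] = _entry_hash({k: v for k, v in body.items()})
        self.audit_log.append(body)
        self.last_hash = body["entry_hash"]
        return body

    def archive(self, record_id: str, purpose: str, content: bytes, today: date) -> ArchiveRecord:
        # Selective: refuse documents with no declared retention obligation.
        if purpose not in RETENTION_RULES:
            raise ValueError(f"no retention rule declared for purpose {purpose!r}")
        rec = ArchiveRecord(record_id, purpose, content, today,
                            today + RETENTION_RULES[purpose], sha256_hex(content))
        self.records[record_id] = rec
        self._log({"event": "archived", "record_id": record_id,
                   "digest": rec.digest, "retention_until": rec.retention_until})
        return rec

    def verify_integrity(self, record_id: str) -> bool:
        """Non-alteration check: stored content must still match its archived digest."""
        rec = self.records[record_id]
        return sha256_hex(rec.content) == rec.digest

    def purge_expired(self, today: date) -> list:
        """Limited in time: destroy records whose retention period has elapsed and
        return one logged destruction certificate per destroyed record."""
        certificates = []
        for rid, rec in list(self.records.items()):
            if rec.retention_until <= today:
                del self.records[rid]
                certificates.append(self._log({"event": "destroyed", "record_id": rid,
                                               "digest": rec.digest, "destroyed_on": today}))
        return certificates

    def verify_audit_chain(self) -> bool:
        """Traceability check: every entry must chain to its predecessor unchanged."""
        prev = GENESIS
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("prev") != prev or _entry_hash(body) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


if __name__ == "__main__":
    eas = ArchiveSystem()
    eas.archive("loan-0001", "consumer_loan_contract", b"constructed loan contract", date(2015, 3, 1))
    print("integrity ok:", eas.verify_integrity("loan-0001"))
    for cert in eas.purge_expired(date(2026, 1, 1)):
        print("destruction certificate:", cert["record_id"], cert["entry_hash"][:16])
    print("audit chain ok:", eas.verify_audit_chain())
```

The audit log is the piece a data controller would point to during an inspection: each destruction certificate carries the record identifier, the digest of what was destroyed and the date, and tampering with any earlier entry breaks the chain and makes `verify_audit_chain()` fail. In practice the log would be written to append-only storage and the certificates signed, which this toy model omits.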

*Documentation describing details for the protection of personal data (for CDC Arkhinéo clients only).