Time should preferably be allowed to file the terms and conditions in the office of a bailiff, which may take a few hours or up to a couple of business days.
Time should also be allowed if the organizer has not yet made the appropriate steps towards becoming compliant with the GDPR and French data protection act requirements as regards the management of the personal data collected and processed in connection with promotional operations, including, without limitation, the creation and maintenance of a record of data processing activities, appropriate information notices provided to data subjects, and formal processes implemented in order to enable the latter to exercise their rights (i.e. access, rectification and erasure, data portability, objection, restriction of processing, the right to digital legacy).
Where the processing of personal data in the context of promotional operations is likely to result in high risks to the rights and freedoms of natural persons (e.g. where such data is used to profile participants), the organizer must also proceed with a Personal Data Impact Assessment.
In France, since the entry into force of the GDPR on May 25, 2018, the general principle is that each processing purpose for which personal data is processed must be evidenced with a record of data processing activities. Therefore, it is not a requirement to make a record entry for each promotional operation, but to have one record entry encompassing the management of the personal data collected and processed in the course of such operations (provided that means of processing and data processed are similar). If personal data is transferred outside of the European Economic Area, it is necessary to 'ensure that the recipient is located in a country recognized by the European Commission as ensuring an adequate level of personal data protection, or that a proper transfer mechanism is implemented (e.g. binding corporate rules, European Commission model clauses).
In addition, the organizer shall allow time to implement 'Privacy by Design' and 'Privacy by Default' principles to any further processing of personal data in the context of promotional operations (i.e. ensure that appropriate technical and organizational measures are implemented to meet the requirements of the GDPR and that, by default, only the personal data that is necessary for the purposes of promotional operations is collected and processed).
Last modified 10 Jan 2019