The date of 25 May 2019 marks the first anniversary of the application of Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR). In this context, the CNUE is emerging as a platform for exchange between its members with regard to compliance at the level of notarial chambers and notaries’ offices. Thus, a first exchange workshop was organised between European notariats in Berlin in February 2018. A taskforce was also set up within the CNUE to facilitate networking for the notariats’ Data Protection Officers (DPOs). Aurélie Merquiol, President of Cil.not and DPO of the French notariat, and Aurélie Van der Perre, DPO of the Belgian notariat, are the co-chairs of this taskforce.
What is your initial assessment of the GDPR?
Aurélie Merquiol: “The significant increase in the number of Data Protection Officers in France, but the supervisory authority expected more. In the French notariat, communication around the GDPR has made it possible to convince those who were still undecided of the importance of this protective shield. In addition to regulatory compliance, this text makes it possible to restore trust by making data flow more fluid within a secure environment.”
Aurélie Van der Perre: “Although the basic principles of data protection have not been thoroughly reviewed, the GDPR has had a visible impact on the practice of notarial offices. Thus, the GDPR made it possible to create the shared DPO service for the Belgian notariat. Awareness-raising activities with regard to notary offices have been stepped up, with the result that data protection precepts are gradually being taken into account in notarial practice. Within a few months, notaries and their staff have become visibly aware of the intrinsic link between the GDPR and the work of a public officer-holder.”
In concrete terms, what should be done?
A. Merquiol: “In France, it is a question of implementing the action plan drawn up by the notary office’s Data Protection Officer and documenting the data protection policy, which could be summarised as “writing what we do and doing what we write”. In concrete terms, this means informing clients via notices on websites or questionnaires; supervising relations with the office’s service providers; raising awareness among employees, etc. It is also necessary to notify the supervisory authority and possibly clients of data breaches that pose a risk to rights and freedoms”.
A. Van der Perre: “The difficulty for notaries lies in identifying the actions to be taken under the GDPR. Through the development of the register of processing operations, the necessary actions – legal, practical (organisational) and technical – are identified for each office. Notaries can then start the compliance process with the help of the DPO they have appointed. In Belgium, the most frequent practical questions raised by notaries concern the length of time data are kept before they are destroyed and the strictly controlled use of the national identification number.”
And in a European context?
A. Merquiol: “The free movement of data, promoted by the GDPR, requires a comprehensive approach to compliance at the level of EU notariats. How to deal with requests for access that have a cross-border element? How to ensure that data subjects outside the borders of a country are notified of data breaches – a new obligation – in the case of cross-border clients? It is essential that notariats work together to ensure that EU citizens are able to harmonise data protection practices and responses, while taking into account national specificities.”
A. Van der Perre: “The legal form of the Regulation was chosen by the European authorities above all in order to harmonise European rules and to promote the free movement of data, particularly between professionals in the same sector. With the growth of new technologies, data will naturally circulate within and even outside the European Union. Cooperation between European notariats can only strengthen the image of a profession concerned with ensuring the protection of the data and privacy of European citizens while taking into account the latest technological developments.”