An alteration of a work of architecture that does not infringe the rights of the author can be carried out without their prior consent

La modification d'une œuvre architecturale qui ne porte pas atteinte aux droits de son auteur, peut se faire sans son accord préalable

The very essence of copyright is to confer on the author of an original work an exclusive, intangible property right enforceable against all. Pursuant to this exclusive right, no infringement of the work, of any nature whatsoever, can be carried out without the prior consent of the author. The right to the respect of the integrity of the work enshrined in article L.121-1 of the Intellectual Property Code imposes that a work that expresses the personality of the author cannot in theory be subject to a material alteration without the express agreement of the author. Through a judgment on 20 December 2017, the Supreme Court of Appeal has just established a limit to this exclusive right of the author: an alteration of a work of architecture that does not infringe the rights of the author can be carried out without their consent. An original architectural work can be protected in respect of copyright as any other literary or artistic work would be. However, and contrary to a purely aesthetic work, a work of architecture has a functional purpose which results from the fact that a building, in addition to being original, may constitute a place of residence, work or access to culture. In the case at hand, the architectural work intended to house the collections of the “Musée d’Arles antique” had been produced by an architect on behalf of a département, which, without the consent of the architect, proceeded to carry out extension works to the building in order to exhibit a Gallo-Roman trading ship.

The functional purpose of the work of architecture means the right to the respect of architecture must be reconciled with the right of the owner of the work. The method applied by the judges is that of the control of proportionality: a limit to the fundamental right (the right of the author) must be accepted but in a way that is justified and proportionate. The Supreme Court of Appeal here validated the reasoning of the 7 January 2016 ruling by the Court of Appeal of Aix-en-Provence which rejected the architect’s claims. To preserve the balance between the prerogatives of author and owner of the work of architecture, the alterations must not exceed what is strictly necessary for the adaptation of the work to new needs and must not be disproportionate with respect to the purpose. In the case at hand, the discovery of the boat and its cargo, dating back to ancient Roman times, declared a “national treasure”, and the necessity of showing both in the museum in question, characterise the existence of a new need which, to be satisfied, required the building of an extension, because the unity attached to the museum excluded the construction of a separate building. The extension produced altered the original construction but made use of the original colours, the white walls and blue facades, and it was not established that it spoilt the overall harmony of the work.

The right to the respect of the work is subject to a variable geometry application depending on the purpose of said work. In terms of a work of architecture, the architect cannot impose absolute intangibility of the premises they produce and must accept infringements of their rights when these are justified and proportionate.

Raising Awareness among its Staff: An Essential Step in Implementing the General Data Protection Regulation

Sensibiliser son équipe : une étape essentielle dans la mise en place du RGPDWhile most companies have understood the challenge of the General Data Protection Regulation (GDPR) that will come into effect on 25 May 2018, the implementation of its provisions remains difficult to grasp. With just two months to go before the regulation enters into force, it is imperative for companies to make their staff aware of the objectives of the regulation and, especially, how to put them into practice.

1.Risk mapping

To implement its compliance plan, the company must start by identifying the processing of personal data, and all computer and manual flows, to determine where each data process comes from, by whom is it carried out, and finally, its purpose. This data mapping will ultimately define the challenges and risks specific to the company. In this context, the CNIL (French data protection authority) offers examples of record sheets to guide work teams on the actions to be taken.

  1. A roadmap sent to its work team

Once the mapping is established, the team must prioritize its actions by drafting a roadmap including:

– a method ensuring management of the risks previously identified by the work team,

– raising awareness of the operational staff within the company,

– establishment of a new governance,

creation of a procedure for data processing management, to ensure the company’s continuous conformity.

  1. Informing the individual when collecting personal data from external sources

Although it is possible to process data collected from external sources such as public databases, social networks, lists of prospects, the provisions of the Regulation must be respected. However, under Article 47 of the GDPR, the company will have to assert a legitimate interest in the collection of such data. This legitimate interest can be asserted when:

  • the data processing takes place in the context of a customer relationship,
  • the processing is carried out for marketing purposes,
  • the processing prevents fraud or ensures the security of the computer systems network.
  1. The choice of the individual in relation to the collection of his personal data

In order to be able to process the personal data, the company must allow the individual to provide his express consent as stipulated under Article 7 of the GDPR. In practice, the pre-checked boxes will be excluded in favour of a provision exclusively devoted to the individual’s consent for each piece of personal data collected. This makes it possible to limit the over-collection of data; for example, collecting the individual’s exact date of birth will no longer be allowed if the year of birth is sufficient to satisfy the purpose of the processing, just as the individual’s exact place of residence if the country is sufficient. Faced with these requirements, the company will have to adapt and store only the data strictly necessary. Moreover, if the individual wishes to modify or even delete his personal data, this operation must be easy to perform, which means making the system for collecting personal data flexible.

  1. Ensuring compliance by subcontractors

Although the regulation is aimed at the direct holders of personal data, said regulation also applies to subcontractors and sales persons when they have access to such data. Indeed, the latter are required to certify their compliance with the GDPR. To do this, it is recommended that, if companies subcontract the data collected, they include standard data protection clauses attesting to their compliance with the GDPR.

  1. What are the working tools of employees covered by the GDPR?

By definition, the GDPR applies when

  • the processing is carried out by “automated means”,
  • the data “is part of a filing system or is intended to form part of a filing system” although the processing is not carried out by automated means in the strict sense of the word.

With regard to the first case, the work teams only convert documents into digital format. The situations referred to in the second case are those of systems for classifying “any structured set of personal data that is accessible according to specific criteria”. In practice, all unorganised paper documents, such as loose documents on a printer or documents on a desk, are not subject to the GDPR. On the other hand, whenever these paper documents are organised by staff so as to be accessible according to defined criteria, the GDPR will apply. For example, files submitted in a file indexed by name, expense reports sorted by function and sorted internally, or files from the department of human resources, will be subject to the GDPR. In light of future changes, we recommend coming into compliance as soon as possible. With a department dedicated to personal data issues and a department with technical skills, Dreyfus & associés is the ideal partner to assist you in this transition process.

In light of future changes, we recommend coming into compliance as soon as possible. With a department dedicated to personal data issues and a department with technical skills, Dreyfus & associés is the ideal partner to assist you in this transition process.

The bill on the protection of personal data

Le projet de loi relatif à la protection des données personnellesThe adoption of the “European data protection package” on 27 April 2016 launched a movement within the Member States to reform national legislation on personal data. The implementation of the General Data Protection Regulation 2016/679 (http://eur-lex.europa.eu/legal-content/FR/TXT/PDF/?uri=CELEX:32016R0679&from=FR) (“GDPR”) particularly marks significant progress in this area. It is from the perspective of the application of this regulation that the French government made public on December 13, 2017 the “bill on the protection of personal data” adapting the Data Protection Act to the GDPR ( https://www.legifrance.gouv.fr/affichLoiPreparation.do?idDocument=JORFDOLE000036195293&type=general&typeLoi=proj&legislature=15)

This draft law highlights the desire, contained in the European regulation, to increase the influence of the national supervisory authorities responsible for personal data. To this end, numerous changes relating to the powers and organization of the CNIL (https://www.cnil.fr/) are planned.  We note the strengthening of its role, especially through the extension of its powers in soft law and sanctions. Some changes also concern its investigative powers and cooperation with other EU supervisory authorities. In this sense, it is noted that the CNIL will henceforth be able to attach to its conclusions a reference for a preliminary ruling to the Court of Justice of the European Union for an assessment of the validity of the European Commission’s adequacy decision and of all the acts taken by the European Commission authorizing or approving the appropriate assurances in the context of data transfers. In addition, its scope of action has been broadened through its ability to ask the State Council ( https://www.google.fr/search?q=conseil+d%27%C3%A9tat&rlz=1C1CHBD_frFR778FR778&oq=conseil+d%27&aqs=chrome.0.69i59j0j69i57j0l3.1759j1j4&sourceid=chrome&ie=UTF-8) to order the suspension or termination of the data transfer concerned, if applicable under penalty.

In addition, the draft law establishes a specific procedure for the processing of health data. While this category of processing includes medical research and evaluation of care, it excludes, when they fall under the provisions on sensitive data, processes “necessary for the purposes of preventive medicine, medical diagnosis, the administration of care or treatment, or the management of health services“. Also, in accordance with the GDPR, the bill establishes a fundamental prohibition on the processing of so-called “sensitive” data, genetic and biometric data for the purpose of uniquely identifying a natural person. However, it goes further than Article 9.2 of the GDPR by providing for the possibility for the administration and employers to use biometric data for access control purposes to workplaces, devices and applications. In addition, the bill limits the use of data relating to criminal convictions, offences or related security measures to only certain categories of persons. An exception is, however, provided where such data are used for the purpose of taking legal action as a victim, defendant or on their behalf and enforcing the judgment given. Finally, it has been provided, in procedural matters, that the persons concerned may be represented individually by any organization or association authorized to take group actions in the context of complaints or actions against the CNIL.

Although the bill is in line with the GDPR, there are some discrepancies between the two texts. Indeed, while the GDPR abolishes prior formalities with the supervisory authorities, subject to a few exceptions, the bill keeps them with the CNIL for health data in certain areas. In addition, it also maintains a high level of authorization for processing on behalf of the State, including the use of biometric or genetic data for identification and identity control purposes. Processing requiring the use of the social security number (NIR) will also be authorized within the framework of a decree in the State Council, taken after a reasoned opinion and published by the CNIL which will determine the categories of data controllers and the purposes of these processing operations. The use of NIRs will also be authorized for derogatory purposes for national statistics, electronic relations with the French administration and scientific research. Therefore, the bill is more inflexible in this regard.

It is regrettable that the draft law does not specify the appointment of a Data Protection Officer (“DPO”) or the age of consent required of minors, aspects for which the Member States had a certain amount of leeway.

In conclusion, in the light of these discrepancies, it is certain that, even after the adoption of the law, certain amendments are still necessary to make the French law all the more compatible with the GDPR. However, the impact of these divergences will have to be measured insofar as the European regulation remains directly applicable.