Following the implementation of the General Data Protection Regulation (GDPR) which became enforceable on May 25, 2018, we have asked a law firm specialized in this area to make an audit on issues related to the use of personal data.
On May 25, 2018, the Regulation (EU) 2016/679 from the European Parliament and the Council of Europe dated April 27, 2016, related to the protection of private persons, regarding the personal data processing and the free movement of these data (more commonly known as GDPR), became enforceable, provoking public awareness on personal data concerns.
Contrary to what has been sometimes said, this European Regulation, from the point of view of French legislation and of French law n° 78-17 on Information Technology, Data Files and Civil Liberty of January 6, 1978, doesn’t affect existing legislation: This is not a revolution but rather a continuation and a consecration of known rules and principles.
One of the main changes is the introduction of the principle of responsibility and accountability which result in changes in the compliance procedures for those who are responsible for personal data processing. Some own control obligations have superseded preliminary formalities, and responsability regarding the personal data subcontractors has been enhanced.
The rights of individuals are enhanced about their prior information, their prerogatives and the nature of their consent, but the principles of the processing remain unchanged.
Can I add information about living persons in my family tree?
The defintion of a private data has not been significantly changed by the GDPR, which defines it as follow: this is “every information related to an identified or an identifiable private person”. An identifiable private person is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as their name, an identification number, their geolocalization data, or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity.”
The question of adding information about living persons in a family tree can be complicated regarding the actual legislation about personal data, and depends on a number of factors:
If the processing is made for personal purposes and is not subject to public release (like a family tree only available to the owner or the owner’s family), it is not subject to the GDPR.
In other cases, it is necessary to refer to the GDPR.
In this respect, the Geneanet Terms of Service recall the possible basis concerning information about living persons in a family tree.
In accordance with these basis, the historical or scientific research is the most relevant as genealogy is a historical science and as making a family tree is historical and scientific research task.
That being said, the consent of the person is still the most secure basis in regard to the GDPR. Attention: concerning the minors under 16 years of age (15 years of age in regard of the latest French draft legislation), the consent must be obtained from persons who have parental authority.
May Geneanet be held responsible for personal data published on the site by its members?
The responsibility of Geneanet in regard of the personal data published on the site by its members remains unchanged, the applicable regime is that by law n° 2004-575 dated June 21, 2004 from the Confidence in the Digital Economy Act law (French law about Internet rights).
Geneanet acts as a hosting provider by limiting its actions to providing space to its users, allowing them to upload genealogical data and documents.
In this regard, Geneanet can be responsible for the data published only if the illicit nature of an information (attention, “illicit” is not “contested”) has been brought to its attention, in the forms prescribed by law, and if Geneanet did not react quickly enough to remove these data or to make them unavailable.
For this reason, the Geneanet Terms of Service expressly foresee the conditions under which the rights of access, rectification, removal or opposition may be exercised.
However, members remain fully responsible for the information they publish on the site Geneanet.org, in the space made available to them. They are also responsible for the data processing they make as adding data to their family tree.
What are your rights if you find some personal data in a Geneanet family tree?
The rights of the persons concerned by personal data processing have been enhanced. Some of these rights are:
• Any person has the right to access their personal data and information about how this personal data is being processed.
• Any person has the right to data portability, and the data must be provided by the controller in a structured and commonly used standard electronic format.
• Any person has the right to rectification and to restriction, to obtain from the controller the rectification or the restriction of processing of inaccurate personal data or data no longer needed for the purposes of the processing.
• Any person has the right to erasure (right to be forgotten), which pre-existed in the French jurisprudence, and the personal data must be removed by the controller without undue delay. It is important to remember that this right is limited when the processing is related to historical and scientific research, as genealogy research.
• Any person has the right to object on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her.
These rights shall be exercised to the controller of the processing which may ask for proof of identity (credential).
For example, concerning the family trees, the request shall be addressed to the owner of the family tree (i.e. the Geneanet member), and not to Geneanet which only is the hosting provider.
Furthermore, these rights may not be exercised for others.
Finally, the GDPR only applies and only benefits to living persons.
For this reason, the Council of State of France recently recalled that these rights, as the right of access, are not transferable to heirs. This decision contradicts the provisions of the recent French law for a digital Republic dated October 7, 2016, especially with Article 40-1 allowing heirs, in absence of specific directives from the deceased, to exerce a right of access, if it’s necessary to settle the succession of the deceased, or a right to object to proceed to the closure of the accounts of the deceased and to oppose the data processing.