The GDPR and the Cosmetics Industry: What you need to know
SYLVIE GALLAGE-ALWIS*, DEBORAH AZERRAF
*Corresponding author
Signature Litigation, Paris, France
Abstract
The GDPR is now a well-known piece of legislation that all companies should have implemented. This being said, as it is a Regulation, it provides for general principles and raises a certain amount of questions in practice. In the cosmetics industry, companies are subject to the standard obligations that all industries that are in direct contact with consumers face. For instance, they have to process personal data such as the consumer’s name, contact details, gender, location and email address, which are generally collected when he/she buys a product or subscribes to a loyalty programme. The actors of this industry may however process much more sensitive data such as data related to one’s health or physical and physiological features, especially in the scope of clinical tests or in beauty salons. This article gives the opinion of two lawyers on the issues the cosmetics industry has faced this past year in relation to the GDPR.
INTRODUCTION
In the era of digitalisation where data is shared and circulated easily with sometimes limited control as to their future use, the European Union has adopted a specific legal framework which entered into force in May 2018.
Regulation no. 2016/679 on the protection of personal data of 27 April 2016, known as the “GDPR”, which came into force on 25 May 2018, aims at reinforcing the duty to inform for companies collecting personal data in the European Union while granting European citizens a number of rights with regard to the processing of their personal data.
The Regulation thus provides European citizens with a right to be informed when their personal data is collected (Articles 13 and 14) as well as a right to access the information concerning their personal data (Article 15); a right to have inaccurate or incomplete data rectified (Article 16); a right to object the processing of their data at any time (Article 21); a right to data portability (Article 20); a right to a processing restriction (Article 18) and a right to erase data also known as the ...