Business Law

Privacy law – Personal data protection

Since 2016, the General Data Protection Regulation (GDPR) has implemented a completely new legal framework at the European level, taking full account of the legal issues related to the processing and use of personal data. GDPR has affected many professions and has made the performance of several tasks more complex. Today, personal data protection law concerns all organisations that process personal data, regardless of the sector or nature of their activities. 

In a context of profound digital transformation of the economy where personal data transfer flows are intensifying, JP Karsenty helps its clients to understand and apply this complex and evolving regulatory environment. We help our client to achieve compliance with the applicable regulations, while providing pragmatic and tailor-made solutions to meet the reality of the challenges and operational constraints they face. More specifically, JP Karsenty offers its expertise in litigation and contractual practice, in matters of personal data. 

The Personal Data Protection and Privacy Law team is led by Jean-Philippe Arroyo, who is a member of the French Association of Personal Data Protection Officers (AFCDP) and of the Association for the Development of Digital Law (ADIJ).

Jean-Philippe Arroyo is also co-author of the book « #RGPD et Marketing - De la contrainte à l’opportunité », published by e-theque. 

He regularly intervenes in conferences on these subjects and provides professional training on these issues, particularly in collaboration with independent DPO providing their services. 

The firm's Data Protection and Privacy team is well recognized in numerous rankings for its expertise.

Ranking Décideurs Magazine 2022 – Innovation, technology & telecoms

Data protection law – Highly recommended
IT, software & digital projects - Highly recommended
Internet – Recommended

Legal works in this area

  • Carrying out legal compliance audits (compliance of information to data subjects on the processing of their personal data and on cookies, audit of existing contractual relationships with processors and/or joint data controllers, etc.).
  • Analysis of the qualification of controller, processor, or joint controller of personal data processing (analysis of personal data flows and the role of each of the stakeholders in personal data processing)
  • Drafting of subcontractor and joint controller contracts and adaptation of commercial contracts to the personal data regulation
  • Drafting and adaptation of the various contractual documents between data controllers and their customers (BtoB and BtoC) with regard to the regulations on the protection of personal data (order forms, T&Cs, Terms of Use, warranty booklet…)
  • Drafting of personal data protection policies (personal data protection policy for employees but also for customers in BtoC relationships and for staff and management members of the clients in BtoB relationships)
  • Compliance of websites (Drafting of information documents on the processing of personal data and cookies management policy, legal notices, drafting of cookies information banners and contact forms)
  • Validation of internal procedures for processing of personal data (retention periods for personal data, management and retention of consents, management of relations with customers and prospects, mailing, etc.)
  • Assistance for personal data transfers abroad (coordination with foreign lawyers, compliance with local specificities, contractualization of data transfers outside the European Union (based on standard contractual clauses or others), drafting of Binding
    Corporate Rules etc.)
  • Support in structuring projects involving the processing of so-called “sensitive” personal data (health data, biometric data, etc.)
  • Adaptation of codes of ethics and whistleblower/whistleblowing programmes with regard to the regulations on the protection of personal data and the French law Sapin II
  • Training and support for DPOs (interpretation of the GDPR, French regulations, and CNIL recommendations and practices)
  • Representation and assistance of clients in litigation relating to the application of the regulations on personal data protection
  • Assistance before data protection authorities, in particular the CNIL in case of controls and complaints

Track records

  • Assisting a major American tech company in a dispute concerning consumer information on the processing of their personal data
  • Assistance to a foreign company regarding French regulations applicable to the processing and hosting of health data
  • Assistance to a foreign company in matter of urban mobility following a CNIL control
  • Drafting of personal data protection policies for (i) the management, staff and employees of a company, and of (ii) its BtoC and BtoB customers
  • Drafting of personal data outsourcing contracts for a car manufacturer in its relationship with its marketing agency
  • Drafting of a joint data processor contract between the publisher of an e-commerce website and a payment organisation
  • Audit and compliance of the cookies management policy of various website publishers in accordance with the latest guidelines of CNIL
Share and print

Subscribe to our newsletter to be informed of our news