May 25, 2018

The date on which the GDPR will enter into force. It will apply in the 28 Member States of the European Union to all entities (companies, administration, startups, etc.) handling personal data and to any processing of personal data[1] with a view to providing goods or services to European residents.



The company is now 100% responsible for the way in which it and its subsidiaries process, store and protect the personal data of customers and employees. The requirement on prior notification has been replaced by the keeping of a register of processing.


7 principles

  • Individual consent must be acquired in a clear and informed manner. It may be withdrawn at any moment.
  • The collection of data on minors is supervised.
  • The rights of individuals have been reinforced (the precise right to information on the purpose of processing, the right to rectify, oppose and delete data).
  • A new right to data portability[2] has been introduced.
  • Profiling[3] is supervised.
  • A prior impact analysis of all processing must be made in the event of a substantial risk to the integrity of personal data.
  • The rules on the transfer of data outside the European Union have been reinforced.



72 hours

The time within which a company must alert the supervisory authority in the event of an attack and/or violation of personal data.


1 Data Protection Officer

A new function has been introduced by the GDPR: the Data Protection Officer (DPO). The DPO's main tasks are to ensure compliance with European regulation and to inform and advise on the implementation of data processing. He or she must also inform and advise employees responsible for processing personal data... The DPO is also the single point of contact with the supervisory authority of his or her country. At RCI Bank and Services, a Data Protection Officer was appointed in September 2017 for the entire group with a view to ensuring the compliance of our company, supporting our business lines and subsidiaries, and maintaining regular dialogue with the French data protection authority, CNIL.


24 RCI Bank and Services subsidiaries

The number of our European subsidiaries working actively to integrate the GDPR into all their processes.


[1] Any information relating to a natural person who can be identified, directly or indirectly.

[2] The right to data portability gives individuals the possibility to request their data from companies in an open and "machine-readable" format (e.g. Word or Excel).

[3] Analyzing the data of a natural person, including making decisions according to his or her preferences.