Specific obligations for certain activities
Depending on the type(s) of activity implemented, the professional website must also contain the following information:
- Commercial activities: registration number in the trade and companies register (RCS) and, if you have one, intra-community VAT number;
- Editorial activities: for all sites offering articles, blogs and other information, name of the director, co-director or person in charge of publication;
- Activities subject to an authorization regime: name and address of the authority that issued the authorization to operate.
Intellectual property information
If you use images, illustrations, or photographs, you must state the intellectual property rights that apply to them.
For texts that are not your own, you must obtain the author's permission or at a minimum, if it is a short extract, cite the source of the text.
Information regarding the use of personal data and cookie management
Since the entry into force of the General Data Protection Regulation (GDPR) on May 25, 2018, websites (and more broadly any person or organization collecting personal data) must list the processing carried out and implement the rights guaranteed by the GDPR.
Personal data is any information relating to a natural person: name, surname, address, telephone number… The GDPR distinguishes between two situations:
- The natural person is identified directly: direct collection of user data, either from the user (for example, when filling out a form) or through observation of their activity (geolocation, IP address, etc.);
- The individual is identifiable indirectly: data obtained from business partners or data collection that indirectly allows the personal data of users to be retrieved.
In both cases, the website must contain a certain amount of information.
Note: In order to inform internet users about the methods of processing and storing their data, you can choose to make this information available following the identification notices, on the same page, or on a dedicated page which you can name for example Privacy Policy or Charter on respect for privacy.
The purposes of data collection by cookies
To analyze the behavior of internet users, such as their browsing, consumption habits, movements… websites use a small file placed on the user's computer: the cookie.
We can distinguish:
- Cookies that are "necessary" for the proper functioning of the website. For example, they allow the website to save a shopping cart, login details, or track a user's actions on the site.
- Other cookies, whether internal or external, collect personal user data to track user behavior and serve advertising purposes.
With the exception of cookies necessary for the operation of the website, the use of all other cookies must be explained clearly and precisely to all users of the website.
Furthermore, it is mandatory to obtain prior consent for the processing of this personal data. This is the window that appears when you visit a website for the first time, asking you if you accept the website's terms and conditions (relating to the management of your personal data).
In this regard, the CNIL insists on the need for the collection of internet users' consent to offer the same simplicity for refusal as for approval.
It is possible to use a Consent Management Platform (CMP) to facilitate the implementation of a user consent collection interface on your website.
The legal basis for data processing
The legal notices must specify, in accordance with the GDPR, the legal basis for the data processing implemented on your website.
It is permissible to process personal data when the processing is based on one of the 6 legal bases mentioned in Article 6 of the GDPR:
- consent: the person has consented to the processing of their data;
- the contract: the processing is necessary for the performance or preparation of a contract with the data subject;
- legal obligation: the processing is imposed by legal texts;
- the public interest mission: the processing is necessary for the performance of a public interest mission;
- legitimate interest: the processing is necessary for the pursuit of the legitimate interests of the body processing the data or of a third party, in strict compliance with the rights and interests of the persons whose data are being processed;
- safeguarding vital interests: the processing is necessary to safeguard the vital interests of the person concerned, or of a third party.
When a single data processing operation pursues multiple purposes, i.e., multiple objectives, a legal basis must be defined for each of these purposes. However, it is not possible to combine legal bases for the same purpose: only one must be chosen.
The most commonly used legal basis is consent. It ensures that individuals have strong control over their data by allowing them to:
- understand how their data will be processed;
- choose, without constraint, whether or not to accept this processing;
- change their mind freely.
For example, you can consult the page dedicated to the Privacy Policy of Legalstart, an online legal services platform for very small and small businesses.
The recipients of personal data
These are the people who have knowledge of the personal data collected. In the case of a professional website, this is most often the company that publishes the site and the site's hosting provider.
This section of the legal notice should also indicate whether any personal data is transferred outside the European Union. This is particularly relevant when the website is hosted by a foreign provider with servers outside the European Union. It can also be the case if you use tools offered by companies outside the EU, such as an audience measurement tool like Google Analytics.
Users' rights over their personal data
In accordance with the GDPR, legal notices must inform users of their rights (right of access, rectification, objection, erasure, etc.). A user may, for example, decide to withdraw their consent.
It is also important to provide an email or postal address that the person can use to exercise their rights. Certain uses of personal data (Cnil.fr) require you to provide the contact details of the Data Protection Officer (DPO) (Cnil.fr) that you should have appointed.
In most cases, small organizations whose processing volumes are limited can simply provide an email address dedicated to exchanges relating to personal data.