I.-Legal persons governed by public law and legal persons governed by private law entrusted with a public service mission who develop and make available the online services mentioned in 3° of II of article L. 5151-6 are authorised to create the necessary personal data processing under the conditions defined in this article.
The legal person who develops and makes available the online service is responsible for the corresponding personal data processing.
The processing of personal data must have received the consent of the holder of the personal activity account.
In accordance with IV of article 26 of the aforementioned Act of 6 January 1978, the implementation of each processing operation is subject to the prior submission to the Commission nationale de l’informatique et des libertés of an undertaking to comply with the provisions of this article. This undertaking shall be accompanied by a summary technical file describing the processing carried out and the measures taken to ensure its security.
II.-Insofar as they are strictly necessary for the provision of the online service, the data mentioned in article R. 5151-4 , with the exception of the following data:
1° Data relating to exposure to occupational risk factors mentioned in 3° to 6° of I of Article 2 of the Decree of 11 August 2016 authorising the creation of a personal data processing operation called the Professional Prevention Account;
2° Data relating to voluntary or volunteer activities recorded pursuant to Article L. 5151-8 , when it falls within the scope of the data listed in article 8 of the aforementioned law of 6 January 1978.
III.-An order of the Minister for Employment, issued after receiving the reasoned and published opinion of the Commission Nationale de l’Informatique et des Libertés, specifies the technical conditions for access to the data.
IV.Employees and agents of the bodies mentioned in I of the same nature as those mentioned in articles R. 5151-5 and R. 5151-6 may be recipients of the data mentioned in II, provided they have been specifically authorised for this purpose .
V.- Each data controller keeps the data mentioned in II for the duration of the operations required to provide the online service. This period may not exceed one month after completion of the operations.
VI.-In accordance with the provisions of I of article 32 of the aforementioned Act of 6 January 1978, each data controller shall inform individuals of the online service. This information shall mention in particular the identity of the data controller, the purpose of the processing, the recipients of the data and the procedures for exercising the rights of individuals.
The rights of opposition, access and rectification are exercised, in accordance with articles 38 to 40 of the same law, by the departments designated by the data controller in the commitment to compliance mentioned in I.