As part of our Law programme, “Extra-Patrimonial Rights”, Ms Vincent, our Law and Economics teacher, invited Ms Jade CORNILLOT-APPAVOU, Communications Officer and our school’s new RGPD (General Data Protection Regulation) Officer, to explain her role in data protection on 19 May 2025.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European regulation governing the processing of personal data. It came into force on 25 May 2018. Its main objective is to protect the privacy of European citizens in the digital environment and to make organisations that process personal data more accountable.
More specifically, the GDPR was adopted in 2016 by the European Parliament and was implemented on 25 May 2018. It applies to all EU countries and aims to harmonise data protection practices, while strengthening the rights of data subjects.
The GDPR applies to all organisations that collect, process and store personal data, whether or not they are located in the European Union. It imposes strict obligations in terms of transparency, consent, security and data retention.
Failure to comply with the RGPD regarding the collection and processing of personal data is punishable by the CNIL.
https://www.cnil.fr/fr/reglement-europeen-protection-donnees
How is the RGPD applied and by whom at the French International School of Pondicherry?
Within our school, the Head of Communications is responsible for the communications strategy, monitoring the school’s image and reputation, as well as internal and external communications. It organises events and manages the media. She also ensures compliance with the RGPD concerning the protection of personal data, working in consultation with the Data Protection Officer (DPO).
Here are the main obligations:
For state schools, it is common for the headteacher to be seen as the data controller. Nevertheless, at LFIP, the Head of Communications assumes a key role in applying and monitoring data protection policies.
Information and transparency:
Ms CORNILLOT-APPAVOU is responsible for communicating data protection methods. She is responsible for ensuring that pupils, parents and staff are informed about how their data is collected, used and protected.
Collaboration with the Data Protection Officer (DPO):
It is required to work closely with the institution’s DPO. The role of the DPO is to ensure that the institution complies with the GDPR and to offer guidance and advice.
Data breach management:
In the event of a data breach,it must be involved in the management of the incident, including notifying the regulatory authority (the CNIL) within a period of no more than 72 hours.
In the event of an accident, it is essential to notify the CNIL. To ensure that families are well informed and that managers are alerted, this is an aspect that the AEFE is seeking to put in place in all its schools. The AEFE has a Data Protection Officer (DPO) who is a specialist in this area.
LFIP is looking for solutions to comply with the RGPD and guarantee the protection of all data. One of its main tasks over the coming months will be to set up a data processing register so that it can keep a constant record of the data being processed by each department.
Can the GDPR cope with new technologies such as AI?
The fundamental GDPR is not technology-specific. It wasn’t designed just for websites and software. In theory, it applies to newer technologies that have emerged since the adoption of the GDPR. Artificial intelligence is a more recent concept than the RGPD.
It is important to understand that the information we provide, whether it is intended for IA-GPT or any other artificial intelligence programme, must be free of personal data. It is important that users do not reveal their name, date of birth or place of residence, as this information is highly sensitive. That’s why our school is planning to draw up a charter on the use of artificial intelligence. This charter will be implemented not only for students, but also for adults within the school. Indeed, among the adults, there are teachers who use AI to prepare their lessons and who also need to be aware of how they are using it. For the moment, in the absence of legal regulation, we have created charters for the use of artificial intelligence in schools. Once legislation has been passed at European level, we will have new directives to protect data relating to artificial intelligence in particular.
As you know, the RGPD is a European regulation that applies throughout the European Union. No matter where a company is based, whether it is American, Japanese or of another nationality, it is obliged to comply if it carries out its activities in the European Union. Furthermore, all European institutions located abroad are also required to comply with this standard, which is why the LFIP under direct management with the AEFE, despite its location in India, has implemented it.
We believe that it is essential to favour the most protective legislation. In nations such as Canada and Japan, data protection is seen as being fairly comparable to that in the EU. So if data is transferred between these nations and the European Union, the procedure will be made slightly easier because the standards required are similar on both sides.
Conclusion
In conclusion, the GDPR plays a crucial role in the protection of personal data, imposing strict standards that all organisations, including French lycées abroad, must comply with. We believe it is crucial to favour the most protective law. The Head of Communications, as the main point of contact, plays a crucial role in ensuring compliance with these standards. He or she ensures that data is handled securely and transparently, while maintaining effective communication with the parties concerned. By developing charters for the use of artificial intelligence and establishing robust processes, the school has the opportunity to consolidate its reputation and the trust of its pupils, their parents, as well as its staff, while complying with the strictest legal standards.
Made by:
Pasupathy Shanmathi, 1STMG
Vincent Elyias, 1STMG
