General Data Protection Regulation (GDPR)
The general regulations on the protection of personal data entered into force on May 25, 2018.
You will find on this page a certain number of links, documents and information, which we consider useful in the context of these new regulations.
- The Belgian Data Protection Authority has published a document presenting 13 steps to prepare .
- A register of processing activities must be established (with a few exceptions)
- A model document for the processing register is available on the website of the Belgian data protection authority. The CNIL in France has published a simplified model for the processing register in particular for SMEs.
- - The new regulations do not only apply to computerized data but also to data in paper format. In addition, it does not only concern the IT department but all the departments of the company.
What is personal data?
- Any information relating to an identified or identifiable natural person.
What is an identifiable natural person?
- A natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more specific elements specific to his physical, physiological, genetic, psychic, economic, cultural or social identity "
- Examples of data allowing the identification of a person: surname, first name, address, date of birth, civil status, family members, national register number, passport number, photos, e-mail addresses, mobile number, bank details, license plate, IP addresses, location data, fingerprints, ...
Examples of personal data (not exhaustive):
- Identification data, Financial details, Personal characteristics, Physical data, Lifestyles, Psychic data, Household composition, Hobbies and interests, Affiliations, Judicial data, Consumption habits, Housing characteristics, Health data, Studies and training , Profession and employment, Ethnic data, Data relating to sexual behavior, Political opinions, Affiliation to a professional association, Philosophical or religious beliefs, Image recordings, Sound recordings, ...
- Data that could be considered anonymous may constitute personal data if it makes it possible to identify indirectly or by cross-checking information with a specific person. It can indeed be information that is not associated with a person's name but which easily makes it possible to identify him and to know his habits or tastes.
How to comply?
- Minimize the personal data collected
- Ensure the legal basis of the processing carried out or the legitimate interest of the processing
- Avoid processing sensitive data, unless necessary
- Display the legal notices relating to treatments
- Respect the right to data portability, the right to rectification and the right to be forgotten
- Set up a register of processing operations carried out on personal data
- Ensure the security of personal data and limited access to data controllers within the framework of the intended use
- Maintain a record of personal data breaches
- Appoint a data protection officer (DPO) - essential if company size> 250 people
- Carry out an impact study on privacy, in the event of a high risk to the rights and freedoms of individuals
In practice, where to start?
- Inform company staff about the requirements of the new regulations
- Make an inventory of all the data managed by the company and identify personal data.
- Clean personal data of all that is not necessary for the business of the company and which is not linked to a legal requirement, or which can no longer be kept under the new regulations.
- Ensure the consent of individuals for the stored personal data and for the clearly identified use that will be made of it by the company.
- Document the IT of your company (infrastructure, management tools, security procedures, list of internal and external stakeholders, ...)
The complete regulations (source: official journal of the European Union) can be downloaded directly by clicking here (PDF, 88 pages).
The Belgian Data Protection Authority has published a document about direct marketing. Download it directly by clicking here (PDF, 78 pages)
Sources: European regulation, data protection authority in Belgium, CNIL in France
Last update on March, 28 2020.