General Data Protection Regulation (GDPR)

  • GDPR: what you need to know!

The General Data Protection Regulation entered into force on May 25, 2018.

On this page you will find a number of links, documents and information that we consider useful in the context of these new regulations.

What is personal data?

  • Any information relating to an identified or identifiable natural person.

What is an identifiable natural person?

  • A natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more elements specific to his physical, physiological, genetic, mental, economic, cultural or social identity.
  • Examples of data allowing the identification of a person: surname, first name, address, date of birth, civil status, family members, national register number, passport number, photos, e-mail addresses, mobile number, bank details, license plate, IP addresses, location data, fingerprints, ...

Examples of personal data (not exhaustive):

  • Identification data, Financial details, Personal characteristics, Physical data, Lifestyles, Psychic data, Household composition, Hobbies and interests, Affiliations, Judicial data, Consumption habits, Housing characteristics, Health data, Studies and training, Profession and employment, Ethnic data, Data relating to sexual behavior, Political opinions, Affiliation to a professional association, Philosophical or religious beliefs, Image recordings, Sound recordings, ...
  • Data that could be considered anonymous may constitute personal data if it makes it possible to identify a specific person indirectly or by cross-checking information. It may be information that is not associated with a person's name but that easily makes it possible to identify that person and to learn their habits or tastes.

How to comply?

  • Minimize the personal data collected
  • Ensure the legal basis of the processing carried out or the legitimate interest of the processing
  • Avoid processing sensitive data, unless necessary
  • Display the legal notices relating to the processing carried out
  • Respect the right to data portability, the right to rectification and the right to be forgotten
  • Set up a register of processing operations carried out on personal data
  • Ensure the security of personal data and limit data controllers' access to it to what the intended use requires
  • Maintain a record of personal data breaches
  • Appoint a data protection officer (DPO) - essential if company size > 250 people
  • Carry out an impact study on privacy, in the event of a high risk to the rights and freedoms of individuals

In practice, where to start?

  • Inform company staff about the requirements of the new regulations
  • Make an inventory of all the data managed by the company and identify personal data.
  • Purge personal data that is not necessary for the business of the company and not linked to a legal requirement, or that can no longer be kept under the new regulations.
  • Ensure that individuals have consented to the storage of their personal data and to the clearly identified use that the company will make of it.
  • Document the IT of your company (infrastructure, management tools, security procedures, list of internal and external stakeholders, ...)

The complete regulations (source: official journal of the European Union) can be downloaded directly by clicking here (PDF, 88 pages).

The Belgian Data Protection Authority has published a document about direct marketing. Download it directly by clicking here (PDF, 78 pages).

Sources: European regulation, data protection authority in Belgium, CNIL in France

Last update on March 28, 2020.