General Data Protection Regulation (GDPR)
The general regulations on the protection of personal data entered into force on May 25, 2018.
This page collects a number of links, documents and pieces of information that we consider useful in the context of these new regulations.
What is personal data?
- Any information relating to an identified or identifiable natural person.
What is an identifiable natural person?
- A natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.
- Examples of data allowing the identification of a person: surname, first name, address, date of birth, civil status, family members, national register number, passport number, photos, e-mail addresses, mobile number, bank details, license plate, IP addresses, location data, fingerprints, etc.
Examples of personal data (not exhaustive):
- Identification data, financial details, personal characteristics, physical data, psychological data, lifestyle, household composition, hobbies and interests, affiliations, judicial data, consumption habits, housing characteristics, health data, studies and training, profession and employment, ethnic data, data relating to sexual behavior, political opinions, membership of a professional association, philosophical or religious beliefs, image recordings, sound recordings, etc.
- Data that might appear anonymous may still constitute personal data if it makes it possible, indirectly or by cross-referencing it with other information, to identify a specific person. It may well be information that is not associated with a person's name but which nevertheless makes it easy to identify that person and to learn their habits or tastes.
How to comply?
- Minimize the personal data collected
- Ensure the legal basis of the processing carried out or the legitimate interest of the processing
- Avoid processing sensitive data, unless necessary
- Display the legal notices relating to the processing operations
- Respect the right to data portability, the right to rectification and the right to be forgotten
- Set up a register of processing operations carried out on personal data
- Ensure the security of personal data and restrict access to the data controllers who need it within the scope of the intended use
- Maintain a record of personal data breaches
- Appoint a data protection officer (DPO); this is essential if the company has more than 250 people
- Carry out a privacy impact assessment where the processing presents a high risk to the rights and freedoms of individuals
In practice, where to start?
- Inform company staff about the requirements of the new regulations
- Make an inventory of all the data managed by the company and identify personal data.
- Clean personal data of all that is not necessary for the business of the company and which is not linked to a legal requirement, or which can no longer be kept under the new regulations.
- Ensure the consent of individuals for the stored personal data and for the clearly identified use that will be made of it by the company.
- Document your company's IT (infrastructure, management tools, security procedures, list of internal and external stakeholders, etc.)
The complete regulation (source: Official Journal of the European Union) is available for direct download (PDF, 88 pages).
The Belgian Data Protection Authority has published a document about direct marketing, also available for direct download (PDF, 78 pages).
Sources: the European regulation, the Belgian Data Protection Authority, and the CNIL in France.
Last updated on March 28, 2020.