GDPR

The new European GDPR regulation is intended to give citizens better protection of their privacy. What does this mean in concrete terms, and what impact will it have on users and companies? A brief overview of the key issues is provided below.

What is GDPR?

GDPR stands for General Data Protection Regulation.  This European regulation replaces the Data Protection Directive 95/46/EC from 1995.

Why GDPR?

The aim is to protect citizens' privacy better and to lay down uniform rules for the entire EU. Citizens gain more control over how their personal data are used. Moreover, the GDPR establishes a clear legal structure, a single standard that applies throughout Europe, so that companies know how they have to act to guarantee privacy. Unlike the 1995 Directive, which each member state had to transpose into its own national law, a Regulation applies directly and in the same form in every member state.

Who falls under the scope of application of the GDPR?

Every organization, every company and every governmental authority that collects and processes personal data of people in the EU must apply the GDPR, irrespective of the country where the company or organization is established. The scope is defined by where the data subjects are, not by their nationality: an American company that offers goods or services to users in the EU, or monitors their behaviour, must comply with these rules as well. If you have a physical or online shop and collect the addresses of your customers to send them a mailing regularly by post or electronically, you fall under the scope of the GDPR.

The definition of personal data is important here. The regulation uses the term "personal data" (the American term PII, Personally Identifiable Information, is often used as a synonym, but the GDPR definition is broader): any information relating to an identified or identifiable natural person. This covers not only your name, address, identity card number, national register number and date of birth, but also digital data such as location, IP address, cookie identifiers and RFID tags. Health data, genetic and biometric data, racial and ethnic origin, sexual orientation, and political opinions are "special categories" of personal data, which enjoy additional protection and may be processed only under stricter conditions.

What does the GDPR determine?

Briefly, the following principles:

  • Collecting data, online and off line:
    • The user must give his consent by a clear affirmative action. For example, no more pre-ticked boxes (opt-out) in order to receive a newsletter or commercial announcements; the user must tick the box himself (opt-in).
    • There are several other legal grounds besides consent: processing of personal data without the user's consent is possible when it is necessary to perform a contract with the user, to fulfil a legal obligation, to carry out a task in the public interest, to protect the vital interests of the user or of another natural person, or for the legitimate interests of the organization, provided these are not overridden by the interests and rights of the user.
    • The data controller must state expressly which data are collected and for what purpose.
    • The collected data may be used only for that purpose and kept only for as long as that purpose requires.
  • Storing data
    • You have to protect stored data with appropriate technical and organizational measures (for example access control, encryption and pseudonymization) in line with the risk to the persons concerned.
    • A personal data breach must be notified to the supervisory authority within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the persons concerned; where the risk is high, those persons must also be informed without undue delay.
    • The user has the right to access his data, to have them rectified where necessary, to have them erased, and to have them transferred (data portability). The company must be able to provide a copy of his data in a structured, commonly used and machine-readable format.
    • The user must also be able to withdraw his consent at any time, and withdrawing it must be as easy as giving it.
  • Supervising these data:
    • A Data Protection Officer must be appointed by public authorities and by organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; the officer supervises the correct application of the GDPR. (The 250-employee threshold that is often quoted does not concern the DPO: it determines which small organizations are exempt from keeping a written record of their processing activities.)
    • Supervisory authorities in the member states are entrusted with the supervision of GDPR compliance. In Belgium, this responsibility is entrusted to the Privacy Committee, which has since become the Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données).
  • Transferring the data to organizations outside the EU is permitted only if the destination country has been recognized by the European Commission as offering an adequate level of protection, or if appropriate safeguards are in place (such as standard contractual clauses or binding corporate rules), or in a limited number of specific situations, such as the explicit consent of the user.

Processing of personal data

Does the GDPR entail that from now on we have to request/obtain the consent of each person every time we wish to process data concerning that person?

In short, no: consent is only one of the legal grounds for processing. Where the processing is necessary to perform a contract, to fulfil a legal obligation, to carry out a task in the public interest, to protect vital interests, or for a legitimate interest that is not overridden by the rights of the person concerned, no consent is required. The answer is covered in more detail in a separate article.

Controller versus processor

In this article, we will take a more detailed look at two key concepts of the GDPR where there still seems to be a great deal of confusion: the processor and the controller.

DNS

Domain Name System. The global DNS is the distributed system and protocol used on the internet to translate domain names into IP addresses (and, through reverse lookups, IP addresses back into names). A DNS server, or name server, is one of the machines that answers such queries; the abbreviation DNS itself refers to the system as a whole.