Familiarize yourself with the new privacy legislation.
Collection of personal data is restricted.
With the emergence of Facebook, Instagram, and other online platforms that collect a wealth of personal data, along with the widespread use of cold mailing by telesales companies, there has been a lot of talk about protecting personal data.
The European Commission wants to curb the existing abuses with the implementation of the General Data Protection Regulation (GDPR, abbreviated AVG in Dutch), which came into effect on 25 May 2018. This legislation aims to better protect citizens and creates a number of obligations for government agencies and companies.
Little distinction is made here according to the size or type of entity. As soon as you keep a file with personal data (right holders, customers, staff, suppliers, etc.), you are affected by these regulations. The impact of the GDPR is not always realized.
Regulations
The General Data Protection Regulation (GDPR) is, in full, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
This European Regulation entered into force on 24 May 2016. The regulation provided for a transition period of two years, so that the new rules came into effect on 25 May 2018. But in 2020, these rules are, more often than not, NOT followed, especially by website builders and owners.
In contrast to the previous European legislation, this is a regulation: this means that the new rules are directly applicable in all Member States. Unlike a directive, the GDPR therefore does not need to be transposed into Belgian law.
The GDPR brings a number of changes to certain federal and Flemish regulations:
- The Privacy Commission will be replaced by the Data Protection Authority (Act of 3 December 2017 establishing the Data Protection Authority).
- On 2 March 2018, the Flemish Government approved a final draft decree that adapts other decrees to the GDPR (including the amendment of the Flemish Housing Code and the Land and Property Policy Decree); the parliamentary debate is still ongoing.
- There will also be a decision from the Flemish Government that will adapt other decisions to the GDPR.
Two components:
- Protection of privacy
- Protection of personal data
Concepts:
- Data subject:
  - An identified natural person
  - A natural person who can be identified directly or indirectly (by name, location data, identification number, …)
  - e.g. (prospective) tenant, (prospective) lessor, (prospective) buyer, (prospective) seller, borrower, customer of housing counter, premium applicant, owner, etc.
- Personal data: any information about a data subject
- Processing: any processing of personal data, both on paper and electronically (this includes collecting, storing, recording, organizing, structuring, updating, retrieving, consulting, using, disseminating, deleting, destroying and even storing data)
  - e.g. the input of data in software packages, the storage or adaptation in documents or worksheets, emails, use of e.g. Dropbox or WeTransfer for data transfer.
- Controller: a natural person, legal person, public authority, service or other body that determines the purpose AND means of processing personal data (determines how and why data is processed)
  - e.g. a population service of a municipality, an intermunicipal partnership with or without legal personality, an employer.
- Processor: a natural person, legal person, government agency, service or other body that processes personal data on behalf of the controller
  - This concerns all kinds of services where one calls on another party (“outsourcing”) for the processing of personal data, such as a software supplier, system administrators or a web service supplier.
On what basis can you lawfully process personal data?
- Legal obligation
- Public interest or exercise of public authority
- Protection of vital interests
- Consent (note: it must be free, specific, informed, unambiguous and explicit, and can be withdrawn at any time)
- Contractual relationship (necessity for the execution of the agreement)
PLEASE NOTE: Government agencies can NOT invoke “legitimate interest” in the performance of their duties.
Basics
The GDPR provides that both processors and controllers must comply with a number of principles when processing personal data.
Data processing must:
- be lawful, fair and transparent
- have a clearly defined goal (principle of finality)
- be limited to what is strictly necessary (minimum data processing)
- contain correct and up-to-date data (accuracy)
- limit the storage of data to as long as necessary/mandatory (storage limitation)
- protect data against unauthorized or unlawful processing or destruction, loss or damage (integrity and confidentiality)
In addition, the GDPR provides for an accountability obligation. The accountability obligation means that, unlike in current privacy legislation, the processor must be able to demonstrate on what basis the processing took place. The burden of proof is reversed in the GDPR. So it is important to document agreements, permissions and the like.
Rights of data subject:
- Right to information and access to personal data: purpose of processing, retention period, third party recipients, rights of data subject;
- Right of access: free of charge and within one month (create standard report);
- Right to correction of incorrect data;
- Right to erasure (better known as the “right to be forgotten”);
- Right to restrict processing;
- Right to object;
- Right to data portability.
Is your website in order? If it is not, this can result in very high fines. The Data Protection Authority (GBA) can also have your website taken offline by DNS Belgium in case of violations of the GDPR.
If in doubt, you can request a GDPR scan. We will screen your website and/or other web solutions.