GDPR in a nutshell

GDPR (EU 2016/679) : General Data Protection Regulation.

Purpose and scope of GDPR

Strengthening the current personal data protection regulation (EU 95/46), GDPR lays down rules relating to the protection of natural persons with regard to the processing and free movement of personal data. It applies to all entities in EU member states processing personal data by automated means, and to processing which forms part of a filing system. Application of GDPR will be supervised in Belgium by the privacy commission.

Personal Data Processing Principles

  • Personal data shall be collected for specified and legitimate purposes only.
  • Personal data shall be processed transparently, lawfully (consent required, or processing necessary for compliance/contract performance) and in a way that ensures security, accuracy, etc.
  • The data subject has several rights related to his personal data: right to receive information from the controller, right to be forgotten, right to data portability, etc.

Controllers/processors obligations*

Controllers/processors :

  • Shall implement technical and organizational measures to ensure that:
    • Processing is performed in accordance with the regulation and that only personal data necessary for each specific processing purpose are processed
    • An appropriate level of security (encryption, confidentiality, integrity, availability and resilience of processing systems) is applied
  • Shall maintain a record of processing activities describing the processing
  • Shall notify personal data breaches without undue delay to the supervisory authority

(* Data protection by design and by default)

Data protection assessment and Data Protection Officer (DPO)

The supervisory authority defines situations in which:

  • The controller has to carry out an impact assessment of the intended processing and consult the supervisory authority prior to processing
  • A DPO should be appointed to monitor compliance, advise on impact assessments, raise awareness, train staff and cooperate with the supervisory authority

Miscellaneous

  • Member States, supervisory authorities and the Commission shall encourage the establishment of data protection certifications and codes of conduct
  • Significant increase of fines and penalties for non-compliance (up to 20 M€ or 4% of worldwide turnover)
  • Creation of the European Data Protection Board to ensure consistent application of GDPR in member states.