Protection of personal data!


More and more often I hear in the media about changes to the privacy rules and how these will fundamentally affect my business. The General Data Protection Regulation (GDPR) is due to enter into force on May 25, 2018. How should I get to know the new rules and meet their requirements? What are the novelties in this field?

Will I have to register as a Personal Data Administrator? What is the principle of accountability?
If I decide to start a business after May 25, 2018 and it involves the collection and processing of personal data (name, personal ID number, address, IBAN, etc.), I must know that the obligation to register as a personal data administrator with the Commission for Personal Data Protection (CPDP) no longer applies. If I already have a business and am already registered as such, this does not relieve me of the obligation to comply with the new rules laid down in the Regulation and to make changes to the organization of my business.

Registration as a personal data administrator is replaced by the so-called principle of accountability. It is my obligation to be able to prove at any time that I have complied with the requirements of the Regulation: if the CPDP asks me to demonstrate what personal data I process, for what purposes and for how long, how I store it (on paper or electronically), whether I provide it to third parties and who they are, and what measures I have taken to ensure the security of the personal data.

Do I have the consent of the person to process his or her personal data?
If I have no legal or contractual basis (for example, an employment or civil contract, or a service contract) for storing or processing a person's personal data, I must have obtained his or her explicit consent. This can be done, for example, by a written declaration, including in electronic form (if, for example, I run an online shop, I have to ask my users for consent to process their personal data via a field in which they give it).

What is the role of the Data Protection Officer?
In accordance with the requirements of the Regulation, a Data Protection Officer should also be appointed, who may be:

my employee, or
a natural or legal person under a service contract.

The Data Protection Officer has the duty to supervise compliance with the Regulation and to advise me on personal data matters.
 
The Data Protection Officer is also the person to whom the CPDP or anyone else may turn on issues related to the storage and processing of personal data.
 
Should I always have a Data Protection Officer appointed?
If I am a public authority or body, other than a court (e.g. the Registry Agency or the National Revenue Agency);
If my business requires regular and systematic large-scale processing of personal data (e.g. call centres);
If my business also involves regular and systematic processing of special categories of personal data (data on health status, political affiliation, sexual orientation, etc.).
What is the registry of processing activities?
As a personal data administrator, I also need to maintain a record of processing activities in written or electronic form. The register should contain information on:

what personal data is processed;
for what purposes they are being processed;
where the personal data is stored;
for how long they will be stored;
who are the users and recipients of personal data;
what are the security measures taken.
The idea of the register is that, at any moment, if one of my employees asks for information about the personal data I process about them, I am able to provide it.

What is the Impact Assessment?
My other duty as a personal data administrator is to carry out an assessment of the impact of the activities related to the processing of personal data before the processing itself begins. When doing so, I must also request the opinion of the Data Protection Officer.

If the impact assessment shows that the processing will give rise to a high risk (i.e. unlawful processing could lead to significant damage, such as identity theft of the person whose personal data are processed), then I must consult the CPDP before processing the personal data.

I must put in place appropriate technical and organizational measures to ensure data security, such as encryption, pseudonymization, etc.
 
When is it mandatory to do an Impact Assessment?
when assessing the personal aspects of a person based