GDPR

The GDPR, which stands for General Data Protection Regulation, has been widely known as the privacy law since May 2018. This regulation has standardized the rules regarding the processing of personal data. As an entrepreneur, you are required to make extra efforts to ensure the privacy of your contacts. For instance, you are obliged to always ask for the consent of the individual when collecting or using personal data. BAAKN is happy to answer all your questions.

GDPR in practice: legal guidance for your company

1. What is the GDPR, and is my business subject to it?

The GDPR (General Data Protection Regulation) is a European regulation that has been in effect since May 25, 2018. This legislation sets out how organizations, including businesses and public authorities, must collect, process, store, and secure personal data. The aim is to give individuals more control over their personal data and to harmonize its processing across the European Union.

What is personal data?

Personal data refers to any information that can directly or indirectly identify a person, such as names, addresses, email addresses, IP addresses, and cookies.

Is my business subject to the GDPR?

Yes, if your business processes personal data, it is subject to the GDPR, regardless of its size, sector, or location. This applies as long as you handle data from EU citizens.

What does this mean for my business?

  • Document which personal data you collect, why you collect it, how long you retain it, and with whom you share it.
  • Implement appropriate technical and organizational measures to protect data against loss, theft, or misuse.

What are the risks of non-compliance?

Failure to comply with the GDPR can result in significant fines, up to 20 million euros or 4% of the global annual turnover, whichever is higher. Additionally, non-compliance poses reputational risks.

Ensure your business processes align with the GDPR to avoid these risks and build trust with your customers.

2. What steps should I take to make my business GDPR-compliant?

Complying with the GDPR is essential to process personal data safely and legally. Here are the key steps to ensure your business is GDPR-compliant:

1. Identify the data you process

  • Document which personal data you collect, process, store, and share.
  • Record this information in a data processing register, including the purposes of the processing and the legal basis (e.g., consent, contractual obligations, legitimate interests).

2. Create a privacy policy

  • Clearly explain what data you process, why you process it, how long you retain it, and what rights individuals have.
  • Publish a comprehensive version on your website and provide a concise version for other communications.

3. Develop a detailed data processing register

In the register, document:

  • What data you collect (e.g., customer or supplier data).
  • The purposes of the processing.
  • The legal basis for processing (e.g., consent, contractual obligations).
  • How long you retain the data.
  • With whom the data is shared.
  • The technical and organizational measures taken to secure the data.

4. Implement appropriate security measures

Protect personal data against loss, unauthorized access, or theft by implementing:

  • Technical measures: Encryption, strong passwords, regular software updates.
  • Organizational measures: Restrict access to data to authorized employees, provide training, and establish internal policies.

By following these steps, you reduce the risk of data breaches and fines while ensuring compliance with GDPR requirements.

3. Do I need consent from my customers or employees to process their data?

No, you do not always need consent. Consent is just one of the legal bases for processing personal data. Whether consent is required depends on the purpose of the processing.

When is consent required?

You need consent in situations such as:

  • Sending marketing materials.
  • Using non-essential cookies.
  • Processing sensitive data without another legal basis.

When is consent not required?

For some purposes, you may process data without explicit consent, provided you rely on another legal basis, such as:

  • Performance of a contract: For example, processing customer data to deliver an order.
  • Legal obligation: For instance, processing payroll information for tax purposes.
  • Legitimate interests: Such as securing your systems or preventing fraud.

What should you do?

  • Identify the correct legal basis for each type of data processing.
  • Document this in your data processing register.

Properly establishing the legal basis helps you minimize risks and ensures that your processing aligns with GDPR requirements.

4. What rights do my customers have regarding their personal data?

Under the GDPR, customers, also known as "data subjects," have several rights that give them control over their personal data. These rights include:

1. Right of access

Customers can request:

  • Which personal data you hold about them.
  • Why you hold that data.
  • How and for what purpose you process it.

You are required to provide a copy of this data upon request.

2. Right to rectification

If personal data is incorrect or incomplete, customers have the right to request corrections or updates. These changes must be implemented promptly.

3. Right to erasure (“right to be forgotten”)

Customers can request the deletion of their personal data, for example:

  • If the data is no longer needed for the original purpose.
  • If the processing is unlawful or if they withdraw their consent (if consent was the legal basis).

4. Right to restrict processing

Customers can request a temporary restriction on the processing of their data, for example:

  • During a dispute over the accuracy of the data.
  • If the processing is unlawful, but they do not want the data deleted.

5. Right to data portability

Customers can request their data in a structured, commonly used format, enabling them to transfer it to another organization easily.

6. Right to object

Customers can object to specific types of data processing, such as:

  • Direct marketing.
  • Profiling for commercial or other purposes.

Your obligations as an organization

  • Respond promptly: You must respond to requests within one month.
  • Clear communication: Inform customers about how they can exercise their rights.
  • Set boundaries: Requests that are clearly unfounded or excessive may be refused or subject to a reasonable fee, as outlined in Article 12(5) of the GDPR.

Ensure your processes, documentation, and staff are prepared to meet these obligations. Proper compliance minimizes legal and reputational risks.

5. What should I do in the event of a data breach?

A data breach is a security incident that results in unauthorized access to or loss of personal data. In the event of a breach, the following steps must be taken:

1. Notify the Data Protection Authority (DPA)

  • You must report the breach to the DPA within 72 hours of discovery if there is a risk to the rights and freedoms of the individuals involved.
  • The notification must include details about:
    • The nature of the breach.
    • Its potential impact.
    • The measures taken to address it.

2. Inform affected individuals (if necessary)

  • If the breach is likely to result in serious consequences for the individuals, such as identity theft or financial harm, you must notify them directly.
  • Provide clear information about:
    • What happened.
    • What steps they can take to protect themselves.

3. Document the incident in your internal data breach register

You are required to record all breaches, even those that do not need to be reported to the DPA or affected individuals. This register serves as proof of compliance and helps improve your data security practices.

What should be included in the data breach register?

Your register must include the following information:

  1. Date of the breach: When was the incident discovered?
  2. Description of the breach: What happened, and which data was affected?
  3. Impact analysis: What are the possible consequences for the individuals involved?
  4. Notifications: Was the breach reported to the DPA and/or individuals? If so, when and how?
  5. Corrective measures: What actions were taken to mitigate the effects and prevent recurrence?
  6. Involved parties: Which departments, external entities, or the Data Protection Officer (DPO) were involved?

When should a breach be reported?

  • To the DPA: Reporting is mandatory if there is a risk to the rights and freedoms of individuals.
  • To individuals: Notification is required if the breach could result in serious consequences, such as financial or reputational harm.
  • No notification needed: If there is no risk, you do not need to notify the DPA or individuals, but the breach must still be documented in the register.

By following these steps, you ensure compliance with GDPR requirements and protect the rights of affected individuals.

6. Can I send mailings to customers and prospects?

Sending mailings to customers and prospects is allowed under the GDPR, but strict rules apply. Below is an overview of what is and isn’t permitted.

Mailings to prospects (potential customers)

  • Explicit consent (opt-in) is required to send commercial mailings to prospects.
  • This consent must be freely given, specific, informed, and unambiguous.
  • Prospects must be able to easily unsubscribe (opt-out) from further communication.

Mailings to existing customers

You may email existing customers without explicit consent, provided that:

  • The content relates to offers or information about products or services that are similar to previous purchases.
  • You always include a clear and simple opt-out option in every mailing.

Mailings to purchased email addresses

  • You may only use purchased email addresses if the supplier has obtained valid consent (opt-in) from the individuals.
  • Verify that this consent meets GDPR requirements, and clearly communicate this to the recipients of your mailings.

Key considerations

  • Maintain a mailing list that records which recipients have given consent, including when and how.
  • Ensure every email contains an opt-out link that allows recipients to easily unsubscribe.
  • Avoid sending mailings to individuals who have not provided consent or whose consent is unclear to prevent fines or reputational damage.

By following these guidelines, you ensure compliance with the GDPR and avoid unnecessary complaints or legal risks.

7. What are the rules for cookies on my website?

The GDPR and ePrivacy legislation impose strict requirements on the use of cookies on your website. Below are the key rules:

Consent for cookies

  • Consent is required for non-essential cookies, such as:
    • Analytical cookies (unless anonymized).
    • Tracking cookies.
    • Marketing cookies.
  • Consent is not required for strictly necessary cookies, such as:
    • Cookies essential for the website’s functionality (e.g., shopping cart or login cookies).

What do you need to implement?

  1. Cookie banner: Provide a clear cookie banner that allows visitors to choose to accept, reject, or adjust preferences for cookies.
  2. Accessible information: Offer a clear and comprehensive cookie policy on your website, explaining:
    • Which cookies are used.
    • For what purposes.
    • How long cookies are retained.
    • How visitors can withdraw their consent.
  3. Differentiated consent: Allow visitors to accept or reject individual cookie categories, such as:
    • Functional cookies: Necessary for website functionality.
    • Analytical cookies: For website statistics.
    • Marketing cookies: For personalized advertisements.

Key considerations

  • Log consent: Record when and how visitors provided their consent.
  • Block non-essential cookies before consent: Do not place non-essential cookies until visitors have provided consent.
  • Transparency: Use clear language in your cookie policy and settings.

By adhering to these rules, your website complies with legal requirements and respects the privacy of your visitors.
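The three operational rules above (block non-essential cookies until consent, let visitors choose per category, and log when and how consent was given) are easy to state and easy to get wrong in code. The following consent gate is an added example written for this page; it is not code from the BAAKN page or any cookie-banner product. It assumes three categories (functional, analytics, marketing) and uses an in-memory cookie jar in place of `document.cookie` so it runs outside a browser; withdrawing consent also removes cookies that were placed under the earlier consent.

```javascript
// Added example, not from the original page: a consent gate for non-essential
// cookies. Category names and the cookie-store interface are assumptions.
const CATEGORIES = {
  functional: { essential: true },   // e.g. shopping cart, login session
  analytics:  { essential: false },  // website statistics
  marketing:  { essential: false },  // personalised advertising
};

// Minimal in-memory stand-in for the browser cookie jar (constructed for the example).
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value, category) { this.jar.set(name, { value, category }); }
  get(name) { const c = this.jar.get(name); return c ? c.value : undefined; }
  delete(name) { this.jar.delete(name); }
  entries() { return [...this.jar].map(([name, c]) => [name, c.category]); }
}

class ConsentGate {
  constructor(cookieStore, clock = () => new Date()) {
    this.cookieStore = cookieStore;
    this.clock = clock;     // injectable so the audit log is reproducible
    this.consent = null;    // null until the visitor has made a choice
    this.log = [];          // audit trail: when, how, and what was granted
  }

  // Record a per-category choice together with when and how it was made.
  // Essential categories are always permitted; everything else defaults to "no".
  recordChoice(choices, method) {
    const granted = {};
    for (const [name, meta] of Object.entries(CATEGORIES)) {
      granted[name] = meta.essential ? true : Boolean(choices[name]);
    }
    this.consent = granted;
    this.log.push({ at: this.clock().toISOString(), method, granted: { ...granted } });
    // Honour withdrawal: drop cookies whose category is no longer permitted.
    for (const [name, category] of this.cookieStore.entries()) {
      if (!granted[category]) this.cookieStore.delete(name);
    }
    return granted;
  }

  withdraw() { return this.recordChoice({}, 'withdraw'); }

  // The gate itself: a cookie is placed only if its category is essential
  // or the visitor has explicitly consented to that category.
  setCookie(name, value, category) {
    if (!(category in CATEGORIES)) throw new Error(`unknown cookie category: ${category}`);
    const allowed = CATEGORIES[category].essential ||
      (this.consent !== null && this.consent[category] === true);
    if (!allowed) return false;
    this.cookieStore.set(name, value, category);
    return true;
  }
}

// Walk through a visit: before consent, after a differentiated choice, after withdrawal.
function demo() {
  const store = new MemoryCookieStore();
  const gate = new ConsentGate(store, () => new Date('2024-01-15T10:00:00Z'));
  const before = {
    cart: gate.setCookie('cart_id', 'abc', 'functional'),        // allowed: essential
    analytics: gate.setCookie('analytics_id', 'x1', 'analytics'), // blocked: no consent yet
  };
  gate.recordChoice({ analytics: true, marketing: false }, 'banner:customise');
  const after = {
    analytics: gate.setCookie('analytics_id', 'x1', 'analytics'), // now allowed
    marketing: gate.setCookie('ad_id', 'y2', 'marketing'),        // still blocked
  };
  gate.withdraw();
  return {
    before,
    after,
    analyticsAfterWithdraw: store.get('analytics_id'), // removed on withdrawal
    cartAfterWithdraw: store.get('cart_id'),           // essential cookie survives
    log: gate.log,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design choice worth noting is that `setCookie` is the only path that writes to the jar, so a script that loads before the banner is answered cannot place a tracking cookie by accident, and the audit log records the method (banner, preference page, withdrawal) alongside the timestamp, which is what you need when asked to show how consent was obtained.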

 

8. Are there rules for using surveillance cameras in my business?

Yes, the use of surveillance cameras in your business is subject to both the Camera Act and the GDPR. You must comply with specific legal requirements to protect the privacy of customers, employees, and other individuals.

What are the obligations when using surveillance cameras?

  1. Register with the police: Register your surveillance cameras via www.aangiftecamera.be.
  2. Display a pictogram: Use a clear pictogram to indicate that the area is under surveillance.
  3. Maintain a record of processing activities: Keep a record of video processing activities, documenting:
    • The purpose of the surveillance (e.g., security or theft prevention).
    • The stored footage and retention period.
    • Who has access to the footage.
    • The technical and organizational security measures in place.
  4. Limit recording to what is necessary: Footage may only be used for the specific purpose for which the cameras were installed (e.g., security).

Key considerations

  • Retention period: Footage must not be kept longer than strictly necessary, usually no more than one month, unless required for an investigation.
  • Access to footage: Footage should only be accessible to authorized personnel.
  • Rights of individuals: Individuals have the right to be informed about the recording and may request access to or deletion of their footage.

By following these rules, you ensure compliance with the Camera Act and GDPR while protecting the privacy of individuals involved.

9. Do I need to appoint a Data Protection Officer (DPO)?

Under the GDPR, appointing a Data Protection Officer (DPO) is mandatory for certain organizations. A DPO plays a key role in ensuring compliance with data protection regulations.

When is a DPO mandatory?

You must appoint a DPO if your organization:

  • Processes large amounts of sensitive data: This includes special categories of personal data, such as health, ethnicity, political opinions, religion, or criminal records.
  • Systematically monitors individuals: For example, through large-scale monitoring, such as video surveillance, behavioural profiling, or user tracking.
  • Is a public authority or body: Except for courts acting in their judicial capacity.

When is a DPO not mandatory?

For most small businesses, such as retail shops or local service providers, appointing a DPO is usually not required. However, your organization may still need a DPO if you:

  • Carry out complex data processing.
  • Operate in sectors handling sensitive data, such as healthcare, financial services, or education.

Why appoint a DPO even if not mandatory?

Although not always required, appointing a DPO or an internal data protection officer can provide significant benefits:

  • Improved GDPR compliance: A DPO offers advice on regulations and best practices.
  • Risk management: A DPO helps prevent data breaches and responds effectively to incidents.
  • Point of contact: The DPO serves as a liaison for the Data Protection Authority (DPA) and individuals.

Who can be a DPO?

  • Internal DPO: An employee who works independently and is qualified for the role.
  • External DPO: A specialist hired externally, ideal for smaller organizations lacking internal resources.

Key considerations

  • A DPO must work independently and avoid conflicts of interest.
  • Ensure the DPO is well-qualified and stays updated on regulations and best practices.
  • The decision to appoint a DPO depends on the nature, scale, and context of your data processing activities.

If in doubt, seek legal or professional advice to determine whether a DPO is required in your specific situation.

10. What are the penalties for non-compliance with the GDPR?

Non-compliance with the GDPR can have far-reaching consequences, both financially and reputationally. The penalties are designed to promote compliance and can vary significantly depending on the severity of the violation.

1. Fines

  • Serious violations: For major breaches, such as processing personal data without a legal basis or ignoring the rights of individuals, fines can reach up to €20 million or 4% of the global annual turnover, whichever is higher.
  • Less serious violations: For administrative failures, such as not maintaining a data processing register or failing to report a data breach on time, fines can reach up to €10 million or 2% of the global annual turnover.

2. Other consequences

  • Reputational damage: Public reports of breaches can severely damage the trust of customers and business partners.
  • Legal actions: Individuals affected by non-compliance may file claims for damages incurred.
  • Corrective measures: Supervisory authorities can require you to stop certain activities or adjust your processes.

3. How can you avoid penalties?

To prevent fines and other negative outcomes, your organization should:

  • Comply with GDPR requirements: This includes maintaining a processing register, respecting the rights of individuals, and securing personal data.
  • Regularly review and update internal processes and systems to align with the legislation.
  • Raise awareness among staff about privacy rules and ensure their compliance.

Why is GDPR compliance important?

Compliance is not just a legal obligation but also an investment in the trust of your customers and business partners. Demonstrating adherence to data protection rules enhances your credibility and reduces the risk of financial and reputational harm.

Baakn
Your interests are our point of orientation.