Personal data
One of the central concepts of the GDPR is the concept of ‘personal data’. This notion determines whether the GDPR applies to the processing of data or not. Only when personal data are involved must the processing comply with the GDPR. It is therefore important to apply this concept correctly.
The GDPR defines personal data as “any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
This definition was deliberately drafted as broadly as possible. As a result, many processing operations fall under the scope of the GDPR, since data can quickly be found to qualify as personal data. Any form of information that can lead to a natural person is personal data. It is therefore inevitable that your organisation will process personal data, and you must therefore comply with the GDPR.
There are two different categories of personal data, namely “ordinary” personal data and “sensitive” personal data. Sensitive personal data is personal data that reveals racial or ethnic origin, political opinions, or religious or philosophical beliefs. The processing of genetic and biometric data, and of data from which a person’s sexual behaviour can be inferred, also falls under this category. The processing of these data is in principle prohibited. The GDPR only provides a few strict permissibility conditions, such as the explicit consent of the data subject, processing necessary in the framework of employment and social security law, protection of the vital interests of the data subject…
If you have doubts whether the processing that your organisation wants to carry out is a processing of personal data, you should check whether you can trace the data back to a natural person. If it can be traced, the act is a processing of personal data and you must follow the rules of the GDPR.
Grounds for processing
According to the GDPR, a processing is only lawful if it is based on a legal processing ground. The GDPR provides six grounds:
1. the data subject has consented to the processing of their personal data for one or more specific purposes;
2. processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract;
3. the processing is necessary for compliance with a legal obligation to which the controller is subject; or
4. processing is necessary in order to protect the vital interests of the data subject or of another natural person;
5. processing is necessary for the fulfilment of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6. processing is necessary for the purposes of safeguarding the legitimate interests of the controller or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Where the processing of personal data cannot be based on any of the aforementioned grounds, the processing shall be unlawful. In that case, the personal data may not be processed.
By basing your processing solely on consent, you, as the organisation carrying out the processing, are at the mercy of the whims of the data subject. We therefore advise you to base your processing on one of the other processing grounds (possibly in addition to consent). In most cases, a legitimate interest or the performance of an agreement will be the best argument. It is best to base the processing on the consent of the person concerned only when no other processing grounds are available.
Consent
The concept of consent has a broad interpretation, since the GDPR is based on the principle that the data subject must be informed in such a transparent and simple manner that he or she voluntarily chooses to have his or her personal data processed. To this end, consent must not only be (i) free, (ii) specific and (iii) informed, but also (iv) unambiguous and (v) given by means of a statement or an unambiguous active act.
For consent to be legally valid, the data subject must have a genuine choice and there must be no deception, intimidation or coercion, nor must the data subject be exposed to the risk of significant negative consequences if he or she does not consent.
If the consequences of consent restrict the individual’s freedom of choice, there can be no question of ‘free’ consent. Next, the consent must be specific. A general consent without a clear indication of the exact purpose of the processing is not acceptable according to the spirit of the GDPR. Giving consent for a specific purpose covers all processing activities related to that specific purpose, so that a separate consent is not required for each processing activity. At the same time, where consent is sought for several purposes, the controller must provide the opportunity to consent separately for each of those purposes.
Before the data subject’s consent is sought, he or she should be informed about the processing. This also means that the data subject must be informed of the fact that he or she can always withdraw or refuse consent without adverse consequences. In order for consent to be given in full knowledge, the data subject should at least be familiar with the identity of the controller and the purposes of the processing of personal data. In other words, there is a clear link between the transparency obligations as a basic principle and consent.
The fourth element concerns the unambiguous nature of consent. The expression of the data subject’s consent to the processing of their personal data must be unambiguous. If there is reasonable doubt about this, there is ambiguity.
Finally, the GDPR requires that consent must be given by way of a statement or active act. Consent can never be inferred from the inaction or silence of the data subject. This does not mean that consent must be given in writing. A verbal statement, or an act from which consent can be inferred without doubt, also suffices in principle. However, since the burden of proof rests with the party responsible for the processing, it is strongly recommended that consent is given in writing.
In summary, consent can be considered the clearest and simplest ground for processing. On the other hand it is also the weakest ground for processing, as consent can always be withdrawn by the person concerned.
Controller & processor
The identity of the data controller is essential, because it determines which entity will be held responsible for complying with the obligations under data protection law and ensuring that data subjects can exercise their rights. Controller means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
It may be that your organisation acts as a joint controller. This is the case if, together with one or more organisations, it provides joint answers to the questions of why and how personal data should be processed. They should enter into an arrangement that defines their respective responsibilities for compliance with the GDPR.
The GDPR refers to a processor as a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller. Usually, a processor will be a third party outside the company, but there are also situations where the roles of controller and processor are held within the same organisation. The specific duties of the processor towards the controller will be set out in a processor agreement.
If your organisation processes personal data, a register of these processing activities must be created. However, the GDPR includes an exemption for organisations with fewer than 250 employees. In principle, they do not have to create a register unless:
1. the processing they carry out is likely to present a risk to the rights and freedoms of data subjects;
2. the processing is not incidental;
3. the processing involves special categories of data or personal data relating to criminal convictions and offences.
This register contains mandatory data imposed by the GDPR. Exactly what data should be included here depends on your organisation’s role, namely whether your organisation acts as a data controller or processor.
In the case your organisation is the data controller, the following information must be included:
1. the name and contact details of the data controller and any joint controllers and, if applicable, the data controller’s representative and data protection officer;
2. the purposes of the processing;
3. a description of the categories of data subjects and of the categories of personal data;
4. the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations;
5. if applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, if required by the GDPR, the documentation of the appropriate safeguards;
6. if possible, the envisaged time limits within which the different categories of data must be deleted;
7. if possible, a general description of the technical and organisational security measures.
In the event that your organisation acts as a processor, the following information must be included in the register:
1. the name and contact details of the processors and of each controller on whose behalf the processor acts, and, if applicable, of the controller’s or processor’s representative and of the data protection officer;
2. the categories of processing carried out on behalf of each controller;
3. if applicable, transfers of personal data to a third country or an international organisation, specifying that third country or international organisation and, if required by the GDPR, the documentation of appropriate safeguards;
4. if possible, a general description of the technical and organisational security measures.
These records should always be available for consultation in your organisation, so that the competent data protection authority can request them during an audit. It is therefore important that you draw them up and keep them. Cooperation by the data controller or processor is mandatory. The records may be kept electronically, but consider that a problem with the electronic carrier could leave you unable to access them. It may therefore be appropriate to store these documents in several ways, e.g., hard disk, cloud server, paper, etc.
If you would like help in setting up these registers, you can always contact us.
Generally, your organisation will make use of the services of other companies as part of its activities. Think of payroll administration, website management, accounting, etc. When carrying out these assignments, it is possible that these companies will process personal data on your behalf. This means that your organisation is seen as the data controller and the other company as a processor.
According to the GDPR, this relationship should be laid down in a processing agreement. The parties can choose to use an individual agreement or standard contractual clauses, which are adopted either directly by the Commission or by a supervisory authority under the consistency mechanism and then by the Commission.
This agreement is often annexed to the main agreement as an addendum, but can also form part of the main agreement. This agreement should include the following elements:
In addition, the GDPR stipulates that the agreement must provide that the processor:
1. processes the personal data only on the basis of written instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless a provision of Union or Member State law applicable to the processor obliges it to process. In that case, the processor shall notify the controller of that legal provision prior to the processing, unless that law prohibits such notification for important public interest reasons;
2. ensures that the persons authorised to process the personal data have undertaken to observe confidentiality or are bound by an appropriate legal obligation of confidentiality;
3. takes all necessary technical and organisational measures;
4. states whether or not the processor may engage another processor (sub-processor);
5. provides assistance in fulfilling the controller’s duty to respond to requests concerning the exercise of the data subject’s rights;
6. provides assistance in relation to the controller’s technical and organisational measures and DPIA;
7. erases the personal data or returns it to the controller upon termination of the agreement;
8. provides the controller with any information necessary to demonstrate compliance with the foregoing obligations and allows and contributes to audits, including inspections, by the controller or an auditor authorised by the controller.
If your organisation concludes new contracts, it is important that these matters are included in the agreement. For pre-existing agreements, it is best to opt for an addendum to the existing agreement in order to bring your organisation into compliance with the GDPR.
Data Protection Officer
The GDPR requires in a number of cases the appointment of a data protection officer, the so-called “DPO”. The DPO oversees data protection within a company that processes personal data on a large scale and plays an important role in simplifying the complicated and sometimes vague regulations. The DPO will inform and advise the data controller and its employees about the obligations imposed by the GDPR. The controller and processor will ensure that the DPO is properly and timely involved in all matters relating to the protection of personal data. Moreover, the DPO will monitor compliance with the legal provisions as well as the policies set out to implement the GDPR. With respect to the performance of these duties, the DPO is bound to secrecy or confidentiality.
The presence of a DPO is certainly not mandatory for everyone.
The GDPR only prescribes the appointment of a DPO for three categories:
Examples of systematic processing on a large scale are the processing of patient data by hospitals, the collection of travel data of citizens on buses, the processing of customer data by insurers or banks, the processing of data by telecom networks and the tracking of location data. The assessment considers the number of data subjects, the volume of data, the duration of the data processing and the geographical area of the processing.
The GDPR does not impose specific certifications for a DPO, but it does require them to have the necessary data protection expertise and competence. The DPO must be able to demonstrate that they are well informed about the protections required for the type of data being processed and must show a high degree of professionalism. For this reason, it is strongly encouraged either to give an internally appointed DPO appropriate training or to appoint an externally trained DPO.
In addition, the DPO acts as the first point of contact for the Data Protection Authority and is expected to cooperate with the authority. Data subjects may always contact the DPO on all matters concerning the processing of their data and the exercise of their rights.
Although the appointment of a DPO is not mandatory in all cases, it is appropriate for larger companies (> 50 employees) to have a data protection officer. The complexity of the legislation and its implementation in the company takes a lot of time and energy, so many companies find it reassuring to be assisted in this regard. After all, the fines for non-compliance with the GDPR are not small. Organisations that do not comply with the GDPR risk a fine of up to 4% of their worldwide turnover, with a maximum of 20 million euros.
If you wish, we can assist you in this regard. We have certified DPOs who can advise and assist your organisation with regard to the GDPR.
Data Protection Impact Assessment
A Data Protection Impact Assessment (DPIA) is required by the GDPR in some cases. The obligation applies when a high-risk data processing operation is carried out using new technologies.
The GDPR itself gives three cases in which these conditions are met:
1. it is a systematic and comprehensive assessment of personal aspects of natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects for the natural person or that substantially affect the natural person in a similar way;
2. it involves the large-scale processing of special categories of personal data or of data relating to criminal convictions and offences;
3. there is systematic and large-scale monitoring of publicly accessible areas.
These conditions will only be met in a very limited number of situations, which means that a DPIA is not mandatory for most processing operations.
However, this does not mean that it is not a good idea to perform a DPIA. Whenever your organisation is, or will be, processing personal data, it is useful to have a good overview of the processing. Your organisation should always handle the personal data it processes in a responsible way.
Some of the things you need to know to handle personal data responsibly are:
1. the place where the data are stored;
2. what happens to the data;
3. on what legal basis the data are processed;
4. the technical and organisational measures that your organisation will (have to) take in order to protect the data…
These are the elements that are examined in a DPIA.
If your organisation wants to deal with personal data in a responsible way, you will have to carry out a kind of impact assessment concerning the processing. If you meet the conditions set by the GDPR, this is called a formalised DPIA. If you do not meet the conditions, this assessment will closely resemble a DPIA, albeit less formalised.
1. who processes the personal data?
2. why are they being processed?
3. what is the ground for processing?
4. what personal data are stored?
5. how long are they kept?
6. what security measures are taken?
7. to whom can one turn in case of questions/complaints?
It is not sufficient merely to offer an answer to these questions; the answers must also be understandable for the data subjects. Therefore, avoid jargon, complicated terms and overly technical language. If such terms are unavoidable, try to explain them so that the person concerned can understand them.
The GDPR requires that the personal data an organisation processes is adequately secured. Such security is extremely important. In order to test whether your systems are (still) sufficiently secure, it is best to have regular penetration tests performed.
Penetration tests are essentially a controlled form of hacking where a professional tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to look for vulnerabilities in the company’s networks or applications.
Penetration tests can be carried out on a finished system, or at one of the stages in the development of a new system.
Having such tests carried out will make it easier for you to take the technical measures required by the GDPR to protect the processed data. You will in fact find out what the weaknesses of your infrastructure are, which will allow you to take targeted actions against these weaknesses. These tests may later prove to be very important. For instance, in case of a data leak, the Data Protection Authority (DPA) will check whether you have taken sufficient measures to prevent this leak. One of the things that may play a role in this assessment is whether or not penetration tests have been carried out. Penetration tests are therefore an inherent part of an organisation that wants to act in accordance with the GDPR.
If you would like to subject your organisation to such penetration tests, you can call on our services. We offer tests at network, server and application level. For more information on such tests and a free quote, please contact us.