GDPR: Time for action…
The General Data Protection Regulation, hereinafter the ‘GDPR’, will apply from 25 May 2018.
Since data protection practices are still not up to date in many companies, and the GDPR imposes an active obligation to protect personal data rather than a passive one, many organisations face a difficult exercise.
In concrete terms, the GDPR deals with the processing of personal data. ‘Processing’ covers any operation performed on such data, whether or not by automated means (including collecting, recording, organising, structuring, storing, retrieving, consulting, using, …), and ‘personal data’ is any information relating to an identified or identifiable natural person.
A natural person shall be regarded as identifiable if that person can be identified directly or indirectly, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of the person concerned.
When processing such data, a number of basic principles must be observed.
In particular, the processing must be lawful, fair and transparent; the processed data must be accurate; an appropriate level of security must be ensured during processing; the data must be limited to what is necessary and collected only for a specified purpose; and the retention period of the data must be limited.
‘Lawful’ processing takes place either with the consent of the natural person or because the processing is necessary (e.g. to perform a contract, to comply with a legal obligation, to protect the vital or legitimate interests of a party, …).
Furthermore, the natural person must be informed, in clear and plain language, of who will process the data and for what purpose.
The natural person must also be informed of the risks, rules, safeguards and rights associated with the processing.
The obligation to process only accurate data is backed by a number of rights for the natural person. For example, there is a right of access to the data the controller holds about them, a right to object, a right to restriction of processing, and a right to rectification or even erasure of the data.
To ensure adequate security, appropriate technical and organisational measures (such as pseudonymisation or encryption, and the ability to restore availability after an incident) must be taken before and during the processing.
Finally, only the data that is necessary for the stated purposes may be processed. Processing is permitted only where the purpose cannot reasonably be achieved by other means than processing the personal data in question.
It goes without saying that, to comply with these basic principles, the importance of adequate legal and IT support cannot be overstated.