Tuesday 20 February 2018
GDPR INFO SESSION
Presented by: Karel Holst
Legal Counsel – DPO
karel.holst@ifori.be
Blog: www.gdprexpert.be
THE GENERAL DATA PROTECTION REGULATION - GDPR
Legal Perspective
DE ALGEMENE VERORDENING GEGEVENSBESCHERMING - AVG
Contents
I. Data Protection – Overview
II. GDPR – Key changes/obligations
III. Conclusion – Action plan
I. Data Protection – Overview
© 2018 IFORI – All rights reserved
Fundamental Rights
EU Charter of Fundamental Rights, article 8(1):
“Everyone has the right to the protection of personal data concerning him or her.”
The Universal Declaration of Human Rights, article 12:
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Why a new overriding Regulation?
Directive 95/46/EC sought to harmonize national legislations and ensure free flow of data within the EU
But:
– Still differences in national implementation and application
– Limited cooperation between Data Protection Authorities (‘DPA’)
– Many technological & societal changes in the 20 years since Dir. 95/46/EC
– Strengthen Data Subject's rights
Personal Data
Personal Data are everywhere!
“Any information relating to an identified or identifiable natural person”
E.g. Name, location data, IP-address, customer number, …
Stricter rules for special categories of Personal Data (general prohibition)
‒ Racial or ethnic origin
‒ Political opinions
‒ Genetic and biometric data, solely for identification purposes
‒ Health data
‒ …
Scope of Processing
The processing of personal data wholly or partly by automated means
AND
manual processing if the personal data form part of a filing system or are intended to form part of a filing system
Processing: any operation or set of operations which is performed on personal data or on sets of personal data
E.g. collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Processing
Personal Data, e.g. customer data: name, date of birth, address, …
Data Subject
Controller: determines the purposes and the manner of the processing (e.g. IFORI, for marketing purposes, through an online registration form)
Processor: separate legal entity that processes on behalf of the Controller (e.g. a marketer that carries out mail marketing)
Typical Processors
• HR & Payroll management
• IT ( )
• Communication
Main objective
Ensure the right of an individual to make his own decisions regarding the
information that relates to him.
Principles of processing:
‒ Fair, lawful and transparent
‒ Purpose limitation
‒ Data minimization
‒ Accuracy
‒ Storage limitation
‒ Integrity and confidentiality
+ Accountability
II. GDPR – Key Obligations/Changes
I. Territorial Scope
The GDPR applies when:
‒ Processing in the context of activities of an establishment in the EU
‒ When the data subjects are located in the EU, and the processing is
related to:
• Offering goods or services
• Monitoring of their behavior (in the EU)
II. Lawfulness
A valid legal basis to process the data is required:
‒ Consent
‒ Necessary for the performance of a contract
‒ Legitimate interests
Consent
– Freely given, specific, informed and unambiguous
– It must be given by a statement or a clear affirmative action (thus opt-out NOT possible)
– Proof of consent to be provided by Controller
– Withdrawable
– Obtained separately
– Children: when offering information society services, processing is only lawful where the child is at least 16 years old. Younger = consent by holder of parental responsibility
Necessary for the performance of a contract
Legitimate interests
― Pursued by the controller
― Balance: interests / fundamental rights and freedoms of the data subject
III. Rights of the data subject
Transparency
Access
Rectify
Erasure (right to be forgotten)
Restriction
Portability
Object
Not be subject to automated decision making (profiling)
IV. Controllers and Processors
Controllers
‒ Privacy by default & design
‒ Records (Notification)
• Not where <250 employees, unless high risk
• Including general description of security measures
‒ Data breach notification
‒ Privacy Impact Assessment (PIA)/Prior consultation of DPA
‒ Choose appropriate processors ( ) – Processing Agreements
‒ Data Protection Officer (DPO)
‒ Data security
Data Breach Notification
Obligation to document all breaches
To Data Protection Authority (DPA)
– 72h deadline
– Specific information
– Documentation
To data subject
– High risk to rights and freedoms
– Clear and plain language
– Exceptions
Data Protection Officer (DPO)
When?
‒ Public authority or body
‒ Regular and systematic monitoring of data subjects on a large scale
‒ Processing of special categories of data on a large scale
Tasks?
‒ Inform and advise on the obligations pursuant to the GDPR
‒ Monitor compliance
‒ Advise on draft of PIA
‒ Cooperate with DPA
‒ External contact
Who?
Data Security
Ensure confidentiality, integrity, availability, resilience
By implementing appropriate technical and organizational measures
Risk based approach (the state of the art, the costs of implementation, …)
– Encryption/Pseudonymisation
– Audits
– Back-up and redundancy
IV. Controllers and Processors
Processors
‒ Comply with specific obligations
• Records
• Data Security
• PIA/DPO
• Breach notification to Controller
‒ Directly liable
V. Transfers
General prohibition on transfers outside EEA (28+3)
– Adequacy Decision
• White list
• EU-U.S. Privacy Shield
– Appropriate Safeguards
• Model Clauses (EC/DPA/Ad hoc)
• Binding Corporate rules
• Codes of conduct/ Certification
– Derogations (e.g. explicit consent)
EU-U.S. Privacy Shield List: https://www.privacyshield.gov/participant_search
VI. Sanctions
Administrative Fines by DPA: effective, proportionate & dissuasive
– Up to the greater of €20.000.000 or 4% of total worldwide annual turnover of an undertaking
Private claims by data subjects
– DPA
– Courts for compensation from Controller or Processor
Criminal penalties possible where provided by member states
Advantages of GDPR
• Reduction of administrative burdens & costs
• More legal certainty
• Same rules within EU
• Easier to transfer personal data
• One-Stop-Shop
III. Conclusion – Call to action
Where to start?
1. DPO(?) - Project team
2. Awareness
3. Register
4. Information Security (IT)
5. Processing Agreements
From here: Implement the other GDPR obligations
Register (Article 30 GDPR)
Your contact details
For each processing activity:
• purposes;
• categories of data subjects & personal data;
• the categories of recipients;
• transfers to a third country + safeguards;
• retention period;
• description of security measures.
Records of processing activities – Company XYZ (example register)
Column groups: WHO | WHY | WHAT | WHERE | TRANSFER
Columns: Processing Activity | Purposes | Categories of Subjects | Categories of PD | Specific | Source | Legal Ground | Retention | Storage | Measures | Receivers | Outside EEA | Measures
Activity groups in the register: HR (Staff management (selection/recruitment); Applicants; Personnel administration; Current staff/Former staff/Apprenticeship contract), Accounting, Customer management, Customer administration, Customers, Marketing, Website
Rows (cells in register order; the Source column is empty in the original):
1. Identification data | name, first name, age, domicile and residence | Performance of contract (AO) | Unlimited | Paper/ADMB tool/Mailbox | Information security policy | ADMB | N/A | N/A
2. Training and education | CVs, training, certification (clarck), professional competence | Performance of contract (AO) | Unlimited | Paper/ADMB tool/Volta (federation) | Information security policy | ADMB | N/A | N/A
3. Temps/holiday workers | Identification data | name, contract, address, national register number | Performance of contract (AO) | Unlimited | Mailbox/paper contract | Information security policy | Temp agency | N/A | N/A
4. Training and education/Profession and employment | CV | Performance of contract (AO) | Unlimited | Mailbox | Information security policy | N/A | N/A | N/A
5. Identification data | email/name | Performance of contract (AO) | Unlimited | Mailbox | Information security policy | N/A | N/A | N/A
6. Meal vouchers | Current staff | Identification data | name, national register number | Performance of contract (AO) | Unlimited | Edenred | Information security policy | Edenred | N/A | N/A
7. Work planning | Current staff | Organisation of work | Leave | Performance of contract (AO) | Unlimited | ADMB | Information security policy | N/A | N/A | N/A
8. Supplier administration | Supplier management | Contacts at suppliers | Identification data | name, email, telephone, address | Performance of contract (CT) | Unlimited | CRM | Information security policy | Cloud CRM | N/A | N/A
9. B2C: webshop | Identification data | see webshop | Performance of contract (CT) | Unlimited | CRM | Information security policy | N/A | N/A | N/A
10. Employees | Identification data | see webshop | Performance of contract (CT) | Unlimited | Excel + CRM | Information security policy | Microsoft (OneDrive) | US | Model Clauses
11. Invoicing | Identification data | user-id | Performance of contract (CT) | Unlimited | EVA Online | Information security policy | Accountant/EVA Online | N/A | N/A
12. Accounting | Identification data | name, email, address | Performance of contract (CT) | Unlimited | EVA Online | Information security policy | Accountant/EVA Online | N/A | N/A
13. Email marketing | Customers | Identification data | email address | Consent | Unlimited | CRM | Information security policy | Mailchimp | N/A | N/A
14. Telemarketing | Contact data | Identification data | telephone number | Legitimate interest | Unlimited | CRM | Information security policy | Yello/Trendstop | N/A | N/A
15. Visitor administration | Visitors | Electronic identification data | IP address | Legitimate interest | Unlimited | Cloud CRM | Information security policy | Cloud CRM, Google Analytics | US | Model Clauses/Privacy
16. Contact form | Visitors | Contact data | Name, email, question | Consent | Unlimited | Cloud CRM | Information security policy | Cloud CRM | N/A | N/A
17. Camera surveillance | Surveillance | Visitors | Images | Video | Consent (sticker) | 31 days | On-premise server | Information security policy | N/A | N/A | N/A
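As an added illustration (not part of the presentation), the following Python sketch turns the register layout above into a structured record and applies the checks a DPO would run before signing a register off: a recognised legal ground, a bounded retention period, transfers outside the EEA covered by one of the mechanisms from the Transfers slide, documented security measures, and special categories flagged. The record fields, the sample rows and the finding texts are assumptions made for this example.

```python
"""Review checks for an Article 30 register (added example, not from the slides).

ProcessingRecord mirrors the columns of the Company XYZ register above
(WHO / WHY / WHAT / WHERE / TRANSFER). check_register() returns the rows a
DPO would send back for rework: no recognised Article 6 legal ground, an
unbounded retention period (storage limitation principle), a receiver
outside the EEA without one of the mechanisms listed under "V. Transfers",
no documented security measure, and special-category data (general
prohibition). All sample rows are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Article 6(1) legal bases; the slides discuss the first three in detail.
LEGAL_GROUNDS = {
    "consent", "contract", "legitimate interest",
    "legal obligation", "vital interest", "public task",
}
# Transfer mechanisms named on the "V. Transfers" slide.
TRANSFER_SAFEGUARDS = {
    "adequacy decision", "privacy shield", "model clauses",
    "binding corporate rules", "code of conduct", "certification",
    "explicit consent",
}
# Special categories named on the "Personal Data" slide.
SPECIAL_CATEGORIES = {
    "racial or ethnic origin", "political opinions", "genetic data",
    "biometric data", "health data",
}
# A bounded retention period: a number followed by a unit, e.g. "31 days".
RETENTION_RE = re.compile(r"^\s*\d+\s*(day|week|month|year)s?\s*$", re.IGNORECASE)


@dataclass
class ProcessingRecord:
    activity: str                  # WHO: processing activity
    purpose: str                   # WHY
    data_subjects: str             # WHAT: categories of data subjects
    data_categories: list          # WHAT: categories of personal data
    legal_ground: str              # WHERE: Article 6 basis
    retention: str                 # WHERE: e.g. "31 days" or "unlimited"
    storage: str                   # WHERE: system or location
    security_measures: str         # WHERE: reference to applied measures
    receivers: list = field(default_factory=list)
    outside_eea: str = ""          # TRANSFER: destination country, "" if none
    transfer_safeguard: str = ""   # TRANSFER: mechanism relied on, "" if none


def retention_is_bounded(retention: str) -> bool:
    """True only for an explicit finite period; 'unlimited' or blank fails."""
    return RETENTION_RE.match(retention) is not None


def check_record(rec: ProcessingRecord) -> list:
    """Return the review findings for one register row (empty list = clean)."""
    findings = []
    if rec.legal_ground.strip().lower() not in LEGAL_GROUNDS:
        findings.append("no recognised Article 6 legal ground")
    if not retention_is_bounded(rec.retention):
        findings.append("retention period not bounded (storage limitation)")
    if not rec.security_measures.strip():
        findings.append("no security measures documented")
    if rec.outside_eea and rec.transfer_safeguard.strip().lower() not in TRANSFER_SAFEGUARDS:
        findings.append(f"transfer to {rec.outside_eea} without a recognised safeguard")
    special = [c for c in rec.data_categories if c.strip().lower() in SPECIAL_CATEGORIES]
    if special:
        findings.append("special categories present, document the exception: " + ", ".join(special))
    return findings


def check_register(records) -> dict:
    """Map each activity that has findings to its list of findings."""
    report = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            report[rec.activity] = findings
    return report


# Constructed sample register; the values do not come from the slides.
SAMPLE_REGISTER = [
    ProcessingRecord("Camera surveillance", "Security of premises", "Visitors",
                     ["images"], "Consent", "31 days", "On-premise server",
                     "Information security policy"),
    ProcessingRecord("Web analytics", "Website statistics", "Visitors",
                     ["IP address"], "Legitimate interest", "unlimited", "Cloud CRM",
                     "Information security policy", ["Analytics provider"],
                     "US", "Model clauses"),
    ProcessingRecord("Newsletter", "Email marketing", "Customers",
                     ["email address"], "Consent", "", "Mailing tool",
                     "Information security policy", ["Mailing tool vendor"],
                     "US", ""),
    ProcessingRecord("Absence management", "Personnel administration", "Current staff",
                     ["name", "health data"], "Contract", "5 years", "HR tool",
                     "Information security policy"),
]

if __name__ == "__main__":
    for activity, findings in check_register(SAMPLE_REGISTER).items():
        print(activity + ":")
        for finding in findings:
            print("  - " + finding)
```

Run as a script it prints the three rows with findings; the clean camera row is omitted, which is the point of keeping the register review mechanical.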
Useful resources
www.privacycommission.be
• Action Plan
• Register template
https://cst.cnpd.lu/portal/
• GDPR self-assessment
Take Action
Not everything has changed, just as not everything has been harmonized
New obligations but also removal of some administrative burdens and
further guidance
(New) technologies introduce new compliance risks, but technologies can
also be used to mitigate risk and/or ensure compliance
Take action now!
GDPR applies from 25 May 2018
Victor Braeckmanlaan 107
9040 Gent, Belgium
Tel: +32 9 230 36 62
Fax: +32 9 231 63 71
E-mail: info@ifori.be
IFORI BVBA
RPR: 472.073.759 (Gent)
BTW: BE 472.073.759
IBAN: BE14 0689 0654 8283
BIC: GKCCBEBB
Thank you
Questions?
WWW.IFORI.BE
WWW.GDPREXPERT.BE
Presentation available online: www.gdprexpert.be/gdprblog
Related Legal Acts: Cookies, Network Infrastructure, Employees
Cookies
Directive on privacy and electronic communications - Telecoms Law (Be)
– Information
– Consent
GDPR
– Processing of personal data
‒ Controller: You/Third party cookie provider
‒ Processor: Third party cookie provider
Employment
Monitoring: Belgium: CAO nr. 81 & Privacy Act/GDPR
Principles: Finality, Proportionality, Transparency
– Professional communications(?): Access (?)
– Non-professional communications: Individualization Procedure
See also recommendations by Privacy Commission
“One-stop-shop”
Controllers and Processors answer to a ‘lead supervisory authority’
– Based on their single or main establishment in the EU
– For cross-border processing
But supervisory authorities may still address infringements
– If it relates to an establishment in its MS or;
– If it substantially affects data subjects in its MS
Consistency through cooperation between DPA’s with EDPB oversight

Weitere ähnliche Inhalte

Was ist angesagt?

Datum DPO outsourced May 2016
Datum DPO outsourced May 2016Datum DPO outsourced May 2016
Datum DPO outsourced May 2016
Mark Honeyball
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?
VYTIS MALECKAS
 
Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...
Stephanie Vasey
 

Was ist angesagt? (19)

The GDPR for Techies
The GDPR for TechiesThe GDPR for Techies
The GDPR for Techies
 
Datum DPO outsourced May 2016
Datum DPO outsourced May 2016Datum DPO outsourced May 2016
Datum DPO outsourced May 2016
 
EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer EU GDPR: The role of the data protection officer
EU GDPR: The role of the data protection officer
 
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
Preparing for GDPR: General Data Protection Regulation - Stakeholder Presenta...
 
EU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketingEU GDPR and you: requirements for marketing
EU GDPR and you: requirements for marketing
 
GDPR in a nutshell
GDPR in a nutshellGDPR in a nutshell
GDPR in a nutshell
 
GDPR what you should know and how to minimize impact on your business
GDPR what you should know and how to minimize impact on your businessGDPR what you should know and how to minimize impact on your business
GDPR what you should know and how to minimize impact on your business
 
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
"Legal tips and compliance requirements" - Anastasia Botsi, ICT Legal
 
Findability Day 2016 - What is GDPR?
Findability Day 2016 - What is GDPR?Findability Day 2016 - What is GDPR?
Findability Day 2016 - What is GDPR?
 
The Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection RegulationThe Meaning and Impact of the General Data Protection Regulation
The Meaning and Impact of the General Data Protection Regulation
 
The Essential Guide to GDPR
The Essential Guide to GDPRThe Essential Guide to GDPR
The Essential Guide to GDPR
 
GDPR Overview
GDPR OverviewGDPR Overview
GDPR Overview
 
12 steps to gdpr compliance unleashed
12 steps to gdpr compliance   unleashed12 steps to gdpr compliance   unleashed
12 steps to gdpr compliance unleashed
 
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)New General Data Protection Regulation (Agnes Andersson Hammarstrand)
New General Data Protection Regulation (Agnes Andersson Hammarstrand)
 
Privacy 101
Privacy 101Privacy 101
Privacy 101
 
GDPR: Key Article Overview
GDPR: Key Article OverviewGDPR: Key Article Overview
GDPR: Key Article Overview
 
EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?EY General Data Protection Regulation: Are you ready?
EY General Data Protection Regulation: Are you ready?
 
Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...Preparing for general data protection regulations (gdpr) within the hous...
Preparing for general data protection regulations (gdpr) within the hous...
 
Simple GDPR Overview
Simple GDPR OverviewSimple GDPR Overview
Simple GDPR Overview
 

Ähnlich wie 2018 02 20 GDPR SEMINAR - Gemeente Sint-Martens-Latem

Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Dr. Donald Macfarlane
 

Ähnlich wie 2018 02 20 GDPR SEMINAR - Gemeente Sint-Martens-Latem (20)

Associates quick guide to gdpr v 1.0
Associates quick guide to gdpr v 1.0Associates quick guide to gdpr v 1.0
Associates quick guide to gdpr v 1.0
 
GDPR in the Healthcare Industry
GDPR in the Healthcare IndustryGDPR in the Healthcare Industry
GDPR in the Healthcare Industry
 
Board Priorities for GDPR Implementation
Board Priorities for GDPR ImplementationBoard Priorities for GDPR Implementation
Board Priorities for GDPR Implementation
 
Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)Understanding the EU's new General Data Protection Regulation (GDPR)
Understanding the EU's new General Data Protection Regulation (GDPR)
 
GDPR 101
GDPR 101 GDPR 101
GDPR 101
 
ACI Europe - GDPR CUPPS Presentation
ACI Europe - GDPR CUPPS PresentationACI Europe - GDPR CUPPS Presentation
ACI Europe - GDPR CUPPS Presentation
 
Data protection & security breakfast briefing master slides 28 june-final
Data protection & security breakfast briefing   master slides 28 june-finalData protection & security breakfast briefing   master slides 28 june-final
Data protection & security breakfast briefing master slides 28 june-final
 
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_finalData Protection & Security Breakfast Briefing - Master Slides_28 June_final
Data Protection & Security Breakfast Briefing - Master Slides_28 June_final
 
General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...General Data Protection Regulations (GDPR): Do you understand it and are you ...
General Data Protection Regulations (GDPR): Do you understand it and are you ...
 
GDPR Is Coming – Are Emailers Ready?
GDPR Is Coming – Are Emailers Ready?GDPR Is Coming – Are Emailers Ready?
GDPR Is Coming – Are Emailers Ready?
 
Payslip gdpr deck nov 2017
Payslip gdpr deck nov 2017Payslip gdpr deck nov 2017
Payslip gdpr deck nov 2017
 
3 minute reading time on how you can comply with GDPR.
3 minute reading time on how you can comply with GDPR.3 minute reading time on how you can comply with GDPR.
3 minute reading time on how you can comply with GDPR.
 
Employee Monitoring and Privacy.pdf
Employee Monitoring and Privacy.pdfEmployee Monitoring and Privacy.pdf
Employee Monitoring and Privacy.pdf
 
EENA2019: Track2 session3 Impact of GDPR on public safety organisations by M...
EENA2019: Track2 session3 Impact of  GDPR on public safety organisations by M...EENA2019: Track2 session3 Impact of  GDPR on public safety organisations by M...
EENA2019: Track2 session3 Impact of GDPR on public safety organisations by M...
 
Csa privacy by design &amp; gdpr austin chambers 11-4-17
Csa   privacy by design &amp; gdpr austin chambers 11-4-17Csa   privacy by design &amp; gdpr austin chambers 11-4-17
Csa privacy by design &amp; gdpr austin chambers 11-4-17
 
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readinessGeneral Data Protection Regulation (GDPR) - Moving from confusion to readiness
General Data Protection Regulation (GDPR) - Moving from confusion to readiness
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
 
Privacy by design Austin Chambers 11-9-17
Privacy by design Austin Chambers 11-9-17Privacy by design Austin Chambers 11-9-17
Privacy by design Austin Chambers 11-9-17
 
Engage 2018: GDPR Three Days To Go
Engage 2018: GDPR Three Days To GoEngage 2018: GDPR Three Days To Go
Engage 2018: GDPR Three Days To Go
 
GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready? GDPR Enforcement is here. Are you ready?
GDPR Enforcement is here. Are you ready?
 

Kürzlich hochgeladen

Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.ppt
JosephCanama
 
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxAudience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
MollyBrown86
 
一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理
Airst S
 
Contract law. Indemnity
Contract law.                     IndemnityContract law.                     Indemnity
Contract law. Indemnity
mahikaanand16
 
Appeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfAppeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdf
PoojaGadiya1
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
Airst S
 
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
ShashankKumar441258
 

Kürzlich hochgeladen (20)

Transferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptxTransferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptx
 
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
Independent Call Girls Pune | 8005736733 Independent Escorts & Dating Escorts...
 
Code_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.pptCode_Ethics of_Mechanical_Engineering.ppt
Code_Ethics of_Mechanical_Engineering.ppt
 
Relationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdfRelationship Between International Law and Municipal Law MIR.pdf
Relationship Between International Law and Municipal Law MIR.pdf
 
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxAudience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
Audience profile - SF.pptxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdfBPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction Fails
 
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptxPresentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
Presentation on Corporate SOCIAL RESPONSIBILITY- PPT.pptx
 
一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理一比一原版赫瑞瓦特大学毕业证如何办理
一比一原版赫瑞瓦特大学毕业证如何办理
 
LITERAL RULE OF INTERPRETATION - PRIMARY RULE
LITERAL RULE OF INTERPRETATION - PRIMARY RULELITERAL RULE OF INTERPRETATION - PRIMARY RULE
LITERAL RULE OF INTERPRETATION - PRIMARY RULE
 
The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...The Active Management Value Ratio: The New Science of Benchmarking Investment...
The Active Management Value Ratio: The New Science of Benchmarking Investment...
 
Contract law. Indemnity
Contract law.                     IndemnityContract law.                     Indemnity
Contract law. Indemnity
 
Police Misconduct Lawyers - Law Office of Jerry L. Steering
Police Misconduct Lawyers - Law Office of Jerry L. SteeringPolice Misconduct Lawyers - Law Office of Jerry L. Steering
Police Misconduct Lawyers - Law Office of Jerry L. Steering
 
Appeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfAppeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdf
 
一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理一比一原版赫尔大学毕业证如何办理
一比一原版赫尔大学毕业证如何办理
 
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptxAnalysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
Analysis of R V Kelkar's Criminal Procedure Code ppt- chapter 1 .pptx
 
Jim Eiberger Redacted Copy Of Tenant Lease.pdf
Jim Eiberger Redacted Copy Of Tenant Lease.pdfJim Eiberger Redacted Copy Of Tenant Lease.pdf
Jim Eiberger Redacted Copy Of Tenant Lease.pdf
 
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
6th sem cpc notes for 6th semester students samjhe. Padhlo bhai
 
PPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxPPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptx
 
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptxMunicipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
 

2018 02 20 GDPR SEMINAR - Gemeente Sint-Martens-Latem

  • 1.
  • 2. Dinsdag 20 februari 2018 GDPR INFOSESSIE
  • 3. Presented by: Karel Holst Legal Counsel – DPO karel.holst@ifori.be Blog: www.gdprexpert.be THE GENERAL DATA PROTECTION REGULATION - GDPR Legal Perspective DE ALGEMENE VERORDENING GEGEVENSBESCHERMING - AVG
  • 4. 4 I. Data Protection – Overview II. GDPR – Key changes/obligations III.Conclusion – Action plan Contents
  • 6. 6© 2018 IFORI – All rights reserved Fundamental Rights EU Charter of Fundamental Rights, article 8(1): “Everyone has the right to the protection of personal data concerning him or her.” The Universal Declaration of Human Rights, article 12: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
  • 7. 7© 2018 IFORI – All rights reserved Why a new overriding Regulation? Directive 95/46/EC sought to harmonize national legislations and ensure free flow of data within the EU But: – Still differences in national implementation and application – Limited cooperation between Data Protection Authorities (‘DPA’) – Many technological & societal changes in the 20 years since Dir. 95/45/EC – Strengthen Data Subject's rights
  • 8. 8© 2018 IFORI – All rights reserved Personal Data are everywhere! “Any information relating to an identified or identifiable natural person” E.g. Name, location data, IP-address, customer number, … Stricter rules for special categories of Personal Data (general prohibition) ‒ Racial or ethnic origin ‒ Political options ‒ Genetic and biometric data, solely for identification purposes ‒ Health data ‒ … Personal Data
  • 9. 9© 2018 IFORI – All rights reserved The processing of personal data wholly or partly by automated means AND manual processing if the personal data form part of a filing system or are intended to form part of a filing system Processing: any operation or set of operations which is performed on personal data or on sets of personal data E.g. collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction Scope of Processing
  • 10. 10© 2018 IFORI – All rights reserved Processing Personal Data e.g. Customer Data ‒ Name ‒ Date of birth ‒ Address ‒ … Controller Determines the purposes and the manner of the processing e.g. IFORI For marketing purposes, through an online registration form Data Subject Processor Separate legal entity processes on behalf of the Controller e.g. Marketer carries out mail marketing
• 11. Typical Processors
• HR & Payroll management
• IT
• Communication
• 12. Main objective
Ensure the right of an individual to make his own decisions regarding the information that relates to him.
Principles of processing:
‒ Fair, lawful and transparent
‒ Purpose limitation
‒ Data minimization
‒ Accuracy
‒ Storage limitation
‒ Integrity and confidentiality
+ Accountability
• 14. I. Territorial Scope
The GDPR applies when:
‒ Processing in the context of activities of an establishment in the EU
‒ When the data subjects are located in the EU, and the processing is related to:
  • Offering goods or services
  • Monitoring of their behavior (in the EU)
• 15. II. Lawfulness
A valid legal basis to process the data is required:
‒ Consent
‒ Necessary for the performance of a contract
‒ Legitimate interests
• 16. Consent
– Freely given, specific, informed and unambiguous
– It must be given by a statement or a clear affirmative action (thus opt-out NOT possible)
– Proof of consent to be provided by Controller
– Withdrawable
– Obtained separately
– Children: when offering information society services, processing is only lawful where the child is at least 16 years old. Younger = consent by holder of parental responsibility
• 18. Legitimate interests
― Pursued by the controller
― Balance: interests / fundamental rights and freedoms of the data subject
• 19. III. Rights of the data subject
– Transparency
– Access
– Rectify
– Erasure (right to be forgotten)
– Restriction
– Portability
– Object
– Not be subject to automated decision making (profiling)
• 20. IV. Controllers and Processors
Controllers
‒ Privacy by default & design
‒ Records (Notification)
  • Not where <250 employees, unless high risk
  • Including general description of security measures
‒ Data breach notification
‒ Privacy Impact Assessment (PIA) / Prior consultation of DPA
‒ Choose appropriate processors – Processing Agreements
‒ Data Protection Officer (DPO)
‒ Data security
• 21. Data Breach Notification
Obligation to document all breaches
To Data Protection Authority (DPA)
– 72h deadline
– Specific information
– Documentation
To data subject
– High risk to rights and freedoms
– Clear and plain language
– Exceptions
• 22. Data Protection Officer (DPO)
When?
‒ Public authority or body
‒ Regular and systematic monitoring of data subjects on a large scale
‒ Processing of special categories of data on a large scale
Tasks?
‒ Inform and advise on the obligations pursuant to the GDPR
‒ Monitor compliance
‒ Advise on draft of PIA
‒ Cooperate with DPA
‒ External contact
Who?
• 23. Data Security
Ensure confidentiality, integrity, availability, resilience
By implementing appropriate technical and organizational measures
Risk based approach (the state of the art, the costs of implementation, …)
– Encryption/Pseudonymisation
– Audits
– Back-up and redundancy
• 24. IV. Controllers and Processors
Processors
‒ Comply with specific obligations
  • Records
  • Data Security
  • PIA/DPO
  • Breach notification to Controller
‒ Directly liable
• 25. V. Transfers
General prohibition on transfers outside EEA (28+3)
– Adequacy Decision
  • White list
  • EU-U.S. Privacy Shield
– Appropriate Safeguards
  • Model Clauses (EC/DPA/Ad hoc)
  • Binding Corporate Rules
  • Codes of conduct / Certification
– Derogations (e.g. explicit consent)
• 27. VI. Sanctions
Administrative fines by DPA: effective, proportionate & dissuasive
– Up to the greater of €20.000.000 or 4% of total worldwide annual turnover of an undertaking
Private claims by data subjects
– DPA
– Courts, for compensation from Controller or Processor
Criminal penalties possible where provided by member states
• 28. Advantages of GDPR
• Reduction of administrative burdens & costs
• More legal certainty
• Same rules within EU
• Easier to transfer personal data
• One-Stop-Shop
• 29. III. Conclusion – Call to action
• 30. Where to start?
1. DPO(?) - Project team
2. Awareness
3. Register
4. Information Security (IT)
5. Processing Agreements
From here: implement the other GDPR obligations
• 31. Article 30 GDPR Register
Your contact details
For each processing activity:
• purposes;
• categories of data subjects & personal data;
• the categories of recipients;
• transfers to a third country + safeguards;
• retention period;
• description of security measures.
[Figure on slides 31 and 32: example "Records of processing activities" spreadsheet for Company XYZ (in Dutch). Column headers: WHO, Processing Activity, Purposes, Categories of Subjects, Categories of PD, Specific, Source, Legal Ground, Retention, Storage, Measures, Receivers, Outside EEA, Measures, grouped under WHO / WHAT / WHY / WHERE / TRANSFER. The rows cover HR (recruitment, staff administration, training, temps, meal vouchers, work planning), supplier administration, customer management (webshop, invoicing, accounting), marketing (email marketing, telemarketing) and website (visitor administration, contact form, camera surveillance). Legal grounds used: performance of the employment contract, performance of a contract, consent and legitimate interest; retention is "unlimited" for all rows except camera footage (31 days); the security measure is the information security policy throughout; transfers to the US (Microsoft OneDrive, Google Analytics) are covered by Model Clauses.]
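As an added example that is not part of the slides, a small Python register in the shape of the Article 30 list above, with the checks a DPO would run over it: required fields, transfers outside the EEA without a safeguard, and retention that is not limited. The field names, the partial EEA country list and the two sample rows are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

# EEA is the EU members plus Iceland, Liechtenstein and Norway ("28+3" on
# slide 25). Only the members needed for the sample rows are listed here
# (assumption: extend the set for a real register).
EEA = {"BE", "NL", "DE", "FR", "LU", "IE", "IS", "LI", "NO"}
UNLIMITED = {"", "unlimited", "onbeperkt", "indefinite"}


@dataclass
class Record:
    """One row of the Article 30 register (field names are assumptions)."""
    activity: str
    purposes: list
    subject_categories: list
    data_categories: list
    recipients: list              # categories of recipients ("internal only" is fine)
    retention: str                # e.g. "31 days"
    security_measures: str        # general description, e.g. a policy reference
    transfer_countries: list = field(default_factory=list)   # ISO country codes
    transfer_safeguard: str = ""  # e.g. "Model Clauses", "Adequacy decision"


def check_record(r: Record) -> list:
    """Return the findings for one row: missing Art. 30 fields, a transfer
    outside the EEA without a safeguard, and retention that is not limited."""
    findings = []
    required = {"purposes": r.purposes, "subject_categories": r.subject_categories,
                "data_categories": r.data_categories, "recipients": r.recipients,
                "security_measures": r.security_measures}
    for name, value in required.items():
        if not value:
            findings.append(f"{r.activity}: missing '{name}' (Art. 30)")
    outside = sorted(c for c in r.transfer_countries if c not in EEA)
    if outside and not r.transfer_safeguard:
        findings.append(f"{r.activity}: transfer to {outside} without safeguard")
    if r.retention.strip().lower() in UNLIMITED:
        findings.append(f"{r.activity}: retention not limited (storage limitation)")
    return findings


def audit(register: list) -> list:
    """Run check_record over the whole register and collect the findings."""
    return [f for r in register for f in check_record(r)]


# Constructed sample rows, modelled on the kind of entries in the slide's register.
SAMPLE = [
    Record("Camera surveillance", ["security of premises"], ["visitors"], ["video"],
           ["internal only"], "31 days", "information security policy"),
    Record("Website analytics", ["visitor statistics"], ["visitors"], ["IP address"],
           ["analytics provider"], "unlimited", "information security policy",
           transfer_countries=["US"]),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running it reports two findings for the analytics row (unlimited retention, US transfer without a safeguard) and none for the camera row.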
• 33. Useful resources
www.privacycommission.be
• Action Plan
• Register template
https://cst.cnpd.lu/portal/
• GDPR self-assessment
• 34. Take Action
Not everything has changed, just as not everything has been harmonized
New obligations, but also removal of some administrative burdens and further guidance
(New) technologies introduce new compliance risks, but technologies can also be used to mitigate risk and/or ensure compliance
Take action now! GDPR applies from 25 May 2018
• 35. Thank you – Questions?
IFORI BVBA
Victor Braeckmanlaan 107, 9040 Gent, Belgium
Tel: +32 9 230 36 62
Fax: +32 9 231 63 71
E-mail: info@ifori.be
RPR: 472.073.759 (Gent)
BTW: BE 472.073.759
IBAN: BE14 0689 0654 8283
BIC: GKCCBEBB
WWW.IFORI.BE
WWW.GDPREXPERT.BE
Presentation available online: www.gdprexpert.be/gdprblog
• 36. Related Legal Acts: Cookies, Network Infrastructure, Employees
• 37. Cookies
Directive on privacy and electronic communications – Telecoms Law (Be)
– Information
– Consent
GDPR – Processing of personal data
‒ Controller: You / Third party cookie provider
‒ Processor: Third party cookie provider
• 38. Employment
Monitoring: Belgium: CAO nr. 81 & Privacy Act/GDPR
Principles: Finality, Proportionality, Transparency
– Professional communications (?): Access (?)
– Non-professional communications: Individualization Procedure
See also recommendations by the Privacy Commission
• 39. "One-stop-shop"
Controllers and Processors answer to a 'lead supervisory authority'
– Based on their single or main establishment in the EU
– For cross-border processing
But supervisory authorities may still address infringements
– If it relates to an establishment in its MS, or
– If it substantially affects data subjects in its MS
Consistency through cooperation between DPAs with EDPB oversight