Extensive reforms of privacy legislation, time for action!

The General Data Protection Regulation (the "GDPR") was adopted on April 27, 2016 by the European Parliament. This regulation will profoundly change privacy legislation in the entire European Union.

The GDPR applies to all companies processing personal data. The terms "personal data" and "processing" are broadly defined, in such a way that almost every company will have to face these new regulations sooner or later.

The GDPR expands on the existing privacy legislation, but also modifies it substantially.

A selection of the most important obligations under the GDPR:

  • Certain privacy-sensitive companies will have to appoint a Data Protection Officer (DPO);
  • Every company that has other companies (for example, certain IT-services, personnel administration, or subcontractors) involved in the processing of its personal data has the legal obligation to conclude a written agreement in compliance with the GDPR, in which all obligations of the service provider or the subcontractor are defined with respect to data protection;
  • All companies that process personal data have to keep an internal record of their data processing activities, and have to provide an appropriate privacy policy. In addition, the necessary measures have to be taken in order to comply with the privacy by design and privacy by default concepts;
  • All companies have to execute a Privacy Impact Assessment (PIA), which the GDPR calls a “data protection impact assessment” (DPIA), prior to specific new data processing activities of personal data;
  • In certain cases, personal data breaches must be notified to a supervising authority within 72 hours (in Belgium, the privacy commission should be notified);
  • The conditions for a valid data subject consent for the processing of personal data have been strengthened;
  • Companies can be fined up to 4% of the annual global turnover or up to €20 million for breaching the GDPR.

The GDPR will enter into force on May 25, 2018. Until then, companies will have the time to comply with the GDPR.

However, implementing all these rules requires some time, because the necessary changes have to be made within the company.

Therefore, we advise companies to address this issue as soon as possible. The first step consists in analysing the personal data that are being processed within the company and determining which new obligations they will impose on the company under this new legislation.

Do not hesitate to contact us if you require more information or legal advice.

 

Me Johan Van Driessche (johan.vandriessche@everest-law.be)

Me Jasper D'Hooghe (Jasper.DHooghe@everest-law.be)