Each Member State has to provide for one or more independent public authorities to be responsible for monitoring the application of the GDPR.
In Belgium the authorized public authority is the Data Protection Authority (previously Commission for the Protection of Privacy).
The data controller is the one who determines the purposes and means of the processing of personal data. The controller can do this alone, or jointly with others.
Where the purposes and means of the processing of personal data are determined by joint controllers, the GDPR requires that they determine in a transparent manner their respective responsibilities by means of an arrangement between them. This arrangement shall reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement has to be made available to the data subject.
Under the GDPR a data controller is obliged to inform its data subjects of certain information and of their rights. Each data subject may exercise his or her rights in respect of and against each of the data controllers.
Different templates to ensure your data subjects are properly informed can be found on this website under the tab “Do it yourself”.
The Data Protection Officer (DPO) has a security leadership role within the company and is ideally placed to ensure GDPR compliance. The DPO has to ensure that the data protection rules are respected within the company.
Both the controller and the processor need to appoint a DPO when they process or store large amounts of personal data. A DPO must also be appointed for all public authorities, and where the core activities of the controller or the processor require regular and systematic monitoring of data subjects on a large scale, or where the controller or the processor conducts processing on a large scale of special categories of personal data.
A controller can appoint a data processor who processes data on the controller's behalf. The data processor is thus the one who handles personal data as instructed by a controller, for specific purposes and services offered to the data controller that involve the processing of personal data.
Examples of processors are payroll offices, insurance companies, web hosts, etc.
Under the GDPR, the data processor is subject to several obligations:
- A data processor cannot engage another processor without clear permission from the data controller;
- There must be a contract (or other legal act) between the data processor and the data controller that clearly mentions the subject-matter, duration, nature and purpose of the processing of personal data, as well as the type of personal data and categories of data subjects;
- A data processor must keep a record of all categories of processing activities it has carried out on behalf of a data controller.
Furthermore, data processors need to assist data controllers in various circumstances where relevant, for example in a potential personal data breach notification or in considering a Data Protection Impact Assessment.
Under the GDPR, the data subject is defined as an identified or identifiable person whose personal data is processed by a data controller. In other words, it covers every natural person to whom the personal information relates (directly or indirectly).
The GDPR grants the data subjects 8 specific rights they can exercise under particular conditions. These rights include:
- Insofar as the processing is based on consent, the right to withdraw this consent;
- The right to consult his or her personal data and to access specific information about the processing of that personal data;
- The right to request the data controller to rectify inaccurate personal data (concerning him or her);
- The right to request the data controller to erase his or her personal data;
- The right to limit the processing regarding him/her;
- The right to object against processing;
- The right of data transferability;
- The right to lodge a complaint with the supervisory authority.
There are two levels of fines based on the GDPR. The first is up to €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the global annual turnover of the previous financial year, whichever is higher.
The lower level shall be issued for infringements such as:
- Processing personal data of children below the age of 16 years without the consent of the holder of parental responsibility;
- The absence of a contract between joint controllers;
- Violation of the requirement to notify personal data breaches;
- The absence of technical and organisational measures;
- The absence of a register.
The upper level shall be issued for infringements of:
- The basic principles for processing, including conditions for consent;
- The data subjects’ rights;
- The transfer of personal data to a recipient in a third country or an international organisation without appropriate safeguards;
- Any obligations pursuant to Member State law adopted under Chapter IX of the GDPR;
- Any non-compliance with an order by a supervisory authority.
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
In case a personal data breach occurs, the company needs to report this to the supervisory authority. This has to be done without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach, unless the data breach is unlikely to result in a risk to the rights and freedoms of natural persons (your employees). This is, for example, the case when the personal data was already public.
When the data breach is likely to result in a high risk to the rights and freedoms of the natural persons (your employees), the company has to communicate the personal data breach to the persons concerned.
Each data breach needs to be documented.