2. Today’s short menu…
1. Kind reminder of what GDPR is, with its basic principles and consequences
2. What happened since May 2018?
3. Misconceptions, questions and focus points
4. It ain’t over ‘till… the ePrivacy Regulation sings...
3. 1. Kind reminder…
All e-commerce and online marketing run on personal data
This is no different in today’s digital travel industry
GDPR applies to ALL databases (clients, marketing, sales, HR, purchasing, accounting, …)
In the words of the European Commission: “data has become a currency”
(cfr. Draft Directive 2015/0287 on digital content delivery contracts)
Fines of up to 4% of annual turnover or 20 million euro
4. 1. Kind reminder
Basic principles
Accountability
Transparency
Data Protection by design
Data protection by default
Purpose limitation
Data minimisation
Accuracy
Limited retention time
Data security
5. 1. Kind reminder
Your main to-dos under GDPR
Impact / Risk Assessment
Action plan with “appropriate” measures
Data Processing Agreements + possibly Data Export Agreements
Data register
Information duties
Data Protection Officer
6. 2. What happened since May 2018?
National Data Protection Laws to “implement” GDPR (in Belgium in September 2018)
Data Protection Authority was launched (Gegevensbeschermingsautoriteit)
First spontaneous information requests by Belgian DPA
First background checks of DPOs in the Netherlands
First fines in Germany, England, Spain
7. 2. What happened since May 2018?
In our practice
A number of data breaches (also with clients in the travel industry)
Discussions on the content of Data Processing Agreements
Data Protection Impact Assessments on new apps, new processing activities
Start of DPO missions
Phishing expeditions (often originating in Germany)
Investigations by consumer protection organisations (Test-Aankoop)
8. 3. Misconceptions...
“I am not a data processor” (travel agents and TO’s)
“I can keep and use my customer data forever” (any marketeer you talk to)
“My external IT is responsible for security” (anyone with external IT)
“We don’t treat sensitive data, so we are not concerned” (far too many managers)
“We don’t use cookies, so we are GDPR compliant” (those same managers)
“We have to throw away our entire existing database” (panicking marketeer)
9. 3. Misconceptions, questions...
Do I need a DPO? Can I still buy data? Can I still exchange data with partners?...
4 basic questions to answer all questions...
Do I have a legal ground?
Did I inform the data subjects?
Is the data stored and processed safely?
Is an activity “proportional” (data minimisation, purpose limitation, limited retention time, …)?
10. 3. Misconceptions, questions and attention points...
Data breaches and how to (re)act
Data export limitations
Respecting information obligations (and avoiding unnecessary complaints)
Liability and false promises
“Saving” your existing database
11. 4. We’re not home yet…: ePrivacy Regulation
Another Regulation on privacy? Yes...
A number of problems not solved in GDPR
Timing: “probably somewhere in 2020” is the latest guess
Will complement GDPR with a number of practical matters
12. 4. We’re not home yet…: ePrivacy Regulation
Review and simplification of cookie rules
Review and simplification of direct marketing rules
Stricter rules for telemarketing
Stricter rules on privacy protection of electronic communication
13. Helping hand
Code of Conduct
= “ethical code” of associations
Contains rules on how to handle data for their members
Can be approved by authorities
Association has to provide control/supervision
Advantage: once approved, can create a presumption of compliance with a series of obligations for association members
ABTO / VVR / …?
14. Don’t be this guy, be prepared…
15. Media & advertising law
IP law
Internet & e-commerce
Privacy & data protection
Gambling law
Travel & consumer protection
Commercial & contracts
Corporate - tax - labour - real estate
bart@siriuslegal.be
www.siriuslegal.be
@BartVdBrande
Linkedin.com/in/bartvdb