This document provides an overview of the General Data Protection Regulation (GDPR) from a legal perspective. It discusses key changes and obligations under the GDPR, including territorial scope, lawfulness of processing, rights of data subjects, roles of controllers and processors, data security requirements, and sanctions for noncompliance. The GDPR aims to strengthen and harmonize data protection across the EU by directly applying in all member states and ensuring free flow of personal data. It applies from May 25, 2018 and organizations should take action now to ensure compliance.

2. Presented by: Karel Holst
Legal Counsel IFORI
karel.holst@ifori.be
Blog: www.gdprexpert.be
THE GENERAL DATA PROTECTION REGULATION - GDPR
Legal Perspective
DE ALGEMENE VERORDENING GEGEVENSBESCHERMING - AVG

3. Overview
Data Protection

4. 4
Fundamental Rights
EU Charter of Fundamental Rights, article 8(1): “Everyone has the right to the
protection of personal data concerning him or her.”
[≠ ECHR/UDHR] [≠ right to privacy]
Through the expansion of the ‘information society’ the public and private
sector increasingly process larger quantities of Personal Data (e.g.
HR/Customer-data)
EU and national legislative initiatives

5. 5
1995: Directive
‒ Requires national
implementation
‒ EU Data Protection Directive
(95/46/EC)
E.g. Belgium: The Privacy Act
EU Legislative Acts
2016: Regulation
‒ Direct effect in the EU
‒ From the day it enters into force
GDPR: 24 May 2016, but applies from 25
May 2018 (2 year transitional period)

6. 6
Why a new overriding Regulation?
Directive 95/46/EC sought to harmonize national legislations and ensure
free flow of data within the EU
But:
– Still differences in national implementation and application
– Limited cooperation between Data Protection Authorities (‘DPA’)
– Many technological & societal changes in the 20 years since Dir. 95/45/EC
– Strengthen Data Subject's rights

7. 7
Personal Data are everywhere!
“Any information relating to an identified or identifiable natural person”
E.g. Name, location data, IP-address, customer number, …
Stricter rules for special categories of Personal Data (general
prohibition)
‒ Racial or ethnic origin
‒ Political options
‒ Genetic and biometric data, solely for identification purposes
‒ Health data
‒ …
Personal Data

8. 8
Processing
Personal Data
e.g. Customer Data
‒ Name
‒ Date of birth
‒ Address
‒ …
Controller
Determines the purposes
and the manner of the
processing
e.g. iFORi
For marketing purposes,
through an online registration
form
Data Subject Processor
Separate legal
entity
processes on behalf
of the Controller
e.g. Marketer
carries out mail
marketing

9. 9
Main objective
Ensure the right of an individual to make his own decisions regarding the
information that relates to him.
Principles of processing:
‒ Fair, lawful and transparent
‒ Purpose limitation
‒ Data minimization
‒ Accuracy
‒ Storage limitation
‒ Integrity and confidentiality

10. Key Obligations/Changes
GDPR

11. 11
I. Territorial Scope
The GDPR applies when:
‒ Processing in the context of activities of an establishment in the EU
‒ When the data subjects are located in the EU, and the processing is
related to:
• Offering goods or services
• Monitoring of their behavior (in the EU)

12. 12
II. Lawfulness
A valid legal basis to process the data is required:
‒ Consent
• Freely given, specific, informed and unambiguous
• It must be given by a statement or a clear affirmative action (thus opt-
out NOT possible)
• Proof of consent to be provided by Controller
• Withdrawable
• Obtained separately
• Children: when offering information society services, processing is only
lawful where the child is at least 16 years old. Younger = consent by
holder of parental responsibility

13. 13
III. Rights of the data subject
‒ Transparency
‒ Access
‒ Rectify
‒ Erasure (right to be forgotten)
‒ Restriction
‒ Portability
‒ Object
‒ Not be subject to automated decision making/profiling

14. 14
IV. Controllers and Processors
Controllers
‒ Privacy by default & design
‒ Records (Notification)
• Not where <250 employees, unless high risk
• Including general description of security measures
‒ Data breach notification
‒ Privacy Impact Assessment(PIA)/Prior consultation of DPA
‒ Data Protection Officer (DPO)
‒ Data security

15. Data Breach Notification
To Data Protection Authority (DPA)
– 72h deadline
– Specific information
– Documentation
To data subject
– High risk to rights and freedoms
– Clear and plain language
– Exceptions

16. Data Protection Officer (DPO)
When?
‒ Public authority or body
‒ Regular and systematic monitoring of data subjects
‒ Processing of special categories of data
Tasks?
‒ Inform and advise on the obligations pursuant the GDPR
‒ Monitor compliance
‒ Advise on draft of PIA
‒ Cooperate with DPA
‒ External contact
Who?

17. Data Security
Ensure confidentiality, integrity, availability, resilience
By implementing appropriate technical and organizational measures
Risk based approach (the state of the art, the costs of implementation, …)
– Encryption/Pseudonymisation
– Audits
– Back-up and redundancy

18. Pseudonymisation
“The processing of personal data in such a way that the data can no longer be
attributed to a specific data subject without the use of additional information”
– Process beyond original collection purposes;
– Safeguard for processing personal data for scientific, historical and statistical purposes;
– Feature of data protection by design;
– Helps meet Data Security requirements;
– Limits the rights of Data Subjects

19. 19
Processors
‒ Comply with specific obligations
• Records
• Data Security
• PIA/DPO
• Breach notification to Controller
‒ Directly liable

20. 20
V. Transfers
General prohibition on transfers outside EEA (28+3)
– Adequacy Decision
• White list
• Privacy Shield (US)
– Appropriate Safeguards
• Model Clauses (EC/DPA/Ad hoc)
• Binding Corporate rules
• Codes of conduct/ Certification
– Derogations (e.g. explicit consent)

21. 21
VI. Sanctions
Administrative Fines by DPA: effective, proportionate & dissuasive
– Up to, the greater of €20.000.000 or 4% of total worldwide annual turnover of
an undertaking
Private claims by data subjects
– DPA
– Courts for compensation from Controller or Processor
Criminal penalties possible where provided by member states

22. 22
VII. “One-stop-shop”
Controllers and Processors answer to a ‘lead supervisory authority’
– Based on their single or main establishment in the EU
– For cross-border processing
But supervisory authorities may still address infringements
– If it relates to an establishment in its MS or;
– If it substantially affects data subjects in its MS
Consistency through cooperation between DPA’s with EDPB oversight

23. Cookies, Network Infrastructure, Employees
Related Legal Acts

24. 24
Directive on privacy and electronic communications - Telecoms Law
– Information
– Consent
GDPR
– Processing of personal data
‒ Controller: You/Third party cookie provider
‒ Processor: Third party cookie provider
Cookies

25. 25
 Strengthening Cybersecurity within the EU
 For sectors which are vital for economy and society:
– Operators Of Essential Services
– Energy
– Transport
– Banking
– Financial market infrastructures
– Health sector
– Drinking water supply and distribtuion
– Digital infrastructure
– Digital Service Providers
– Online Marketplaces
– Online search engines
– Cloud computing services
NIS: Network and Information Security Directive

26. 26
Monitoring E-mail: Belgium: CAO nr. 81 & Privacy Act
Principles: Finality, Proportionality, Transparency
– Professional communications(?): Access (?)
– Non-professional communications: Individualization Procedure
See also recommendations by Privacy Commission
GDPR allows for more specific national rules in the context of employment
Employees

27. Call to action
Conclusion

28. 28
Take Action
Not everything has changed, just as not everything has been harmonized
New obligations but also removal of some administrative burdens and
further guidance
(New) technologies introduce new compliance risks, but technologies can
also be used to mitigate risk and/or ensure compliance
Take action now!
GDPR applies from 25 May 2018

29. IFORI GENT
Victor Braeckmanlaan 107
9040 Gent, Belgium
Tel: +32 9 230 36 62
Fax: +32 9 231 63 71
E-mail: info@ifori.be
IFORI ANTWERPEN
Satellietkantoor
Kapelsesteenweg 195/1
2180 Antwerpen, Belgium
FACTURATIEGEGEVENS
IFORI BVBA
RPR: 472.073.759 (Gent)
BTW: BE 472.073.759
IBAN: BE17 2900 5044 0021
BIC: GEBABEBB
Thank you
Questions?
WWW.IFORI.BE
WWW.GDPREXPERT.BE