1
GDPR.
Matthias Dobbelaere-Welvaert
So what?
2
About
theJurists
theJurists is specialized in privacy, digital law,
intellectual property law and company law.
theJurists believes in digital transformation and
artificial intelligence, and works hard on
projects that aim at making the law accessible
to all. We stand for open, transparent and
innovative law.



Gent - Brussel - London - Paris - Amsterdam
theJurists Europe is a contemporary legal
boutique office and has been a pioneer in
digital law for eight years.
3
About
Matthias
MATTHIAS DOBBELAERE-WELVAERT
Matthias is the Managing Partner of theJurists Europe,
which has offices in Ghent, Brussels, Amsterdam, Paris
and London. He is a member of the board of directors
of FeWeb and Gent Web Valley. He is a ‘Copyright and
Mediarights’ professor at the EHB. He is specialized in
online privacy, cybercrime and art. 10 ECHR.
theJurists Europe.
MANAGING PARTNER
4
What is Privacy?
Personal data means all data
relating to a living individual
who is or can be identified
from the data.
5
art. 8 ECHR
Right to respect for
private and family life.
1/ Everyone has the right to
respect for his private and
family life, his home and his
correspondence.
2/ There shall be no interference
by a public authority with the
exercise of this right except
such as is in accordance with
the law and is necessary in a
democratic society
6
The Data Protection
Authority (Privacycommissie)
Bart Tommelein, the former state secretary for
privacy, created a furore by suing Facebook,
winning the case in the first instance, and…
eventually losing the case.
His successor, Philippe De Backer, now wants to
sue Google for alleged violations of privacy.
What are the priorities of the DPA?
Eager for media attention or
actual watchdog?
7
Information
is the new
gold
There is no such thing as a free lunch. If there is
no entrance fee or a selling price, the user is the
product. Privacy is a new currency. Facebook,
Snapchat, Instagram, Gmail, Twitter, etc. all
apply this principle. (More) data is always the
purpose.
8
Debate
MORE OF THE ONE MEANS LESS OF THE OTHER
And what do you
prefer? Privacy or
Safety?
9
What is the GDPR?
A new European regulation which governs data protection in all EU member states.
The General Data Protection Regulation (GDPR) is a regulation with which the European legislator wants to strengthen the protection of personal data. The GDPR mainly focuses on the protection of the personal data of people in the EU as well as on regulating the export of personal data outside the EU. The aim is to give individuals back control over their personal data.
10
25 May 2018
The GDPR was adopted in April 2016. It entered into force on 24 May 2016 and applies in full from 25 May 2018. This gives European governments and enterprises two years to prepare for the changed legislation.
The predecessor of the GDPR is Data Protection Directive 95/46/EC, which dates from 1995 but no longer suffices in the current digital era. The GDPR, however, is no longer a directive but a regulation.
A directive has to be transposed into national legislation, whereas a regulation has direct effect.
The member states can still set their own priorities on a number of points and adapt details to national custom. There are, for example, national differences in the age below which a child needs parental consent for online services: the GDPR sets it at 16 but lets member states lower it to 13.
11
Scope
The new privacy regulation or GDPR replaces the current privacy directive. If your company currently has to comply with national privacy law, you can assume that the new regulation applies to your company as well.
12
If you are not sure whether the regulation applies to you, ask yourself the following question: does my company process personal data of people in the EU?
Do you
process data?
What is processing? What are personal data?
13
What are personal data?
Art. 4(1) GDPR: “Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
Consequently, personal data is any information that allows a natural person to be identified, directly or indirectly. This includes IP addresses and other online identifiers, and genetic or biometric data derived from human tissue. Mind the distinction between anonymous and pseudonymous data: only truly anonymised data stops being 'personal data'; pseudonymised data is still personal data, because it can be attributed to a person again with additional information.
RIGHT REFLEX
14
In other words: almost every act relating to
personal data. Teach yourself this reflex.
What is
processing?
Art. 4.2. GDPR: “Processing means any
operation or set of operations which is
performed on personal data or on sets of
personal data, whether or not by automated
means, such as collection, recording,
organization, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure
by transmission, dissemination or otherwise
making available, alignment or combination,
restriction, erasure or destruction.”
RIGHT REFLEX
15
Where does the GDPR apply?
Art. 3(1) GDPR: this Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
16
Art. 3(2) GDPR: this Regulation also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
a) the offering of goods or services to such data subjects in the Union, irrespective of whether a payment by the data subject is required; or
b) the monitoring of their behaviour, as far as their behaviour takes place within the Union.
Do you process data?
17
Where?
It no longer matters whether or not the data processing takes place within the European Union, as long as data of natural persons in the Union are processed. This is an important advance for the privacy of individuals. In the past, major internet companies like Google and Amazon argued that European privacy law did not reach them because they were headquartered in Silicon Valley. Now the GDPR applies to them as soon as they offer goods or services to, or monitor the behaviour of, people in the EU.
18
Subcontractor?
In addition, the obligations in the GDPR apply not only to companies that process personal data for their own purposes (controllers) but also to companies that process personal data on behalf of other companies (processors). When you are hired as a company to take care of another company's marketing, which includes collecting the contact details of the latter's customers, you also fall under the scope of the GDPR.
19
Your obligations under the GDPR: consent, information, security.
The existing privacy legislation already imposes many obligations that are also present in the GDPR. However, there are a number of additional obligations your company needs to prepare for in order to be GDPR compliant.
What do you have to do?
20
Consent
Consent is one of the six legal bases for processing (Art. 6(1)(a) GDPR); the conditions for valid consent are in Art. 4(11) and Art. 7 GDPR.
Consent can only be given by a clear affirmative act. It must show that the data subject agrees freely, specifically, in an informed way and unambiguously to the processing of his or her personal data. A pre-ticked box or silence does not count. If the processing has multiple purposes, the data subject must give consent for each purpose separately, and a request for consent that is part of a longer document (such as general terms and conditions) must be clearly distinguishable from the other matters.
In addition, he or she may withdraw consent at any time. Withdrawing consent must be as easy as giving it, and the data subject must be told this before consenting. Withdrawal does not make the processing that took place before it unlawful.
ART. 6 AND 7 GDPR
21
For a child under the age of 16, the following rule applies to online services offered directly to children: processing on the basis of consent is only lawful if consent is given or authorised by the holder of parental responsibility over the child.
Member states may lower this age limit to no less than 13 years, so national differences occur.
ART. 8 GDPR
22
Contract
Processing is lawful when it is necessary for the performance of a contract with the data subject (Art. 6(1)(b) GDPR). This applies for example when you want to buy a car. The seller has to ask your name, address, etc., in order to sell and deliver the car. Consent is not required here.
However, when the seller asks about your hobbies, he cannot rely on this basis: that data is not necessary for the contract.
ART. 6 GDPR
23
Legal obligation
Processing is lawful when it is necessary to comply with a legal obligation of the controller (Art. 6(1)(c) GDPR). For example, an employer must pay wages and withhold part of them for social security and taxes. To do so, he has to send employee information to the social security administration.
The remaining legal bases in Art. 6(1) GDPR:
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless those interests are overridden by the interests or fundamental rights of the data subject (balance of interests).
ART. 6 GDPR
24
Purpose & Information
The controller always has to make clear for which purposes the data are processed.
Principle of transparency: why are these data needed here?
PURPOSE INFORMATION
Lee & White consultants.
25
A bit special
Special categories of personal data, or sensitive personal data, are categories for which the legislator considers additional protection necessary (Art. 9 GDPR). These are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed to uniquely identify a person, data concerning health, and data concerning someone's sex life or sexual orientation.
Processing these data is prohibited in principle, but important exceptions exist (Art. 9(2) GDPR), such as the explicit consent of the data subject.
26
What else?
1. Take appropriate security measures (Art. 32 GDPR).
2. Respect the rights of the data subject.
3. Profiling: the data subject must always be able to object.
4. A number of additional obligations for data processors.
27
Specific
obligations
under the GDPR
The GDPR also sets out specific new
commitments. For example, Data Protection
Officers (DPOs) should be put in place if the
conditions are met, a data breach should be
reported, and there is greater accountability.
28
DPO or Data Protection Officer
The DPO has been mentioned several times and is one of the most significant changes brought on by the regulation, at least for some organisations. Under Art. 37(1) GDPR you are only obliged to designate a DPO if you have to answer yes to one of the following questions:
1. GOVERNMENT: are you a public authority or body (courts acting in their judicial capacity excepted)?
2. OBSERVATION: do your core activities consist of processing that requires regular and systematic monitoring of data subjects on a large scale?
3. SPECIAL: do your core activities consist of large-scale processing of special categories of data, or of data relating to criminal convictions and offences?
A fixed numerical threshold (an earlier draft of the regulation used 5000 data subjects per year) did not survive into the final text; "large scale" is assessed case by case. Member state law may add further cases in which a DPO is mandatory (Art. 37(4)).
29
The role of a DPO
The role of Data Protection Officer or DPO may be assigned to an existing employee. However, his or her other tasks must be compatible with the DPO's duties: he or she may not serve conflicting interests, such as deciding on the purposes and means of the processing. Within a group of undertakings a single DPO may be designated as long as he or she is easily accessible from each establishment. The DPO can be an employee of the controller or processor, but can also perform the tasks under a service contract (Art. 37 and 38 GDPR).
30
Notification of a data breach
A personal data breach means a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data (Art. 4(12) GDPR).
When a personal data breach has occurred, the controller shall notify the supervisory authority (in Belgium the Privacy Commission) without undue delay and, where feasible, not later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification is not made within 72 hours, it shall be accompanied by reasons for the delay (Art. 33(1) GDPR).
The processor (for instance an IT service provider) does not notify the authority itself but informs the controller (its customer) without undue delay after becoming aware of a breach (Art. 33(2) GDPR). Every breach, notified or not, must be documented by the controller (Art. 33(5)), and where the breach is likely to result in a high risk the data subjects must be informed as well (Art. 34).
31
Accountability
The obligation of accountability entails that companies have to check for themselves whether their data processing complies with the GDPR, and have to be able to demonstrate this at any given moment.
This is a significant change compared to the existing privacy directive. The GDPR names accountability explicitly as a principle (Art. 5(2): the controller "shall be responsible for, and be able to demonstrate compliance with" the data protection principles) and attaches a number of concrete obligations to it. For example:
1. The controller must implement appropriate technical and organisational measures to ensure, and be able to demonstrate, that processing is GDPR compliant (Art. 24);
2. Each controller, and each processor, keeps a record of the processing activities under its responsibility (Art. 30).
32
Pseudonymisation
Pseudonymisation is a concept newly introduced in the GDPR (Art. 4(5)). It means that personal data are processed in such a way that they can no longer be attributed to a specific data subject without the use of additional information.
This additional information must be kept separately and subject to technical and organisational measures that ensure the data cannot be re-attributed to the person.
Pseudonymisation therefore does not anonymise the data (which would place them outside the GDPR altogether): the data subject can no longer be identified directly, but whoever holds the key or lookup table can still re-identify the source data, and those data still exist. Pseudonymised data remain personal data, so privacy law continues to apply. Because the risk for the data subject is reduced, the GDPR treats pseudonymisation favourably: it is named as an appropriate safeguard in data protection by design and in security of processing (Art. 25 and 32), and it weighs in favour of the controller when assessing further processing (Art. 6(4)).
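As an added illustration of what "additional information kept separately" buys you in practice, the Python below contrasts an unkeyed hash of an e-mail address (which anyone with a candidate list can re-link by recomputing it) with a keyed pseudonym (HMAC under a secret key stored apart from the dataset), and shows how dropping a subject from the separately held lookup table honours an erasure request without touching the analytics rows. This is example code written for this page, not code from theJurists or from the original deck; the e-mail addresses and products are constructed sample data and the function names are the example's own.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (email, product bought). Addresses are made up.
RECORDS = [
    ("alice@example.org", "Model A"),
    ("bob@example.org", "Model B"),
    ("carol@example.org", "Model A"),
]


def naive_pseudonymise(email: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    Looks opaque, but anyone who can enumerate plausible inputs (a leaked
    customer list, a dictionary of common addresses) can recompute the hash
    and re-link the record. No separately kept secret is involved, so this
    is not pseudonymisation in the sense of Art. 4(5).
    """
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def keyed_pseudonymise(email: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key.

    The key is the 'additional information' that must be stored apart from
    the pseudonymised dataset, under its own access controls. Without it,
    recomputing the pseudonym for a guessed address is infeasible.
    """
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def build_pseudonymised_dataset(records, key: bytes):
    """Split records into the analytics dataset (pseudonyms only) and the
    lookup table (pseudonym -> email) that is kept separately from it."""
    dataset, lookup = [], {}
    for email, product in records:
        pseudonym = keyed_pseudonymise(email, key)
        dataset.append({"subject": pseudonym, "product": product})
        lookup[pseudonym] = email
    return dataset, lookup


def reidentify(row: dict, lookup: dict):
    """Re-attribution is possible only for whoever holds the lookup table."""
    return lookup.get(row["subject"])


def dictionary_attack(pseudonyms, candidates, guess_fn):
    """Attacker model: recompute guess_fn over a list of candidate e-mails and
    match against the pseudonyms. Returns {pseudonym: email} for every hit."""
    table = {guess_fn(c): c for c in candidates}
    return {p: table[p] for p in pseudonyms if p in table}


def forget(email: str, key: bytes, lookup: dict) -> bool:
    """Erasure request: drop the subject from the lookup table. The analytics
    row keeps its pseudonym and product but can no longer be re-attributed.
    Returns True if an entry was removed."""
    return lookup.pop(keyed_pseudonymise(email, key), None) is not None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: held in a KMS/HSM, never next to the data
    dataset, lookup = build_pseudonymised_dataset(RECORDS, key)
    candidates = [e for e, _ in RECORDS] + ["dave@example.org"]

    naive = [naive_pseudonymise(e) for e, _ in RECORDS]
    print("naive hashes re-identified:",
          len(dictionary_attack(naive, candidates, naive_pseudonymise)))
    keyed = [row["subject"] for row in dataset]
    print("keyed pseudonyms re-identified without the key:",
          len(dictionary_attack(keyed, candidates, naive_pseudonymise)))

    print("holder of the lookup table sees:", reidentify(dataset[0], lookup))
    forget("alice@example.org", key, lookup)
    print("after erasure:", reidentify(dataset[0], lookup), dataset[0]["product"])
```

Two points follow from the code. First, the pseudonymised dataset is still personal data: anyone with the key or the lookup table can reverse it, so both belong in a separate system with their own access control and logging, which is exactly the "technical and organisational measures" Art. 4(5) asks for. Second, using a different key per purpose (one for analytics, one for marketing) stops the two datasets from being joined on the pseudonym, which supports purpose limitation without changing the data model.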
33
Which rights does the user have?
The data subject has many rights under the GDPR, set out in Chapter III (Articles 12 to 23). The controller must facilitate them and must respond to a request without undue delay and in principle within one month (Art. 12(3)).
IN THE LAW
34
Right to information
Already existed, but extended under the GDPR (Articles 13 and 14).
If personal data is being processed, the data subject is entitled to information about (the processing of) this data. What information should be provided depends on whether the personal data were collected directly from the data subject (Art. 13) or obtained from another source (Art. 14).
35
Right of access
Already existed, but extended under the GDPR (Art. 15).
The data subject is entitled to know whether or not data concerning him or her is being processed and, if so, to obtain access to the data and to information about the processing (purposes, categories of personal data, recipients, retention period, etc.), and to receive a copy.
36
Right to rectification
Art. 16 GDPR (and Art. 18 on restriction of processing).
The GDPR explicitly recognises the right to have inaccurate personal data corrected and incomplete personal data completed.
37
Right to object
Already existed (extended for profiling). Art. 21 GDPR.
The right to object to direct marketing (absolute, no justification needed), to processing based on public interest or legitimate interests (Art. 6(1)(e) and (f)), including profiling on those grounds, and to processing for scientific or historical research. Data subjects must be explicitly informed of this right, at the latest at the time of the first communication.
38
Profiling
Automated decisions need a specific basis; explicit consent is one of them. Art. 22 GDPR.
The data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
39
Exception
This prohibition does not apply if the decision:
a) is necessary for entering into, or the performance of, a contract between the data subject and a controller;
b) is authorised by Union or member state law applicable to the controller, which also lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests; or
c) is based on the explicit consent of the data subject.
In cases a) and c) the controller must still provide safeguards, at least the right to obtain human intervention, to express a point of view and to contest the decision.
40
Right to be forgotten
New in the GDPR (Art. 17): lots of commotion.
The right to be forgotten, or right to erasure, means that in some cases data subjects have the right to obtain the deletion of their personal data without undue delay. This right applies in the following cases:
41
(1) The data are no longer necessary for the purposes for which they were collected.
(2) The data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing.
(3) The data subject objects to the processing and there are no overriding legitimate grounds (or objects to direct marketing).
(4) The personal data have been unlawfully processed.
(5) The personal data have to be erased to comply with a legal obligation under Union or member state law.
(6) The personal data were collected in relation to the offer of online services to a child (Art. 8(1)).
Exceptions exist, for instance where processing is necessary for freedom of expression, a legal obligation, public health, archiving or research purposes, or legal claims (Art. 17(3)).
When is there a right to be forgotten?
42
Right to data portability
New in the GDPR: Art. 20.
Data provided to one service provider must be easy to take along. This makes it easier to move from one service provider to another.
43
When is there a right to portability?
(1) It concerns processing based on consent or on a contract and carried out by automated means. The GDPR expressly states that this right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
(2) The data subject has the right to receive the personal data he or she provided to the controller in a structured, commonly used and machine-readable format, and to transmit them to another controller or service provider without hindrance from the controller to which the data were provided; where technically feasible, the data are transmitted directly from one controller to the other.
44
By design & by default
New in the GDPR: Art. 25.
Article 25 GDPR states that the controller must implement appropriate technical and organisational measures. These must be in place throughout the processing of personal data.
45
By design & by default
Both at the time of determining the means of processing and during the processing itself. The purpose of these technical and organisational measures is to implement the data protection principles effectively, for example data minimisation. In addition, the necessary safeguards must be integrated into the processing to comply with the GDPR and to protect the rights of data subjects. By default, only the personal data necessary for each specific purpose may be processed, and personal data must not be made accessible to an indefinite number of people without the individual's intervention.
What are technical and organisational measures? Consider pseudonymisation, minimising the personal data processed, transparency regarding the functions and processing of personal data, enabling the data subject to monitor the processing, and enabling the controller to create and improve security features (Recital 78).
46
Sanctions
Everyone is talking about it: the enormous GDPR sanctions.
The GDPR gives the Belgian Privacy Commission, as supervisory authority, the power to impose administrative fines. The maximum fine (e.g. for processing without a valid legal basis such as consent, for infringing data subjects' rights, or for non-compliance with the rules on transfers to non-EU countries) is 20 million euros or 4% of total worldwide annual turnover, whichever is higher (Art. 83(5) GDPR). A lower tier of 10 million euros or 2% applies to, among others, security and breach-notification failures (Art. 83(4)). Although these are maximum amounts, the GDPR requires that each fine be effective, proportionate and dissuasive, so it will not be possible simply to 'buy off' an infringement. So it is important to be aware of all personal data being processed!
47
Time to practice.
Some use cases.
48
Use case 1
A Chinese producer sells robots in the EU.
49
The assignment
I'm a Chinese producer of robots. I would like to start a web shop with a distribution centre in the Netherlands in order to sell my robots to Belgian consumers, to start with. I want to keep things simple for my customers, so I only ask for their email address and their favourite animal for identification at purchase. But I would like to use that email address and the list of addresses for targeted marketing, through analysis and potentially by selling those email addresses. That way, I could even make some money out of the email addresses themselves.
What should I pay attention to in order to be entirely GDPR compliant?
50
The answer.
How does a Chinese producer become GDPR compliant?
China is not European, so the GDPR does not apply? Wrong, on two counts: he processes data in the context of an establishment in a member state of the EU (the distribution centre in the Netherlands, Art. 3(1)), and his activities are directed at Belgian consumers, so he offers goods to people in the Union (Art. 3(2)(a)).

Just email addresses: personal data are data that can directly or indirectly identify a natural person. Only generic addresses such as 'info@', 'contact@' or 'team@' are likely to be too impersonal to count; an address that names or can be traced to a person falls under the GDPR.

Their favourite animal: the principle of data minimisation means that only data that are adequate, relevant and limited to what is necessary for the purposes of the processing may be collected (Art. 5(1)(c)). A favourite animal is not necessary for the purchase of a robot, and collecting it is therefore not allowed under the GDPR. If it is meant as an authentication question, a password or one-time code serves the same purpose without collecting extra personal data.

Targeted marketing and reselling the list: these are processing purposes about which the data subject must receive clear information. He needs to be told, in a privacy policy, why the data are processed, as specifically as possible and per purpose: targeted marketing must be listed separately from reselling. Both purposes go beyond what is necessary for the sale, so they need their own legal basis. For reselling the addresses to third parties that basis is consent, asked separately per purpose, with an unticked opt-in that is clearly distinguishable from the general terms and conditions (Art. 7(2)); consent buried in the terms and conditions is not valid consent. The shop's own marketing towards existing customers may also rely on the legitimate-interest basis, subject to the customer's right to object at any time (Art. 21(2)).

Further GDPR compliance: appropriate security measures against data breaches, chosen on the basis of the likelihood and severity of the risk (Art. 32); a record of processing activities (Art. 30); a breach notification procedure; and, if a third party runs the shop or the mailings, a processor agreement with it.
51
Use case 2
A Belgian developer writes software for a robot.
52
The assignment
I'm a Belgian software developer for Japanese robots that are used as greeting hosts at the branches of AXA Belgium. For AXA, the purpose of the software is to greet Belgian consumers and to ask them for some information so that the introductory meeting with the insurance broker runs smoothly. The robot asks for their name, email address, postal address and a couple of questions for risk analysis.
Who is responsible for ensuring GDPR compliance: me as the software developer, or AXA Belgium? Who is liable for data breaches?
53
The answer (1).
The Belgian software developer processes personal data for another company, AXA Belgium, through the software it develops. In that case the software developer is the processor and AXA the controller: AXA determines the purposes and means of the processing (insurance purposes).
Whether the developer is a processor at all depends on what it actually does with the data. When users enter data into the robot, the data end up in a database. That database is built by the developer, but the question is whether operating it is outsourced to the developer or handled directly by AXA (most probably AXA itself). If AXA hosts and manages the database, AXA alone processes and controls the data; a developer who only writes the software and never touches the data is not a processor.
If the developer also hosts the platform, applies updates and keeps servers and bandwidth available, it does fall under the term processor: it then processes data on behalf of the controller. In that case a processor agreement between AXA and the software developer is mandatory (Art. 28(3) GDPR), and its absence can itself lead to high fines. The agreement must cover the type of personal data processed, the purposes of the processing, the security measures, the processor's duties when a data breach occurs, the use of sub-processors, and the return or deletion of the data at the end of the contract.
54
The answer (2).
Under the current directive the obligations mainly fall on the controller, but not under the GDPR: processors have their own obligations and can be held liable when they fail to comply. Both have to comply with the GDPR.
In terms of liability: the developer is responsible for the technical measures that protect against data breaches in the software it delivers and, where it hosts the platform, in the infrastructure it runs. Whether hosting and operations are part of the assignment depends on the contract, but a developer is in any case expected to build secure platforms and software. Where AXA itself hosts, updates and secures the software, that part of the responsibility lies with AXA. Furthermore, both controller and processor must keep a record of processing activities (Art. 30), and the duty to report a data breach to each other and to the authority must be agreed, most likely in the processor agreement. Towards the data subject, controller and processor can each be held liable for damage caused by processing that infringes the GDPR (Art. 82).
55
There is still some time left: 2017 to May 2018.
What is your GDPR question?
theJurists
56
theJurists Europe.
HQ: GENT (BELGIUM)
Brussel & London, Amsterdam, Paris
5 offices in 4 European countries.
57
Get in touch.
You'll love our beer.
Chat & E-mail: webchat & Slack app, contact@dejuristen.be
Address: Heernislaan 19, B-9000 GENT
Phone: +32 9 298 04 58

GDPR: the legal aspects. By Matthias of theJurists Europe.

  • 1.
  • 2.
    2 About theJurists theJurists is specializedin privacy, digital law, intellectual property law and company law. theJurists believes in digital transformation and artificial intelligence, and works hard on projects that aim at making the law accessible to all. We stand for open, transparent and innovative law.
 
 Gent - Brussel - London - Paris - Amsterdam theJurists Europe is a contemporary legal boutique office and has been a pioneer in digital law for eight years.
  • 3.
    • Insert Image 3 About Matthias MATTHIASDOBBELAERE-WELVAERT Matthias is the Managing Partner of theJurists Europe, which has offices in Ghent, Brussels, Amsterdam, Paris and London. He is a member of the board of directors of FeWeb and Gent Web Valley. He is a ‘Copyright and Mediarights’ professor at the EHB. He is specialized in online privacy, cybercrime and art. 10 ECHR. theJurists Europe. MANAGING PARTNER
  • 4.
    4 What is Privacy? Personaldata means all data relating to a living individual who is or can be identified from the data.
  • 5.
    5 art. 8 ECHR Rightto respect for private and family life. 1/ Everyone has the right to respect for his private and family life, his home and his correspondence. 2/ There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society
  • 6.
    6 The Data Protection Authority(Privacycommissie) Bart Tommelein, the former state secretary for privacy, created a furore by suing Facebook, winning the case in the first instance, and… eventually losing the case. His successor, Philippe De Backer, now wants to sue Google for alleged violations of privacy. What are the priorities of the DPA? Eager for media attention or actual watchdog?
  • 7.
    7 Information is the new gold Thereis no such thing as a free lunch. If there is no entrance fee or a selling price, the user is the product. Privacy is a new currency. Facebook, Snapchat, Instagram, Gmail, Twitter, etc. all apply this principle. (More) data is always the purpose.
  • 8.
    8 Debate MORE OF THEONE MEANS LESS OF 
 THE OTHER And what do you prefer? Privacy or Safety?
  • 9.
    9 A new Europeanregulation which governs the privacy in the EU member states. The General Data Protection Regulation (GDPR) is a regulation with which the European Commission wants to promote the safety of data. The GDPR mainly focuses on the protection of personal information of EU residents as well as on regulating the export of personal data outside the EU. The European Commission wants to give back the control over personal data to the individual. What is the GDPR?
  • 10.
    10 The GDPR wasadopted in April 2016. It entered into force on 24 May 2016 and shall be fully applicable from 25 May 2018. This gives European governments and enterprises two years time to prepare for the changing legislation. The predecessor of the GDPR is Privacy Directive 95/46/EG which exists since 1995, but which no longer suffices in the current digital era. The GDPR, however, no longer is a directive, but a regulation. 25 may 2018 A directive has to be converted into national legislation, whereas a regulation has direct effect. The member states can still put forward their own priorities and adapt the national legislation to their own customs. There are, for example, regional differences with regard to the maximum age of children.
  • 11.
    11 Scope The new privacyregulation or GDPR replaces the current privacy directive. If your company is currently dealing with national privacy laws then you can assume that the new regulation applies to your company.
  • 12.
    12 If you arenot sure whether the regulation is applicable to you, you should ask yourself the following question: does my company process personal data of EU residents? Do you process data? What is processing? What are personal data?
  • 13.
    13 Consequently, personal datais any information which allows to, directly or indirectly, identify a natural person. This includes: IP addresses, human tissue, anonymous vs pseudonymous data: (only in the case of anonymization you no longer have to do with ‘personal data’) What are personal data? Art. 4.1. GDPR: “Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”  RIGHT REFLEX
  • 14.
    14 In other words:almost every act relating to personal data. Teach yourself this reflex. What is processing? Art. 4.2. GDPR: “Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” RIGHT REFLEX
  • 15.
    15 Where does the GDPR apply? ThisRegulation applies to the processing of personal data in connection with the activities of a branch of a processor or a processor in the Union, regardless of whether or not processing in the Union takes place.
  • 16.
    16 This Regulation appliesto the processing of personal data of persons in the Union by a data processor or controller located outside the Union when the processing involves: a) offering goods or services to those concerned in the Union, regardless of whether a payment is required by the parties concerned; or
 
 b) monitoring their behavior, in so far as this behavior occurs in the Union. Do you process data?
  • 17.
    17 It no longermatters whether or not the data processing takes place within the European Union or not, as long as data of natural persons in the Union are processed. This is an important advance for the privacy of individuals. In the past, major internet giants like Google and Amazon could escape European privacy laws as they had a headquarters in Silicon Valley. Now the GDPR will also apply to them as soons as they process personal data of European residents. Where?
  • 18.
    18 In addition, theobligations in the GDPR apply not only to companies that process personal data for their own purposes (processors) but also companies that process personal data for other companies (processors). When you are hired as a company to take care of another company's marketing, which includes the collection of the contact information of the customers of the latter, you also fall under the scope of the GDPR. Subcontractor?
  • 19.
    19 Your obligations underthe GDPR: permission, information, security. The existing privacy legislation already imposes many obligations that are also present in the GDPR. However, there are a number of additional obligations your company needs to prepare for in order to be GDPR compliant. What do you have to do?
  • 20.
    20 Permission Unlike earlier, inthe GDPR permission may be withdrawn, Permission can only be given by an active act. This must indicate that the data provider agrees freely, specifically, informed and unambiguously with the processing of personal data. If the processing has multiple purposes, the provider must give permission for each of the purposes separately. In addition, he or she may withdraw the permission at all times. Withdrawing permission should be as easy as giving it. ART. 6 GDPR
  • 21.
    21 For a childunder the age of 16, the following rule applies: Processing is only legitimate when consent or permission is granted by the person who carries parental responsibility for the child. This age limit can be reduced by other regional authorities to 13 years, so regional differences may occur. ART. 6 GDPR
    22 Agreement This applies, for example, when you want to buy a car. The seller has to ask your name, etc., in order to sell the car. Permission is not required here. However, if the seller were to ask for your hobbies, he could not rely on this justification. ART. 6 GDPR
    23 Legal obligation For example, if your employer has to pay your wage, he must withhold a part of the wage for social security. For this, he has to send employee information to social security. An employer must pay his employee and pay taxes. Other lawful bases: 1. Processing is necessary in order to protect the vital interests of the data subject or of another natural person; 2. Processing is necessary for the performance of a task carried out in the public interest; 3. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (balance of interests). ART. 6 GDPR
    24 The controller always has to clarify for which purposes the data are processed. PURPOSE INFORMATION Principle of transparency: why are these data needed here? Purpose & Information Lee & White consultants.
    25 Special personal data or sensitive personal data relate to certain categories for which the legislator considers additional protection necessary. These are personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or membership of a trade union, as well as genetic data, biometric data for the unique identification of a person, health data, or data related to someone's sexual behaviour or sexual orientation. A bit special The processing of these data is normally prohibited, but important exceptions exist.
    26 1. Take appropriate security measures; 2. Respect the rights of the data subject; 3. Profiling: the data subject must always be able to object; 4. A number of additional obligations regarding data processors. What else?
    27 Specific obligations under the GDPR The GDPR also sets out specific new commitments. For example, Data Protection Officers (DPOs) must be put in place if the conditions are met, a data breach must be reported, and there is greater accountability.
    28 DPO or Data Protection Officer The DPO has been mentioned several times and is also one of the most significant changes brought on by the regulation, or at least for some. You are only obliged to assign a DPO if you have to answer yes to one of the following questions: 1. Do you process more than 5000 data subjects per year? 2. Are you a governmental organisation or agency? 3. Do you mainly process special categories of data? 4. Do you perform regular observation on a large scale?
    29 The role of Data Protection Officer or DPO may be assigned to an existing employee. However, his or her other responsibilities must be compatible with the obligations arising from the DPO's role. He or she may not serve conflicting interests. Within a business group, one DPO may be designated as long as he or she is easily accessible for each department or establishment. In addition, the DPO can be hired as an employee by the processor, but can also perform his duties under a service agreement. The role of a DPO
    30 Notification data breach A data breach means that there is an infringement of security that accidentally or unlawfully leads to the destruction, loss, alteration or unauthorised disclosure of, or unauthorised access to, personal data. If an infringement of personal data has occurred, the processor shall report it to the Privacy Commission without unreasonable delay and, if possible, at the latest 72 hours after becoming aware of the breach, unless it is unlikely that the infringement in relation to personal data presents a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority does not take place within 72 hours, it shall be accompanied by a statement of reasons for the delay. The processor (IT service provider) informs the controller (customer) without unreasonable delay once he has noticed an infringement connected to personal data.
    31 Accountability The obligation of accountability entails that companies will have to check for themselves whether their data processing is in line with the GDPR, and they have to be able to show this at any given moment. This is a significant change compared to the existing privacy directive. Although the concept of accountability is not expressly included in the GDPR, some obligations are included in the GDPR that may fall under the concept. For example: 1. The company must take appropriate technical and organisational measures to ensure that processing is GDPR compliant; 2. Each processing manager keeps a register of processing activities (under his responsibility).
    32 Pseudonymisation Pseudonymisation is a new concept introduced in the GDPR. It means that data are processed in such a way that the personal data cannot be linked to the data subject without additional data being used. This additional data must be kept separately, and "technical and organisational" measures must be taken so that the data cannot be reconnected to the person. Data are therefore not completely anonymised by this process (which would mean exclusion from the GDPR), but the data subject can no longer be identified directly. Only the controller has the key to the source data, and there are guarantees that prevent re-identification. But the source data are still present; they are not destroyed, so you still have to comply with privacy laws. However, because the privacy risk for the data subject is reduced, privacy legislation will be more flexible regarding the processing of pseudonymised personal data.
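The slide describes pseudonymisation in the abstract: the working dataset carries no direct identifiers, the "additional data" that links it back to a person is held apart by the controller, and the data are not anonymous because that link still exists. The following is an added example, not code from the slides or from theJurists, showing one common way to implement this. The records, field names and the choice of a keyed HMAC-SHA256 as the pseudonym function are my assumptions; the slide does not prescribe a mechanism. The keyed function matters: a plain hash of an e-mail address can be reversed by hashing a list of candidate addresses, while the HMAC cannot be reversed without the separately stored key.

```python
"""Pseudonymisation with a separately held key (added example, not from the slides)."""
import hashlib
import hmac
import secrets

# Constructed sample records for the example; the people and addresses are made up.
RECORDS = [
    {"email": "alice@example.org", "name": "Alice A.", "city": "Gent", "purchase": "robot-x1"},
    {"email": "bob@example.org", "name": "Bob B.", "city": "Brussel", "purchase": "robot-x2"},
    {"email": "alice@example.org", "name": "Alice A.", "city": "Gent", "purchase": "robot-x3"},
]

# Fields that directly identify a person and therefore leave the working dataset.
DIRECT_IDENTIFIERS = ("email", "name")


def new_key() -> bytes:
    """The secret that, together with the lookup table, forms the 'additional data'.

    It is generated once by the controller and stored apart from the dataset
    (different system, different access rights) so a leak of the dataset alone
    does not allow re-identification.
    """
    return secrets.token_bytes(32)


def pseudonym_for(key: bytes, email: str) -> str:
    """Derive a stable pseudonym from an e-mail address.

    Normalising case and whitespace makes the same person map to the same
    pseudonym, so records can still be linked for analysis. Keyed HMAC is used
    instead of a bare hash because a bare hash of a guessable value (an e-mail
    address) can be reversed by brute force over candidate addresses.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Return (working dataset, re-identification table).

    The dataset keeps only the pseudonym and the attributes needed for the
    processing purpose. The table is the only way back to the person; the
    controller must keep it (and the key) separately from the dataset.
    """
    dataset = []
    table = {}
    for record in records:
        pid = pseudonym_for(key, record["email"])
        table[pid] = {field: record[field] for field in DIRECT_IDENTIFIERS}
        dataset.append(
            {"subject": pid, **{k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return dataset, table


def reidentify(pid: str, table):
    """Controller-side lookup: only possible with access to the separate table."""
    return table.get(pid)


def purchases_per_subject(dataset):
    """Example of analysis that works on the pseudonymised data without the key."""
    counts = {}
    for row in dataset:
        counts[row["subject"]] = counts.get(row["subject"], 0) + 1
    return counts


if __name__ == "__main__":
    key = new_key()
    dataset, table = pseudonymize(RECORDS, key)
    for row in dataset:
        print(row)
    print("purchases per subject:", purchases_per_subject(dataset))
    first = dataset[0]["subject"]
    print("controller can re-identify:", reidentify(first, table))
```

Note that re-running `pseudonymize` with a different key yields different pseudonyms, so two datasets pseudonymised under different keys cannot be joined by a party that holds neither key; that separation is exactly the "technical and organisational" measure the slide refers to, and it is also why the result is still personal data rather than anonymous data.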
    33 Which rights does the user have? The data subject has many rights under the GDPR. If personal data are being processed, the data subject is entitled to information about (the processing of) these data. What information should be provided depends on whether the personal data were collected directly or indirectly from the data subject. Read articles 13 GDPR and 14 GDPR. IN THE LAW
    34 Right to information Already existed, but extended under the GDPR. If personal data are being processed, the data subject is entitled to information about (the processing of) these data. What information should be provided depends on whether the personal data were collected directly or indirectly from the data subject.
    35 Right to access Already existed, but extended under the GDPR. The data subject is entitled to know whether or not data about him or her are being processed and, if this is the case, to obtain access to this information (processing, categories of personal data, recipients, duration, etc.).
    36 Right to rectification Art. 16 and 18 GDPR. The GDPR explicitly recognises the right to have personal data corrected when they are incorrect or incomplete.
    37 Right to object Already existed (extended for profiling). The right to object to direct marketing, to processing based on justified grounds and to processing for scientific or historical research. Data subjects should also be informed about this right to object.
    38 Profiling Explicit consent is now required. The data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, that has legal consequences for him or her or otherwise significantly affects him or her.
    39 This requirement does not apply if the profiling: a) is necessary for the establishment or execution of an agreement between the data subject and a processor; b) is permitted by Union or national law applicable to the processor, which also provides for appropriate measures to protect the rights, freedoms and legitimate interests of the data subject; or c) relies on the explicit consent of the data subject. Exception
    40 Right to be forgotten New in the GDPR: lots of commotion. The right to be forgotten means that in some cases data subjects have the right to obtain the removal of their personal data. This right may apply in the following cases:
    41 (1) The data are no longer required for the purposes for which they were collected. (2) The data subject withdraws his consent for processing his personal data and there is no other legal basis for the processing. (3) The data subject objects to the processing. (4) The personal data of the person concerned were processed unlawfully. (5) The personal data must be deleted to comply with a legal obligation under Union law or national law. (6) The personal data were collected in connection with the provision of services to children. When is there a right to be forgotten?
    42 Right to data portability New in the GDPR: art. 20. Data provided to one service provider must be easily recoverable. This way, it is easy to move from one service provider to another.
    43 (1) It should concern data processing that is based on consent or on an agreement. The GDPR expressly states that this right does not apply to processing necessary to fulfil a public interest mission or to exercise public authority. (2) There is the right to recover the personal data provided to the processor and to transfer the data to another processor or service provider without the first processor being able to contest this. When is there a right to portability?
    44 By design & by default New in the GDPR. Art. 25 Article 25 GDPR states that technical and organisational measures must be taken. These must be taken throughout the process of processing personal data.
    45 By design & by default Both at the time of determining the means of processing and during the processing itself. The purpose of these technical and organisational measures is to effectively implement the data protection principles, for example data minimisation. In addition, the necessary safeguards must be incorporated in the processing to comply with the GDPR and to protect the rights of the parties concerned. What are technical and organisational measures? Consider pseudonymisation, transparency regarding the functions and processing of personal data, enabling the data subject to control the processing of his or her information, and enabling the processor to create and improve security features.
    46 Sanctions Everyone is talking about it: the enormous GDPR sanctions. The GDPR will give the Belgian Privacy Commission the power to impose an administrative fine. The maximum fine (e.g. for absence of required consent or non-compliance with the rules on data exchange with non-EU countries) is 20 million euros or 4% of worldwide turnover. Although these are maximum amounts, the GDPR determines that the Privacy Commission must ensure that the fine is deterrent. Therefore, it will not be possible to simply 'buy off' an infringement. So it's important to be aware of all personal data being processed!
    48 User case 1 A Chinese producer sold robots in the EU.
    49 I'm a Chinese producer of robots. I would like to start a web shop with a distribution centre in The Netherlands in order to sell my robots to Belgian consumers, to start with. I want to keep things simple for my customers, so I only ask for their email address and their favourite animal for identification at purchase. But I would like to use that email address and the list of addresses for targeted marketing, through analysis and potentially selling off those email addresses. That way, I could even make some money out of the email addresses themselves. What should I pay attention to in order to be entirely GDPR compliant? The assignment
    50 How does a Chinese producer become GDPR compliant? China: not European, so doesn't fall under the GDPR? Wrong: because he directs his activities through an establishment in a Member State of the EU (The Netherlands). Also, his activities are directed at Belgian consumers, therefore he is processing data of EU nationals.
Just email addresses: personal data are data that could directly or indirectly identify a natural person. Only email addresses such as 'info@, contact@, team@' will be considered too impersonal. Other email addresses do fall under the GDPR.
Their favourite animal: the principle of data minimisation implies that only those data that are strictly necessary for the intended purposes of the processing may be collected. Asking for their favourite animal collects data that are not necessary for the purchase of a robot, and this will therefore no longer be allowed under the GDPR.
Targeted marketing + reselling of the list: these are processing purposes about which the data subject must receive clear information. He needs to be made aware (through a privacy policy or general terms and conditions) of the reasons for the processing. These need to be as specific as possible. Moreover, each specific purpose needs to be mentioned separately, so targeted marketing must be mentioned separately from reselling. This form of marketing requires explicit consent in the general terms and conditions.
Further GDPR compliance: reasonable and adequate security measures against possible data breaches, based on an estimate of the severity of a breach and the degree of security. Keeping a data register and a record of the data being processed. Consent for the processing can be given in the general terms and conditions. The answer.
    51 User case 2 A Belgian once used a Chinese robot.
    52 I'm a Belgian software developer for Japanese robots that are used as greeting hosts at establishments of AXA Belgium. For AXA, the purpose of the software is to greet Belgian consumers and to ask them for some information in order to make the introductory meeting with the insurance broker run smoothly. The robot asks for their name, email address, address and a couple of questions for risk analysis. Who is responsible for ensuring GDPR compliance: me as software developer, or AXA Belgium? Who is liable for data breaches? The assignment
    53 The Belgian software developer is going to process personal data for another company, AXA Belgium, through the software that it develops. In this case, the software developer is the processor and AXA the data controller (AXA determines the ultimate purposes for which the data are processed: insurance purposes). In the other case it's different: if users put data into the robot, that data ends up in a database, and that database is created by an IT'er, but the question here is whether the management of the database is outsourced to the IT'er or is directly taken care of by AXA (most probably by AXA itself). If AXA manages and hosts the database, AXA also processes and controls the data; if the IT'er just creates the software and does not process the data, it is not a processor. If the IT'er is also responsible for hosting the platform, with updates and keeping servers and bandwidth available, the IT'er falls under the term processor. Then it processes data on behalf of the controller. It is important to have a processor agreement between AXA and the software developer. In the absence of such an agreement, there can be high fines. This needs to include arrangements on the type of personal data being processed, the data processing purposes, what the software developer will undertake in case of a data breach, etc. The answer (1).
    54 Under the current directive the obligations mainly concern the data controller, but not under the GDPR: processors are subject to more obligations and can be held liable when they are not compliant with the GDPR. Both have to comply with the GDPR. In terms of liability: the IT'er will have the responsibility to ensure technical measures that can safeguard against data breaches. Whether or not this is included in the assignment will depend on context. It is of course expected of an IT'er to develop safe platforms/software, unless AXA is itself fully responsible for hosting and for updating and securing the software. Furthermore, both controller and processor need to keep a data register and have to agree on the duty to report a data breach, most likely in a processor agreement. The answer (2).
    55 There is still some time left: 2017 to May 2018. What is your GDPR question?
    56 theJurists Europe. GENT (BELGIUM) HQ, Brussel & London, AMSTERDAM, PARIS: 5 offices in 4 European countries.
    57 Get in touch. You'll love our beer.
Chat: Webchat & Slack app
E-mail: contact@dejuristen.be
Address: Heernislaan 19, B-9000 GENT
Phone: +32 9 298 04 58