by Hannelore Durieu and Evelien Callewaert
On May 25 2018, the General Data Protection Regulation ('GDPR') will enter into force. This Regulation encapsulates the European legislation on the processing of personal data - in other words, it is all about privacy.
A frequent misunderstanding is that "Belgium will not be ready yet" and that there is therefore no reason to panic. However, this time, the new privacy legislation is a regulation and not a directive. This means that Belgium does not have to do anything at all and the regulation can simply be invoked before the Belgian courts as from May 25 2018. From that date on, the Regulation is fully in force and, in case of a breach, fines can be imposed. Anyone who has not done anything to make sure they can comply with the law as of May 25 2018 has a real problem. If you do not adhere to the GDPR rules, you run the risk of substantial penalties, with administrative fines of up to € 20 million or 4% of the company's annual global turnover.
The scope of the GDPR is so wide-ranging that every business that processes personal data in the EU or offers services in the EU falls under it. The size of your company or your activity does not play a role. Even if you are only B2B-active, you are subject to the GDPR rules. Every company that keeps customer records or has its own staff processes personal data and is thus subject to the GDPR.
The GDPR's central objective is to give control back to the individual. Every individual has the right to know the purposes for which their personal data are collected and what happens to these data. Your company can no longer just casually process personal data. You must always have a clear legal basis. 'Consent' is the most well-known legal basis, but processing may also be necessary for the execution of an agreement or under a legal obligation that applies to you. As a company you must communicate very clearly why you process personal data, what legal basis you are relying on and to whom this information is passed on.
It is very important to note that you, as a company, are responsible for the data you retain with regard to your customers and your employees. This will also be the case if you have this data processed by a third party (e.g. storage of your database in the cloud, payroll administration by your social secretariat, etc.). It is your responsibility to pass on personal data only to third-party companies that comply with the GDPR.
With less than 40 working days to go, the GDPR is right around the corner. Let our team of experts help you so that you're well on your way by 25 May 2018 and can avoid any fines.
In our opinions, we rely on current legislation, interpretations and legal doctrine. This does not prevent the administration from disputing them or from changing existing interpretations.