General Data Protection Regulation
The General Data Protection Regulation (GDPR), the new European privacy law, replaces the Belgian "Privacy Act" of 8 December 1992 as of 25 May 2018.
In English: General Data Protection Regulation (GDPR)
In French: Règlement Général sur la Protection des Données (RGPD)
Requesting and using a loyalty card in a department store or shop, filling in an online form on a webshop, simply entering a competition, posting photos on social media: every time, we hand over or send personal data to all kinds of people, companies or institutions. In the terminology of the European General Data Protection Regulation, these recipients are the "controllers".
Governments, associations and organisations also often process a great deal of personal data of citizens, members and volunteers as part of their assignment. This is no different for 11.11.11.
What?
The General Data Protection Regulation (AVG, the Dutch acronym), the new European privacy law, replaces the Belgian "Privacy Act" of 8 December 1992 as of 25 May 2018. That Belgian act was itself the national transposition of a European Directive into Belgian law. What is special about the AVG is that it applies in all member states of the European Union without each country having to translate its content into its own laws. At most, countries may impose additional obligations or, within certain limits, adjust privacy aspects that the Regulation leaves undefined or defines rigidly.
Not entirely new
Many of the rights and obligations provided for in this new European privacy law already existed, in whole or in part, in the Belgian "Privacy Act", so quite a few obligations are already familiar. A number of obligations are now being tightened, however, and the party that processes personal data must be better able to demonstrate that this is done with the necessary care and with respect for the privacy rights of every citizen.
Principles of the new privacy law
What is “personal data”?
Personal data is any information about a person that can be used to identify that person directly or indirectly. The term "personal data" is to be interpreted broadly. No distinction is made between confidential/publicly accessible and professional/non-professional information.
For example: a username, a name, a photo, a social security number, an internal registration number, a licence plate, a postal address, a telephone number, location data, an online identifier (such as an IP address), medical data (a CT scan, blood group, medical condition, ...), a sound recording of a conversation, a video posted on YouTube or Facebook, ...
When is processing of personal data permitted?
In general, personal data may only be processed if there is a valid reason for doing so, a legitimate purpose.
What should be taken into account?
There are a number of principles that are important when processing personal data. We summarize the most important ones below:
What is a processing?
- Processing is everything we can do with a certain piece of information: retrieve it, put it in a file folder in a filing system, process it in an IT program, store it in a database, enter it in a list, print out such a list or images, publish it on the Internet, etc.
Why do we process personal data?
- There must be a “purpose limitation”: the data is collected for a specific and explained purpose and may not simply be used for other purposes.
How do we process personal data?
- Processing of personal data must be lawful, fair and transparent: no collection for the sake of collection. The persons whose data is collected, processed, stored, etc. must be informed about what happens with their data afterwards, and the controller must be able to account for and justify this.
- Accuracy: one must strive to obtain and process the data as accurately as possible, and correct it where necessary.
- Integrity and confidentiality: the data may not be altered, and only those who are authorised or have permission to do so may view, use or process it.
- Storage limitation: personal data may not be kept indefinitely; once it is no longer needed, it must be deleted or destroyed in an appropriate manner.
- Data minimisation: do not collect or keep more personal data than is necessary for a specific legal obligation, assignment, task or information-gathering purpose.
- Extra care must be taken with children's personal data.
- Security measures must be taken in proportion to the risks that the processing of the data may entail.
- In the event of a data breach or data loss, a good incident management organisation should make it possible to report this rapidly to the Data Protection Authority. If there is a serious risk to privacy or security, the persons concerned must also be notified.
- Data may not simply be passed on; there are restrictions and rules to be followed. This means, among other things, that transfers to certain countries outside the European Union are not simply possible; in such cases, additional safeguards and/or authorisations are required.
Note: This European General Data Protection Regulation does not apply to the "domestic sphere". And special rules apply to the police, justice and national security.
Rights of the "data subject" (= every natural person, so you and me)
- Right to information (about which personal data of yours is processed and how this is done).
- Right of access to personal data (right of inspection).
- Right to rectification (if the collected or processed information contains errors).
- Right to erasure (this is not absolute).
- Right to restriction of processing.
- Right to object to certain processing of your personal data.
- Right to object to automated decision-making, including profiling (the creation of a profile of you based on aggregated personal data - for example a profile of purchasing or spending behaviour).
- NEW! Right to data portability.
Want to know more?
- www.privacycommission.be/NL: all information about the General Data Protection Regulation from the Belgian Privacy Commission can be found in bundled form at www.privacycommission.be/nl/algemene-verordening-gegevensbescherming-avg#
- ikbeslis.be: a dedicated website of the Privacy Commission about young people and privacy. Also recommended for adults, with clear language.
- Video "The new privacy law from A to Z" by Ik beslis (I decide), a YouTube video from the Privacy Commission (29/01/2018): this video of under 4 minutes briefly covers the main points of the GDPR. What is the GDPR about? What are the rights and obligations under the GDPR, and where can one go if things go wrong?
- Data protection - Rules for the protection of personal data within and outside the EU: webpage of the European Commission on the new European privacy law, available in all official languages of the European Union.