What does this change for your HR policy?

What?

What does this mean for your company?

Almost every company processes personal data on a large scale of a number of different categories of people: employees, applicants, (contact persons of) customers and suppliers, consultants, consumers, visitors of their website, ...

“Personal data” is an umbrella term for any information by which one can identify a person, directly or indirectly, such as the name, the address, the e-mail address, the national registry number, the salary data, the online profile, the IP address, or the log-in details.

The concept of “processing” is defined so broadly that almost any operation performed on personal data is considered as processing, such as collection, recording, storage, adaptation, alteration, consultation, use, disclosure by transmission, dissemination, or erasure. However, one condition is that the processing is at least partially carried out by automated means or, if not, that the personal data are intended to be contained in a filing system.

Confirmation and reinforcement of existing principles

The GDPR mainly confirms the existing principles, for example with respect to the processing of personal data in an acceptable, legitimate and secure way. The basic rules with respect to the transfer of personal data to countries outside Europe remain largely the same as well. Furthermore, the existing rights and obligations are reinforced.

Think about these persons’ right to have access to, rectify or erase personal data (the so-called “right to be forgotten”) or to transmit them to a third party (“data portability”). But also the companies’ obligation to process personal data as securely as possible, using safeguards such as anonymisation, pseudonymisation or encryption, is reinforced (‘data protection by design and by default’). Processors also will still have to enter into contracts with companies who process personal data on their behalf (e.g. payroll administrators, external IT service providers,...). However, the processors themselves will have greater responsibility than they have today.

The "one-stop-shop" principle

In the future, companies with one or more branches in the European Union performing cross-border processing of personal data in different European Member States will only have to work with one single central administration, whereas previously they had to verify in each Member State separately which actions they had to undertake. In that case, the supervisory authority of the Member State in which the main establishment of the company is situated will be considered as the “lead authority”.

Reinforcement of the information obligation

Under the ’old’ legislation regarding data processing, the processor already had to provide specific information to the data subjects when processing their personal data. For example, the persons concerned had to receive the following information: For which purposes is my data being processed? To whom is my data being communicated? Who can I contact to execute my rights?

This information obligation has been further reinforced by the GDPR.       

Henceforth, the company will for instance have to indicate, in addition to the information which was already required, on which legal ground the processing of personal data is based. This legal ground can for instance be a legal obligation, the consent of the data subject or the ecessity for the performance of a contract to which the data subject is a party. Besides these legal grounds, the company will often be able to use the residual category of the legitimate interests.         

The GDPR now obliges companies to describe this legitimate interest in the information, and - for this purpose - conduct a balancing test.  

Companies will also, for example, have to communicate in advance if they intend to transfer data outside the European Union, the period for which the data will be stored, the right to lodge a complaint with the Belgian supervisory authority (the Data Protection Authority, formerly known as the “Privacy Commission”) the right to withdraw consent (in case the processing is based on that, wholly or in part), the identity of the “Data Protection Officer” (if applicable).

This more extensive information has to be provided in an intelligible and easily accessible form, using clear and plain language. The information should, as a general rule, be provided in writing either on paper or electronically.

Consent as a legal ground for the processing

Under the ‘old’ legislation, the data subject’s consent already was a potential legal ground for the processing of personal data. Nevertheless, there has always been some debate about whether employees - in view of their employment relationship - can “freely” give their consent.

Although the GDPR maintains consent as a legal ground, this consent is subject to stricter conditions.

A declaration of consent should be freely given, specific, informed and unambiguous and should be provided by using clear and intelligible language. In this case, the company will have to demonstrate that the person has given consent. Therefore, consent must be explicit. The data subject also has the right to withdraw consent at any time.

Consequently, consent has become a less solid legal ground. Therefore, whenever possible, we advise to use other legal grounds for the processing of personal data.

Record-keeping obligations

Under the GDPR a large number of companies are obligated to maintain a register of their processing activities. This register had replaced the previous obligation to report to the former Privacy Commission. A recommendation of the Data Protection Authority indicates that the obligation to maintain a register is very broad and applies to almost every company. This register should contain a number of mandatory provisions and should be submitted at the request of the Data Protection Authority.

Mandatory appointment of a "data protection officer" for some companies

Some companies and other entities, such as public authorities or companies whose core activities consist in processing personal or sensitive data, are obliged to designate a so-called “data protection officer”. The data protection officer may be a staff member, or fulfil the tasks on the basis of a service contract. This person will advise the company of the measures which have to be taken pursuant to the GDPR and will also monitor compliance with the principles of the GDPR. This officer should be in a position to perform his duties within the company in an independent manner. He will have to report to the highest management level and may not be dismissed for performing his tasks.

Mandatory notification of breaches

If data subject’s personal data were to fall into the wrong hands, for example because the data have been hacked or due to a human or system error, the company is in some cases obliged to report this to the Data Protection Authority and to the individual concerned. Just think of an employee whose laptop containing personal data is stolen or of an e-mail containing personal data which is accidentally sent to the wrong address. A policy with a description of the various possible situations and its affiliated actions can be useful.

Higher risk of penalties

Before the arrival of the GDPR, we felt that the Belgian companies did not see it as a top priority to comply with the rules on the processing of personal data. This was, among other things, due to the fact that under the previous Belgian legislation, unlike in some of our neighboring countries, there was no real risk of penalties: criminal sanctions were provided, but were rarely applied. The Belgian supervisory authority also did not have sanctioning powers.

This has changed drastically under the GDPR.

Data subjects are able to lodge a complaint with the Data Protection Authority and may file a claim for damages.

Henceforth, companies that do not respect the rules will run the risk of being substantially fined by the Data Protection Authority, with administrative fines of up to EUR 20 million or 4% of the company’s annual global turnover.