Veelgestelde vragen

No, it is not necessary to make your record of processing public. You must, however, be able to make the record available to the data protection authority upon request.

 

More information:

 

The GDPR distinguishes between two main roles: those of data controller and data processor. This distinction is crucial as the data controller bears more responsibility and has to fulfil more obligations than the processor.

Data controllers and processors can be natural or legal persons, for example: an SME, a public authority, a company, an organisation, a state body, an association etc.

A data controller determines the purposes and means of a processing operation. In other words, the controller decides the how and why of a processing operation. Whereas processors process personal data on behalf of the controller. The processing carried out by processors needs to be regulated by a contract with the data controller or other legal act.

Examples of data controllers:

  • companies that process the personal data of their customers to complete a sale;
  • financial institutions that process personal data of their clients;
  • associations that process the data of their members;
  • schools or universities that process personal data of students and teachers;
  • hospitals that process personal data of their patients;
  • government agencies that process personal data of citizens.
     

Examples of data processors:

  • an SME hires a bookkeeping service to keep its books and records, the SME is a data controller and the bookkeeping service a data processor;
  • a payroll company processes personal data for an SME. The payroll company will act as a processor if it solely processes the personal data on behalf of the SME. The SME determines the purposes and means of the data processing, and is therefore data controller.
  • an SME commissions a marketing company to collect email addresses via third-party websites.  The marketing company does this according to the explicit instructions of the SME and for the SME’s exclusive purposes. The marketing Company acts as processor for this collection.

 

More information:

Personal data means any information relating to an identified or identifiable individual. An identifiable individual is anyone who can be identified, either directly or indirectly. Different pieces of information that added together could lead to the identification of a particular person also constitute personal data.

Examples of personal data include:

  • name and surname;
  • a home address;
  • an email address;
  • an ID card number;
  • location data;
  • an Internet Protocol (IP) address;
  • a cookie ID;
  • bank accounts;
  • tax reports;
  • biometric data (like fingerprint);
  • a social security number;
  • passport number;
  • test results;
  • grades in school;
  • browsing history;
  • photograph of individual;
  • vehicle registration number etc.

 

More information:

 

Generally speaking, every organisation should keep a record of their processing activities. This is an inventory of all processing operations and can help you make correct assumptions of your responsibilities under the GDPR and possible risks.

Each of these processing operations must be described in the record with the following information:

  • the purpose of the processing (e.g. customer loyalty);
  • the categories of data processed (e.g. for payroll: name, first name, date of birth, salary, etc.);
  • who has access to the data (the recipients – e.g.: the department in charge of recruitment, the IT service, management, service providers, partners...);
  • where applicable, information related to transfers of personal data outside the European Economic Area (EEA),
  • where possible, the storage period (the period for which the data are useful from an operational point of view, and from an archiving perspective).
  • where possible, a general description of the security measures.

The record of processing activities falls under the responsibility of your organisation’s manager.

This record must be available to the data protection authority of the EEA country where you operate, if requested.

It is not required for organisations employing fewer than 250 persons to mention purely occasional activities in their record (e.g. data processed for one-off events such as the opening of a shop).

 

More information:

 

The GDPR applies to the use of cookies when these are used to process personal data, but there are also more specific rules for cookies included the ePrivacy Directive.

The storing of a cookie, or the gaining of access to a cookie already stored, in the terminal equipment of a user is only allowed on condition that the subscriber or user concerned has been adequately informed (in particular about the purposes of the processing) and has given their consent.

The only exception are technically necessary cookies. Organisations do not need to ask for consent when using technically necessary cookies on their websites.

 

More information:

 

Yes, your clients must be informed, when they make a telephone call, of the purposes of the recording, the recipients of the recordings, of their right to object and their right to access the recordings.

 

More information:

 

The first step to installing CCTV is to identify the purpose or purposes for doing so. The purposes for installing CCTV can be varied, such as ensuring the security of premises, aiding in the prevention and detection of theft and other crimes, or protection of the lives and health of employees, due to the nature of work.

As with any processing of personal data, the recording of individuals  must have a legal basis under the GDPR. Consent can provide a legal basis for such data processing. However, this is unlikely to apply to the use of CCTV in most cases, as it will be difficult to obtain the freely given consent of everyone likely to be recorded. The most common legal ground for this kind of processing of personal data is legitimate interest. When processing is based on a legitimate interest, you will need to carry out a balancing test to determine whether your legitimate interests outweigh individual’s rights.

You will need to inform individuals that they are being recorded. This can be done by placing easy to read signs in prominent places. In addition, a sign indicating the purpose of the CCTV system and the identity and contact details of the data controller should be placed at all entrances.

Individuals whose images are being recorded by a CCTV system should be provided with, the following information:

  • the identity and contact details of the data controller;
  • the purposes of the processing;
  • the legal basis of the processing (if legitimate interest, specific information about which legitimate interests relate to the specific processing, and about which  entity  pursues  each  legitimate  interest.);
  • the contact details of the Data Protection Officer, DPO (if there is a DPO);
  • the recipients or categories of recipients of the data;
  • the security arrangements for the CCTV footage;
  • the retention period for CCTV footage;
  • the existence of individuals’ rights under the GDPR and the right to lodge a complaint with the national data protection authority.

 

More information:

Yes, you can, but the GDPR places certain obligations on businesses which share personal data. Your organisation must inform individuals that you will share their data with a third party. You must also inform them of your purposes, security, access and the retention measures that will apply.

You should respond without undue delay and at the latest within one month after receipt of the request. This deadline can be extended by another two months if the request is too complex and more time is needed to answer, provided that the individual is informed of this within one month after receiving the request.

You must do this free of charge.

 

More information:

 

Cookies are small files stored on a device, such as a computer, a mobile device or any other device that can store information. Cookies serve a number of important functions, including remembering  users and their previous interactions with a website. They can be used to keep track of items in an online shopping cart or to keep track of information when details are inserted into an online application form.

Authentication cookies are also important to identify users when they log into banking services and other online services. The information stored in cookies can include personal data, such as an IP address, a username, a unique identifier, or an email address.