Lecture 25/10 Data protection: HOW MUST A CONTROLLER COMPLY WITH THE GDPR
-> Legal Framework
The old framework under the 1995 Data Protection Directive required data
controllers to notify their data processing activities to the Data Protection
Authorities (DPAs). However, this system became outdated with the rise of the internet
and digital transformation, making such notifications impractical and inefficient.
To adapt to the modern digital environment, the General Data Protection Regulation
(GDPR) introduced a shift from external notification requirements to the principle of
accountability.
-> Principle of Accountability; the controller is always responsible
Under the GDPR, the burden of ensuring and demonstrating compliance rests on the
controllers and processors. They are responsible for:
• Implementing appropriate measures to ensure compliance with GDPR.
• Maintaining documentation that can demonstrate compliance to authorities or
courts when necessary.
• Conducting assessments (e.g., Data Protection Impact Assessments, DPIAs) and
maintaining related documentation.
This accountability model requires organizations to “do their homework” by proactively
adopting policies and procedures for compliance rather than relying on external
oversight.
-> Horizontal Scope and Proportionality
The GDPR is a horizontal regulation, meaning it applies universally across all sectors
and types of organizations, from large tech companies to small and medium-sized
enterprises (SMEs).
However, compliance requirements are nuanced by the principle of proportionality,
ensuring that measures are appropriate to the organization’s size, nature, and level of
risk.
Example 1: Small Local Shop vs. Large Corporation
A small local flower shop with minimal personal data processing may need only basic
measures to comply with the GDPR.
In contrast, a large corporation handling vast amounts of personal data, including
sensitive information, must implement more comprehensive measures.
Example 2: Local Medical Practice vs. Local Flower Shop
Even though a small medical practice may have a similar customer base size as the
flower shop, it processes sensitive medical data, which involves higher risks.
Consequently, it must adopt stricter measures (e.g., encryption, more robust access
controls) to ensure compliance.
DUTY 1 PRIVACY NOTICES
While the GDPR does not explicitly require a “privacy notice,” controllers must provide
information to data subjects (Articles 13 & 14). In practice, this means drafting privacy
notices (= explaining what they process the data for = communicating the GDPR's full list of
required information => in practice: ‘I have read the privacy notice’), together with:
• Data Retention Policy (to enforce the storage limitation principle) = policy on
gegevensbesch (gloss cut off in the notes)
• Data Subject Rights Policy (to handle requests efficiently) = policy on the rights of
data subjects
• Data Breach Policy (to detect, manage, and report breaches) = policy on data
breaches (have a plan in case it ever happens)
• Data Breach Register = controllers must document all personal data breaches, even
those not reportable to authorities (Article 33) = a breach register in which all data
breaches are recorded
Transparency in Privacy Notices?
The GDPR mandates transparency in how organizations handle personal data. This
involves:
• Providing Clear and Comprehensive Privacy Notices
Privacy notices must inform data subjects about:
  - The purposes of processing.
  - Categories of personal data processed.
  - Legal bases for processing.
  - Data retention periods.
  - Rights of the data subject.
• Tailoring Privacy Notices for Different Data Subject Groups
Different groups (e.g., employees, customers, suppliers) often require distinct
privacy notices, as their personal data is processed for different purposes.
Examples:
  - Employee Privacy Notice (internal document).
  - External Privacy Notice for website users and customers (publicly available).
• Improving Structure and Clarity of Privacy Notices
Early GDPR-compliant notices often listed purposes, categories of data, and legal bases
separately. However, some DPAs (e.g., Belgian DPA) have criticized this approach as
insufficiently transparent.
Best Practice: Use a table format linking purposes, data categories, and legal
bases, ensuring clarity for the data subject.
DUTY 2 BALANCING TEST
Balancing Test for Legitimate Interest (Three-Step Test). When may a controller
process data based on legitimate interest? The controller must also be able to prove
that it has carried out its balancing of interests (the authority will check this).
When relying on legitimate interest as a legal basis, organizations must conduct a
three-step balancing test:
1. Legitimate interest (purpose)
Ensure the purpose is legitimate and lawful.