Part 1: Knowledge Building
1.1 Legal GDPR and Cookies
1.2 Legal Intro and Intellectual Property
1.3 Digital Business Model Design
1.4 General and Data Selected IT Topics
1.5 Business Model Innovation – Exploitation
1.6 Company and Innovation Culture
1.7 Business Model Innovation – Exploration
Part 2: Practical Application
2.1 Business in a Digital Age
2.2 Solution Design 1
2.3 Value Proposition Design
2.4 Data Driven Decision Making
2.5 Understanding the Impact of New Technologies on Business and Society
2.6 Solution Design 2
Part 1: Knowledge Building
1.1 Legal GDPR and Cookies
1) Personal Data Protection
Legal Scope
A. Legal Basis
Europe: GDPR
REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27
April 2016 on the protection of natural persons with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46/EC (General Data
Protection Regulation)
Regulation (vs directive): directly applicable, but further measures
Belgium
Belgium: Wet van 30 juli 2018 betreffende de bescherming van natuurlijke personen met
betrekking tot de verwerking van persoonsgegevens
Mainly relevant for the public sector, but also for determining the age for consent (13 years), exceptions,
criminal matters
Privacy: Article 8 of the European Convention on Human Rights – Right to respect for private
and family life
“1. Everyone has the right to respect for his private and family life, his home and his
correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as
is in accordance with the law and is necessary in a democratic society in the interests of national
security, public safety or the economic wellbeing of the country, for the prevention of disorder or
crime, for the protection of health or morals, or for the protection of the rights and freedoms of
others.”
B. Relevant Authorities and Jurisdiction
Advice
Local Data Protection Authorities
➢ Belgium: Gegevensbeschermingsautoriteit
➢ + Vlaamse Toezichtcommissie (commission for Flemish governments)
ENISA: European Union Agency for Cybersecurity
EDPS: European Data Protection Supervisor: supervision of EU organisations/authorities
EDPB: European Data Protection Board (before WP29)
Decision Making
Local Authorities
➢ Belgium: Gegevensbeschermingsautoriteit and Vlaamse Toezichtcommissie
➢ + Marktenhof Court of appeal Brussels
Constitutional court, Raad van State and other local courts
European Court of Justice (e.g. in case of prejudicial questions)
European Court of Human Rights
C. Scope of the GDPR
Material Scope
“This Regulation applies to the processing of personal data wholly or partly by automated means
and to the processing other than by automated means of personal data which form part of a filing
system or are intended to form part of a filing system.”
Some exceptions: Public Security, Purely Personal or Household Activity
Territorial Scope
Establishment of a controller or a processor in the Union, regardless of whether the processing
takes place in the Union or not
Processing of personal data of data subjects who are in the Union by a controller or processor
not established in the Union, where the processing activities are related to:
➢ the offering of goods or services, irrespective of whether a payment of the data subject is
required, to such data subjects in the Union; or
➢ the monitoring of their behavior as far as their behavior takes place within the Union.
Processing of personal data by a controller not established in the Union, but in a place where
Member State law applies by virtue of public international law.
➔ Extraterritorial effects!
D. What is Personal Data?
Generic Personal Data
“‘Personal Data’ means any information relating to an identified or identifiable natural person
(‘data subject’); an identifiable natural person is one who can be identified, directly or
indirectly, in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural person”
Examples: IP address? Login-data?
Sensitive Personal Data
Article 9 GDPR: “Processing of personal data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, or trade union membership, and the processing
of genetic data, biometric data for the purpose of uniquely identifying a natural person,
data concerning health or data concerning a natural person’s sex life or sexual orientation
shall be prohibited. (…)”
Article 10 GDPR: “Processing of personal data relating to criminal convictions and offences
or related security measures based on Article 6(1) shall be carried out only under the control
of official authority or when the processing is authorized by Union or Member State law
providing for appropriate safeguards for the rights and freedoms of data subjects. Any
comprehensive register of criminal convictions shall be kept only under the control of official
authority.”
➔ Special regimes apply
Not considered Personal Data
Examples:
▪ Company number
▪ ?
▪ Anonymized personal data
▪ Data related to a deceased individual
E. Other Relevant Definitions
Filing System
“‘Filing System’ means any structured set of personal data which are accessible according to
specific criteria, whether centralized, decentralized or dispersed on a functional or geographical
basis.”
Not: mere phone call
Processing
“‘Processing’ means any operation or set of operations which is performed on personal
data or on sets of personal data, whether or not by automated means, such as collection,
recording, organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction.”
Basic processing activities for SMEs:
Customer management, direct marketing, provider management, accounting,
communication/PR, HR management and salary administration
Controller
“‘Controller’ means the natural or legal person, public authority, agency or other body which,
alone or jointly with others, determines the purposes and means of the processing of
personal data.”
E.g. employer
Joint controllership possible
Essential definition => be transparent
▪ For data subjects
▪ For authorities
Processor
“‘Processor’ means a natural or legal person, public authority, agency or other body which
processes personal data on behalf of the controller.”