From May 25, 2018, every Belgian company must comply with the provisions of the General Data Protection Regulation (GDPR), which defines, at European level, the new rules on the protection of the personal data of European citizens. The GDPR will structurally change how a company operates in every area where it processes personal data.
GDPR Vademecum for Employers? Does the GDPR apply to you?
Your main obligations:
The GDPR requires that each person responsible for the processing of personal data keep internal documentation of the personal data processing activities that take place under his responsibility.
You can work with your own template or use the Group S template document.
The registry contains at least the following information:
- Name and contact details of the controller
- The processing of personal data with reference to
  - Reason for processing
  - Categories of people involved
  - Categories of personal data
  - Recipients and transfers to third countries
  - Documents on appropriate guarantees
- The expected storage period for the data
- Technical and organizational security measures
The model that Group S puts at your disposal is pre-filled with two examples of processing. It goes without saying that you must check which personal data processing takes place within your own company and add it to the register yourself.
Every employee is entitled to certain information when his employer processes his personal data, and he derives certain rights from that processing. This information and these rights are described in a policy on the protection of data processing. This policy must be adapted to the processes specific to the company and the data processed in it. We advise you to give this policy to the employee against acknowledgment of receipt (an email with confirmation of receipt is also possible) so that you can prove that you have informed the employee of his right to privacy in the context of the GDPR and the processing of his personal data.
We recommend that you do not include this privacy statement in the working rules. In this way, you can evolve the content of this document without having to adjust the working rules each time. Indeed, the procedure for modifying the working rules is strictly regulated.
The model document we provide presents the following information:
- The data controller and his representatives: to be completed in the document
- The categories of personal data that the policy concerns. We have already indicated by default a number of categories that may be applicable. Remove those that do not apply and add the categories specific to your business.
- For added categories, please specify:
  - the legal basis and the reasons for the processing
  - the source of the personal data
Group S as external processor. What does Group S do to be compliant with the GDPR?
In addition, Group S has taken the following actions:
- Drafting of a sectoral code of conduct
Within the accredited social secretariats sector, a code of conduct on the application of the GDPR at the sectoral level is currently being drawn up. This code of conduct will reflect the minimum common rules that each SSA will respect with regard to the GDPR. Group S participates in the development of this sectoral code of conduct and will implement it.
- Adaptation of our affiliation agreement
Group S offers a revised privacy statement. This declaration will contain all the elements that give the customer the necessary guarantees that the processing of the personal data of his workers meets the requirements of the GDPR. As a result, Group S adapted its affiliation agreement by incorporating the following annex:
- Written processing agreement.
Many of you are already busy implementing the GDPR and are yourselves proposing a written processing agreement or an extended questionnaire to Group S. Group S cannot respond to such requests.
We will first implement our code of conduct and an adaptation of our affiliation agreement, and we assume that these will meet your requests. If you still wish to submit a processing agreement or have a questionnaire completed, these documents can then be sent to our DPO, via the address DPO@groups.be, who will review the request.
What can Group S do for you?
Group S can answer your questions about the privacy of your workers and the processing of their personal data:
- Can the employer film his workers?
- Can he access a worker's mailbox?
- What information can he provide to a bailiff?
- Should he appoint a data protection officer (DPO)?
- What information should be included in the register of processing activities?
There may be times when you are looking for help to implement the GDPR in your company. This kind of help can be offered jointly with our partner Wolters Kluwer.
Information from the Data Protection Authority
1. You and the GDPR