GDPR: General Data Protection Regulation
From May 25, 2018, every Belgian company must comply with the provisions of the General Data Protection Regulation (GDPR), which defines, at European level, the new rules on the protection of the personal data of European citizens. The GDPR will structurally change how the company operates wherever its activities involve the processing of personal data.
GDPR Vademecum for Employers? Does the GDPR apply to you?
Your main obligations:
1. Maintain a record of processing activities (Group S template document: Word or PDF)
The GDPR requires that each controller of personal data keep internal documentation of the personal data processing activities that take place under its responsibility.
You can work with your own template or use the Group S template document.
The register contains at least the following information:
- Name and contact details of the controller
- The processing of personal data with reference to
- Purpose of the processing
- Categories of people involved
- Categories of personal data
- Recipients and transfers to third countries
- Documentation of the appropriate safeguards
- The expected retention period for the data
- Technical and organizational security measures
The template that Group S puts at your disposal is pre-filled with two examples of processing. It goes without saying that you must check which personal data processing takes place within your own company and add it to the register yourself.
Every employee is entitled to certain information when his employer processes his personal data, and has certain rights in that respect. This information and these rights are described in a data processing protection policy. This policy must be adapted to the processes specific to the company and the data processed in it. We advise you to hand this policy to the employee against acknowledgment of receipt (an email with confirmation of receipt is also possible) so that you can prove that you have informed the employee of his right to privacy in the context of the GDPR and of the processing of his personal data.
We recommend that you do not include this privacy statement in the working rules. In this way, you can update the content of this document without having to amend the working rules each time. Indeed, the procedure for amending the working rules is strictly regulated.
The model document we provide presents the following information:
- The data controller and his representatives: to be completed in the document
- The policy concerns categories of personal data. We have already indicated by default a number of categories that may be applicable. Remove those that do not apply and add the categories specific to your business.
- For the categories you add, please specify:
- the legal basis and the purposes of the processing
- the source of the personal data
Group S as external processor. What does Group S do to be compliant with the GDPR?
Declaration of confidentiality
In addition, Group S has taken the following actions:
1. Drafting of a sectoral code of conduct
Within the accredited social secretariats sector, a code of conduct on the application of the GDPR at sectoral level is currently being drawn up. This code of conduct will set out the minimum common rules that each accredited social secretariat (SSA) will respect with regard to the GDPR. Group S participates in the development of this sectoral code of conduct and will implement it.
2. Adaptation of our affiliation agreement
Group S offers a revised privacy statement. This statement will contain all the elements that give the customer the necessary guarantees that the processing of the personal data of its workers meets the requirements of the GDPR. As a result, Group S has adapted its affiliation agreement by incorporating the following annex:
3. Written processing agreement
Many of you are already busy implementing the GDPR and are proposing to Group S a written processing agreement or an extended questionnaire. Group S cannot answer such requests.
We will first implement our code of conduct and the adaptation of our affiliation agreement, and assume that this meets your requests. If you still wish to submit a processing agreement or have a questionnaire completed, these documents can be sent to our DPO, via the address DPO@groups.be, who will review the request.
What can Group S do for you?
Group S can answer your questions about the privacy of your workers and the processing of their personal data:
- Can the employer film his workers?
- Can he access a worker's mailbox?
- What information can he provide to a bailiff?
- Should he appoint a data protection officer (DPO)?
- Which entries should be included in the register of processing activities?
There may be times when you need help implementing the GDPR in your company. This kind of help can be offered jointly with our partner Wolters Kluwer.
Information from the Data Protection Authority
Vademecum for SMEs (in French)
Generic Model of a Processing Register (in French)
1. You and the GDPR
- What is the GDPR?
The GDPR (General Data Protection Regulation) is a European regulation issued by the European Union which imposes rules on natural persons, private companies and public organisations in order to protect natural persons with regard to the use of their personal data. The aim is to strengthen and unify the protection of these individuals' data within the European Union. Of course, it is not entirely new. A good number of its concepts and fundamental principles are already present in Directive 95/46/EC and the current Belgian "privacy law" of 8 December 1992. So someone who is already compliant with the current legislation can take this as a valid point of departure for implementing the GDPR. There are nevertheless several new features and significant improvements, notably related to the rights granted to the persons concerned, which will slightly change the current approach.
- When does it come into force?
The GDPR is a regulation dating from 14 April 2016, which came into force on 24 May 2016 and which will be applicable within all member states of the European Union from 25 May 2018.
- Who is concerned?
This regulation applies to the processing of personal data, whether wholly or partly automated, relating to natural persons, carried out in the context of the activities of an establishment of a data controller or a data processor on the territory of the Union. All natural persons, private companies or public organisations acting as data controllers or data processors of personal data are therefore concerned.
- What is personal data?
Personal data is all information relating to a natural person who is identified or is identifiable directly or indirectly, notably by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more elements specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity.
- What is a data controller?
A data controller is a natural person, a private company or a public organisation that determines the purposes and means of the processing.
- What is a data processor?
A data processor is a natural person, a private company or a public organisation that processes personal data on behalf of a data controller.
- Which processing is concerned?
The scope of this regulation is very broad because it covers all processing of personal data relating to natural persons who are identified or identifiable (including from coded data). For example, a process which handles personal data keyed on national register numbers is covered by the GDPR because the persons concerned can be identified from these numbers. Only data that is totally pseudonymised (or anonymised) escapes these provisions. The pseudonymisation of data consists of assigning, to each item of data that can directly or indirectly identify a natural person, a value which ensures that it is anonymous. After pseudonymisation, it is no longer possible to identify a person based on the available data.
- What is a Data Protection Officer (DPO)?
The DPO is the key person in charge of establishing and maintaining GDPR compliance in the company. The tasks of the data protection officer are as follows:
- to inform and advise the data controller or the data processor on the obligations arising from the GDPR,
- to check compliance with the regulations on the protection of personal data,
- to give advice on carrying out an impact assessment,
- to cooperate with the supervisory authority,
- to act as the point of contact for the supervisory authority.
The data protection officer may be a member of the staff of the data controller or of the data processor, or an external person engaged under a service contract.
- Must a Data Protection Officer (DPO) be appointed?
The appointment of a data protection officer is not mandatory, unless:
- processing is done by a public organisation,
- the core activities of the data controller or the data processor consist of regular and systematic large-scale monitoring,
- the core activities of the data controller or the data processor consist of processing special categories of data (racial origin, political opinions, religious beliefs, trade union membership, genetic data, data concerning health or sexual orientation).
Beyond this obligation, it is nevertheless recommended to appoint a responsible contact person to centralise any requests or complaints on this subject and to coordinate with the supervisory authority.
- What must be done to comply with the GDPR?
The GDPR implies significant changes in the company to ensure the protection of the personal data of natural persons. It is therefore judicious to designate a person or team who will coordinate the various actions related to this matter. In case of an external inspection, you must be able to demonstrate that the company has taken all necessary measures to minimise the risk of a data leak.
The following obligations are expected, according to the characteristics of the company:
1. Inform the worker
The employer will be required to communicate this information to workers already in service, to new workers and to candidates through information sessions or ad hoc documents (employment regulations, individual contracts and agreements).
2. Keep a register of processing
The employer must establish a register of processing activities and regularly update it. This register will cover all processing and, for each process, will mention the following elements:
- the identity of the data controller
- the data processed
- the origin of the processed data
- the intended purpose of this processing
- who receives the data (e.g. the social secretariat, to process salaries)
- the data retention period
- the security measures put in place.
3. Appoint a data protection officer
The employer will check whether it is required to appoint a data protection officer. If so, it will provide him/her with the necessary information and ensure that he/she can correctly fulfil his/her assignment.
4. Plan to cope with losses and leaks of data
The employer must define a procedure setting out the actions that will be taken in case of a data leak. It must inform the persons involved of their respective responsibilities, keep a register of data leaks and, in certain cases, notify the Belgian Data Protection Authority.
5. Oversee compliance with the GDPR externally
The employer must list the various data processors who process the personal data of people who are active in the company and make sure that they comply with the GDPR.
6. Oversee compliance with the GDPR internally
The employer must prepare a map of its processing, to identify the controls that are sufficient and those that must be broadened or approved. This map may then be used to bring the administration of personnel into compliance with the provisions of the GDPR, and notably with the obligation to respect the rights of workers: right to anonymisation, right to information, right to be forgotten, right of rectification, right to portability, right of access, right to object and right to dispute.
- Does certification exist in GDPR?
Certification in GDPR does not currently exist, but this situation will probably change over the forthcoming months. Dedicated organisations will then be designated to assign this certification.
- What are the risks in case of non-compliance?
This point is a major difference compared to the current situation, because the fines are specified by the regulation itself. In case of non-compliance, the supervisory authority can impose very severe fines, of up to 4% of the company's worldwide turnover or €20 million.
- What is the role of the supervisory authority?
The supervisory authority, designated within each member state, is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons and to facilitate the free flow of personal data within the Union. It is the supervisory authority that decides on the application of any fines in case of non-compliance with the regulation.
- Who is the supervisory authority?
Each member state designates its own supervisory authority. In Belgium, the Privacy Protection Commission (CPVP) is changing its name and becoming the Data Protection Authority (APD) to perform its role as supervisory authority.
- What is becoming of the Privacy Protection Commission?
The Privacy Protection Commission (CPVP) is changing its name and becoming the Data Protection Authority (APD), responsible for acting as supervisory authority.
- What is a data leak?
A data leak is a breach of security leading, accidentally or unlawfully, to the destruction, loss, alteration or unauthorised disclosure of personal data that is transmitted, stored or otherwise processed, or to unauthorised access to such data.
- What is to be done in case of a data leak?
When a data breach occurs, it must, under certain conditions, be notified to the supervisory authority within 72 hours. If Group S itself discovers a data leak, it will inform you of this incident as quickly as possible, following an internally documented procedure.
- What will happen from 25 May 2018?
25 May 2018 will be the date from which the regulation applies. A priori, from that date, the data controller and the data processor are liable to fines for non-compliance. However, not all companies will be able to demonstrate 100% compliance with the regulation. The presence of a coordinated action plan within the company will provide arguments to put forward to the supervisory authority that the company is committed in the matter. The effort that began 2 years ago will continue well beyond that date. It must be borne in mind that this is an essential ongoing investment that must be sustained by daily actions, whether during the implementation of new processing, new procedures, new technologies or new contracts.
What can Group S do to help?
Group S can answer your questions on the privacy of your workers and on the processing of their personal data. Group S can also provide you with model documents (data processing register and confidentiality declaration). You can find them on our site on the page dedicated to the GDPR. If you want help implementing the GDPR within your company, we can help you with the aid of our partner Wolters Kluwer.
2. Group S and the GDPR
- What is Group S doing in relation to the GDPR?
Over many months, Group S has carried out numerous actions to comply with the new regulation:
- information to workers,
- appointment of a DPO,
- use of a register of processing for mapping all processes that use personal data,
- review of existing contracts with our data processors to make sure that they comply with the GDPR,
- participation in drawing up a sectoral code of conduct adopting minimum common rules that each accredited social secretariat will comply with concerning the GDPR,
- adaptation of our affiliation agreement and of our declaration of confidentiality. This declaration will cover all the elements that give you the necessary guarantees that the processing of the personal data of your workers complies with the requirements of the GDPR. This declaration by Group S will form an addendum to our affiliation agreement and will be made available in May,
- application of the guarantee of the rights of the persons concerned,
- setting up internal procedures in case of a data leak.
- Is Group S the data controller?
In the context of its usual assignment of providing social secretariat services, Group S acts as a data processor. The data controller remains the employer, who delegates to us the administration of salaries, the application of social-security laws, declarations to the relevant organisations, the monitoring of payments, etc. In the context of activities for which Group S itself determines the purposes and means of the processing, it will be considered the data controller.
- Does Group S comply with the GDPR?
As an important player in the social secretariat services sector, Group S has taken the necessary measures to be compliant with the GDPR. As no official certification exists, Group S has established a complete action plan to check that its internal procedures comply with the regulation and to highlight the areas for which dedicated actions must be undertaken. This plan is currently being produced. The various documents adapted in the context of the GDPR are being validated by a law firm specialised in the matter. Group S also holds ISAE 3402 type II certification, enabling it to offer a guarantee of the reliability and quality of the internal controls covering its services.
- Has Group S designated a DPO?
Yes, a person internal to Group S has been designated to coordinate the various actions for implementing the GDPR in the company and to be the contact person for the security of personal data.
- Where is the data processed by Group S kept?
Group S itself manages and archives the data necessary for performing its assignment. All of the servers on which this data is stored are located in Belgium, on the various IT sites of Group S.
- Must a new contract be signed with Group S?
No. Through an appendix, Group S has adapted its affiliation agreement to include the statements required by the GDPR. In addition, the declaration of confidentiality will cover all the elements that give you the necessary guarantees that the processing of the personal data of your workers fulfils the requirements of the GDPR.
- May Group S transfer data to a third party at your request?
When you want Group S to transfer personal data to a third party, we ask you to give Group S an explicit mandate to do so, in accordance with article 5.3 of the annex to the affiliation agreement. It will also be up to you, as controller, to ensure that the persons whose personal data you transfer to a third party are informed of this transfer, and that this third party complies with all the rules relating to the protection of personal data set out in the GDPR.
In order to facilitate your task in this administrative process, Group S provides you with a form that allows you to mandate it for this task.