1
GDPR.
Matthias Dobbelaere-Welvaert
So what?
2
About
theJurists
theJurists is specialized in privacy, digital law,
intellectual property law and company law.
theJurists believes in digital transformation and
artificial intelligence, and works hard on
projects that aim at making the law accessible
to all. We stand for open, transparent and
innovative law.



Gent - Brussel - London - Paris - Amsterdam
theJurists Europe is a contemporary legal
boutique office and has been a pioneer in
digital law for eight years.
3
About
Matthias
MATTHIAS DOBBELAERE-WELVAERT
Matthias is the Managing Partner of theJurists Europe,
which has offices in Ghent, Brussels, Amsterdam, Paris
and London. He is a member of the board of directors
of FeWeb and Gent Web Valley. He is a ‘Copyright and
Mediarights’ professor at the EHB. He is specialized in
online privacy, cybercrime and art. 10 ECHR.
theJurists Europe.
MANAGING PARTNER
4
What is Privacy?
Personal data means all data
relating to a living individual
who is or can be identified
from the data.
5
art. 8 ECHR
Right to respect for
private and family life.
1/ Everyone has the right to
respect for his private and
family life, his home and his
correspondence.
2/ There shall be no interference
by a public authority with the
exercise of this right except
such as is in accordance with
the law and is necessary in a
democratic society
6
The Data Protection
Authority (Privacycommissie)
Bart Tommelein, the former state secretary for
privacy, created a furore by suing Facebook,
winning the case in the first instance, and…
eventually losing the case.
His successor, Philippe De Backer, now wants to
sue Google for alleged violations of privacy.
What are the priorities of the DPA?
Eager for media attention or
actual watchdog?
7
Information
is the new
gold
There is no such thing as a free lunch. If there is
no entrance fee or a selling price, the user is the
product. Privacy is a new currency. Facebook,
Snapchat, Instagram, Gmail, Twitter, etc. all
apply this principle. (More) data is always the
purpose.
8
Debate
MORE OF THE ONE
MEANS LESS OF 

THE OTHER
And what do you
prefer? Privacy or
Safety?
9
A new European regulation
which governs the privacy in
the EU member states.
The General Data Protection Regulation (GDPR) is a
regulation with which the European Commission
wants to promote the safety of data. The GDPR
mainly focuses on the protection of personal
information of EU residents as well as on regulating
the export of personal data outside the EU. The
European Commission wants to give back the control
over personal data to the individual.
What is
the
GDPR?
10
The GDPR was adopted in April 2016. It entered
into force on 24 May 2016 and shall be fully
applicable from 25 May 2018. This gives
European governments and enterprises two
years' time to prepare for the changing
legislation.
The predecessor of the GDPR is Privacy
Directive 95/46/EG which has existed since 1995, but
which no longer suffices in the current digital
era. The GDPR, however, no longer is a directive,
but a regulation.
25 May 2018
A directive has to be converted into national
legislation, whereas a regulation has direct
effect.
The member states can still put forward their
own priorities and adapt the national
legislation to their own customs. There are, for
example, regional differences with regard to the
maximum age of children.
11
Scope
The new privacy regulation or GDPR replaces
the current privacy directive. If your company is
currently dealing with national privacy laws
then you can assume that the new regulation
applies to your company.
12
If you are not sure whether the regulation is applicable to you, you should ask yourself the following
question: does my company process personal data of EU residents?
Do you
process data?
What is processing? What are personal data?
13
Consequently, personal data is any information
which makes it possible to identify a natural
person, directly or indirectly. This includes IP
addresses and human tissue. Anonymous vs
pseudonymous data: only in the case of anonymization
are you no longer dealing with ‘personal data’.
What are
personal
data?
Art. 4.1. GDPR: “Personal data means any
information relating to an identified or
identifiable natural person ('data subject'); an
identifiable natural person is one who can be
identified, directly or indirectly, in particular by
reference to an identifier such as a name, an
identification number, location data, an online
identifier or to one or more factors specific to
the physical, physiological, genetic, mental,
economic, cultural or social identity of that
natural person” 
RIGHT REFLEX
14
In other words: almost every act relating to
personal data. Teach yourself this reflex.
What is
processing?
Art. 4.2. GDPR: “Processing means any
operation or set of operations which is
performed on personal data or on sets of
personal data, whether or not by automated
means, such as collection, recording,
organization, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure
by transmission, dissemination or otherwise
making available, alignment or combination,
restriction, erasure or destruction.”
RIGHT REFLEX
15
Where does
the GDPR
apply?
This Regulation applies to the processing of
personal data in connection with the activities
of a branch of a controller or a processor in the
Union, regardless of whether or not processing
in the Union takes place.
16
This Regulation applies to the processing of personal data of persons in the Union by a data processor or
controller located outside the Union when the processing involves:
a) offering goods or services to those concerned in the Union, regardless of whether a payment is required
by the parties concerned; or



b) monitoring their behavior, in so far as this behavior occurs in the Union.
Do you
process data?
17
It no longer matters whether or not the data processing takes place within the European Union or not, as
long as data of natural persons in the Union are processed. This is an important advance for the privacy of
individuals. In the past, major internet giants like Google and Amazon could escape European privacy laws
as they had a headquarters in Silicon Valley. Now the GDPR will also apply to them as soon as they process
personal data of European residents.
Where?
18
In addition, the obligations in the GDPR apply not only to companies that process personal data for their
own purposes (controllers) but also to companies that process personal data for other companies (processors).
When you are hired as a company to take care of another company's marketing, which includes the
collection of the contact information of the customers of the latter, you also fall under the scope of the
GDPR.
Subcontractor?
19
Your obligations under the
GDPR: permission,
information, security.
The existing privacy legislation already imposes many
obligations that are also present in the GDPR.
However, there are a number of additional
obligations your company needs to prepare for in
order to be GDPR compliant.
What do
you have
to do?
20
Permission
Unlike earlier, in the GDPR permission may be
withdrawn.
Permission can only be given by an active act.
This must indicate that the data provider agrees
freely, specifically, informed and
unambiguously with the processing of
personal data. If the processing has multiple
purposes, the provider must give permission for
each of the purposes separately.
In addition, he or she may withdraw the
permission at all times. Withdrawing permission
should be as easy as giving it.
ART. 6 GDPR
21
For a child under the age of 16, the following
rule applies:
Processing is only legitimate when consent or
permission is granted by the person who carries
parental responsibility for the child.
This age limit can be reduced by other regional
authorities to 13 years, so regional differences
may occur.
ART. 6 GDPR
22
Agreement
This applies for example when you want to buy
a car. The seller has to ask your name, etc., in
order to sell the car. Permission is not required
here.
However, when the seller would request your
hobbies, he cannot rely on this justification.
ART. 6 GDPR
23
Legal
obligation
For example, if your employer has to pay your
wage, he must withhold a part of the wage for
social security. For this, he has to send
employee information to social security. An
employer must pay his employee and pay taxes.
1. Necessary in order to protect the vital
interests of the data subject or of another
natural person,
2. Processing is necessary for the performance
of a task carried out in the public interest,
3. Processing is necessary for the purposes of
the legitimate interests pursued by the
controller or by a third party (balance of
interests).
ART. 6 GDPR
24
The controller always has
to clarify for which
purposes.
PURPOSE INFORMATION
Principle of
transparency: Why are
these data needed here?
Purpose &
Information
Lee & White consultants.
25
Special personal data or sensitive personal data relate to certain categories for which the legislator
considers additional protection is necessary. These are personal data revealing racial or ethnic origin,
political views, religious or philosophical beliefs, or membership of a trade union, or genetic data, biometric
data for the unique identification of a person, health data, or data related to someone's sexual behavior or sexual
orientation.
A bit special
The processing of these data is normally prohibited, but important exceptions exist here.
26
1. Take appropriate security measures,
2. Respecting the rights of the data subject,
3. Profiling. Data subject must always be able to object.
4. A number of additional obligations regarding data processors.
What else?
27
Specific
obligations
under the GDPR
The GDPR also sets out specific new
commitments. For example, Data Protection
Officers (DPOs) should be put in place if the
conditions are met, a data breach should be
reported, and there is greater accountability.
28
DPO or Data
Protection Officer
The DPO has been
mentioned several
times and is also one of
the most significant
changes brought on by
the regulation. Or at
least for some. You are
only obliged to assign a
DPO if you have to
answer yes to one of
the following questions:
Do you process more than 5000
data subjects per year?
> 5000
GOVERNMENT
SPECIAL
OBSERVATION
Are you a governmental
organisation or agency?
Do you mainly process special
categories of data?
Do you perform regular
observation on a large scale?
1
2
3
4
29
The role of Data Protection Officer or DPO may be assigned to an existing employee. However, his or her
other responsibilities must be compatible with the obligations arising from the DPO's role. He or she may
not serve conflicting interests. Within a business group, one DPO may be designated as long as he or she is
easily accessible for each department or establishment. In addition, the DPO can be hired as an employee
by the processor, but can also perform his duties under a service agreement.
The role of a DPO
30
Notification data
breach
A data breach means
that there is an
infringement of
security that
accidentally or
unlawfully leads to the
destruction, loss,
alteration or
unauthorized
disclosure of or
unauthorized access to
personal data.
If an infringement of personal data has occurred,
the processor shall report to the Privacy
Commission without unreasonable delay and, if
possible, at the latest 72 hours after becoming
aware of a breach, unless it is unlikely that the
infringement in relation to personal data presents
a risk for the rights and freedoms of natural
persons. If the notification to the supervisory
authority does not take place within 72 hours, it
shall be accompanied by a statement of reasons
for the delay.
The processor (IT service provider) informs the
controller (customer) without unreasonable delay
once he has noticed an infringement connected to
personal data.
31
Accountability
The obligation of
accountability entails
that companies will
have to check for
themselves whether
their data processing is
in line with the GDPR,
and they have to be
able to show this at any
given moment.
This is a significant change to the existing privacy
directive. Although the concept of accountability is
not expressly included in the GDPR, some
obligations are included in the GDPR that may fall
under the concept. For example:
1. The company must take appropriate technical
and organisational measures to ensure that
processing is GDPR compliant,
2. Each processing manager keeps a register of
processing activities (under his responsibility).
32
Pseudonymization
Pseudonymization is a
new concept that is
introduced in the
GDPR. It means that
data is processed in
such a way that
personal data can not
be linked to the data
subject without
additional data being
used.
This additional data must be kept separately and
"technical and organisational" measures must be
taken so that the data can not be reconnected to
the person.
Therefore, data is not completely anonymised by
this process (which would mean exclusion from the
GDPR) but the data subject can no longer be
identified directly. Only the controller has the key
to the source data and there are guarantees that
will prevent reidentification. But the source data
are still present, they are not destroyed so you still
have to comply with privacy laws. However,
because the privacy risk of the data subject is
reduced, privacy legislation will be more flexible in
processing pseudonymised personal data.
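The pseudonymization described on this slide, as an added example that is not part of the original slides: identifiers are replaced by keyed tokens, and the key and lookup table (the "additional data") stay in a separate vault held by the controller. HMAC-SHA256 as the keyed transform, the names `ControllerVault`, `pseudonymize_records` and `relinkable_without_key`, and the sample records are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Iterable, List, Optional


def _normalize(identifier: str) -> bytes:
    # Same person, same token: ignore case and surrounding whitespace.
    return identifier.strip().lower().encode("utf-8")


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 token: stable per data subject, not computable without the key."""
    return hmac.new(key, _normalize(identifier), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256, included only as the weak contrast: anyone can recompute it."""
    return hashlib.sha256(_normalize(identifier)).hexdigest()


class ControllerVault:
    """The 'additional data', kept separately: the secret key and the lookup table."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def tokenize(self, identifier: str) -> str:
        token = keyed_pseudonym(identifier, self._key)
        self._lookup.setdefault(token, identifier.strip().lower())
        return token

    def reidentify(self, token: str) -> Optional[str]:
        # Only the holder of the vault can go from token back to the person.
        return self._lookup.get(token)


def pseudonymize_records(records: Iterable[dict], vault: ControllerVault,
                         id_field: str = "email") -> List[dict]:
    """Return copies of the records with the direct identifier replaced by a token."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != id_field}
        row["subject_token"] = vault.tokenize(rec[id_field])
        out.append(row)
    return out


def relinkable_without_key(tokens: Iterable[str], candidates: Iterable[str],
                           transform: Callable[[str], str]) -> Dict[str, str]:
    """Tokens that a party WITHOUT the vault can link to a person by recomputing
    `transform` over identifiers it already knows (e.g. its own customer list)."""
    guesses = {transform(c): c for c in candidates}
    return {t: guesses[t] for t in tokens if t in guesses}


# Constructed sample data (not from the slides).
SAMPLE_RECORDS = [
    {"email": "an.peeters@example.com", "product": "robot-a", "total_eur": 199},
    {"email": "An.Peeters@example.com ", "product": "robot-b", "total_eur": 349},
    {"email": "jan.janssens@example.org", "product": "robot-a", "total_eur": 199},
]


def demo() -> dict:
    vault = ControllerVault()
    rows = pseudonymize_records(SAMPLE_RECORDS, vault)
    tokens = {r["subject_token"] for r in rows}
    known = [r["email"] for r in SAMPLE_RECORDS]
    weak_tokens = {unkeyed_hash(e) for e in known}
    return {
        "rows": rows,
        # Keyed tokens: a recipient who knows the addresses still cannot match them.
        "relinked_keyed": relinkable_without_key(tokens, known, unkeyed_hash),
        # Unkeyed hashes: every subject is re-linked by simple recomputation.
        "relinked_unkeyed": relinkable_without_key(weak_tokens, known, unkeyed_hash),
        "controller_lookup": vault.reidentify(rows[2]["subject_token"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The pseudonymised rows remain personal data because the vault still exists; an unkeyed hash of an e-mail address does not meet the "cannot be linked without additional data" condition at all, since no additional data is needed to recompute it.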
33
Which
rights does
the user
have?
The data subject has many
rights under the GDPR.
If personal data is being processed, the data
subject is entitled to information about (the
processing of) this data. What information
should be provided depends on whether the
personal data were collected directly or
indirectly from the data subject.
Read articles 13 GDPR and 14 GDPR.
IN THE LAW
34
Right to
information
Already existed, but
extended under the GDPR.
If personal data is being processed, the data
subject is entitled to information about (the
processing of) this data. What information
should be provided depends on whether the
personal data were collected directly or
indirectly from the data subject.
35
Right to
access
Already existed, but
extended under the GDPR.
The data subject is entitled to know whether or
not data about him or her is being processed, and if this is
the case, to obtain access to this information
(processing, categories of personal data,
recipients, duration, etc.)
36
Right to
rectification
Art. 16 and 18 GDPR.
The GDPR explicitly recognizes the right to
correct personal data when they are incorrect
or incomplete.
37
Right to
object
Already existed (extended
for profiling).
The right to object to direct marketing,
processing based on justified grounds and
processing for scientific or historical research.
Data subjects should also be informed about
this right to object.
38
Profiling
Explicit consent is now
required.
The data subject has the right not to be
subjected to a decision based solely on
automated processing, including profiling, that
has legal consequences for him or her or
otherwise affects him or her to a significant
extent.
39
This requirement does not apply if the profiling:
a) is necessary for the establishment or execution of an agreement between the data subject and a
processor;
b) is permitted by Union or national law applicable to the processor and which also provides for
appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or
c) relies on the explicit consent of the data subject.
Exception
40
Right to be
forgotten
New in the GDPR: 

lots of commotion.
The right to be forgotten means that in some
cases data subjects have the right to obtain the
removal of personal data. This right may apply
in the following cases:
41
(1)The data is no longer required for the purposes for which the data was collected.
(2)The data subject withdraws his consent for processing his personal data and there is no other legal basis
for the processing.
(3)The data subject objects to the processing.
(4)The personal data of the person concerned were processed illegally.
(5)The personal data must be deleted to comply with a legal obligation under Union law or in accordance
with national law.
(6)The personal data were collected in connection with the provision of services to children.

When is there a right
to be forgotten?
42
Right to data
portability
New in the GDPR: art. 20
Data provided to one service provider must be
easily recoverable. This way, it is easy to go from
one service provider to another.
43
(1)It should concern a data processing that is based on consent or on an agreement. The GDPR expressly
states that this right is not valid in processing necessary to fulfill a public interest mission or to exercise
public authority.
(2)There is the right to recover the personal data provided to the processor and to transfer the data to
another processor or service provider without the first processor being able to contest this.
When is there a
right to
portability?
44
By design &
by default
New in the GDPR. Art. 25
Article 25 GDPR states that technical and
organisational measures must be taken. These
must be taken throughout the process of
processing personal data.
45
By design &
by default
Both at the time of the determination of the means of processing and during the processing itself. The
purpose of these technical and organisational measures is to effectively execute the data protection
principles. For example, minimal data processing. In addition, the necessary safeguards must be
incorporated in the processing to comply with the GDPR and to protect the rights of the parties concerned.
What are technical and organisational measures? Consider pseudonymisation, transparency regarding the
functions and processing of personal data, enabling the data subject to control information processing, and
enable the processor to create and improve security features.
46
Sanctions
Everyone is talking about
it: the enormous GDPR
sanctions.
The GDPR will give the Belgian Privacy
Commission the power to impose an
administrative fine. The maximum fine (e.g. for
absence of required consent or non-compliance
with data exchange rules with non-EU
countries) is 20 million euros or 4% of
worldwide turnover. Although it is a matter of
maximum amounts, the GDPR determines that
the Privacy Commission must ensure that the
fine is deterrent. Therefore, it will not be
possible to just ‘buy off’ an infringement. So it’s
important to be aware of all personal data
being processed!
47
Time to
practice.
Some user cases.
48
User
case 1
A Chinese sold
robots in the EU.
49
I’m a Chinese producer of robots. I would like to start a web shop with a distribution centre in The
Netherlands in order to sell my robots to Belgian consumers, to start with. I want to keep things simple for
my customers so I only ask for their email address and their favourite animal for identification at purchase.
But I would like to use that email address and the list of addresses for targeted marketing, through
analysis and potentially selling off those email addresses. That way, I could even make some money out of
the email addresses themselves.
What should I pay attention to to be entirely GDPR compliant?
The
assignment
50
How does a Chinese producer become GDPR compliant?
China: not European, so doesn’t fall under the GDPR? Wrong: because he directs his activities through an establishment in a Member
State of the EU (The Netherlands). Also, his activities are directed at Belgian consumers, therefore he is processing data of EU nationals. 

Just email addresses: personal data are data that could directly or indirectly identify a natural person. Only email addresses such as
‘info@, contact@, team@’ will be considered as too impersonal. Other email addresses do fall under the GDPR. 

Their favourite animal: the principle of data minimisation implies that only those data that are strictly necessary for the intended
purposes of the processing can be collected. Asking for their favourite animal is a collection of data that is not necessary to the
purchase of a robot and will therefore no longer be allowed under the GDPR.

Targeted marketing + reselling of the list: these are processing purposes about which the subject must receive clear information. He
needs to be made aware (through a privacy policy or general terms and conditions) of the reasons for the processing. These need to be
as specific as possible. Moreover, it needs to be mentioned per specific purpose, so targeted marketing must be mentioned separately
from reselling. This form of marketing requires explicit consent in the general terms and conditions. 

Further GDPR compliance: reasonable and adequate security measures against possible data breaches, on the basis of an estimation of the
severity of a breach and the degree of security. Keeping of a data register and of the data being processed. Consent for the processing can
be given in the general terms and conditions.
The answer.
51
User
case 2
A Belgian once
used a Chinese
robot.
52
I’m a Belgian software developer for Japanese robots that are used as greeting host at establishments of
AXA Belgium. For AXA, the purpose of the software is to greet Belgian consumers and to ask them for some
information in order to make the introductory meeting with the insurance broker run smoothly. The robot
asks for their name, email address, address and a couple of questions for risk analysis.
Who is responsible for ensuring GDPR compliance, me as software developer or AXA Belgium? Who is liable
for data breaches?
The
assignment
53
The Belgian software developer is going to process personal data for another company, AXA Belgium, through the software that it
develops. In this case, the software developer is the processor and AXA is the data controller (AXA determines the ultimate purposes for
which the data are processed: insurance purposes).
In the other case it’s different: if users put data in the robot, that data ends up in a database, that database is created by an IT’er, but
the question here is if the management of the database is outsourced to the IT’er or is directly taken care of by AXA (most probably by
AXA itself). If AXA manages and hosts the database, AXA also processes and controls the data; if the IT’er just creates the software and
does not process the data beforehand, it is not a processor.
If the IT’er is also responsible for hosting the platform, with updates and keeping servers and bandwidth available, the IT’er falls under
the term processor. Then it processes data on behalf of the controller. It is important to have a processor agreement between AXA and
the software developer. In the absence of such an agreement, there can be high fines. This needs to include arrangements on the type
of personal data being processed, data processing purposes, what the software developer will undertake in case of a data breach, etc.
The answer
(1).
54
Under the current directive the obligations mainly concern the data controller, but not under the GDPR: processors are subjected to
more obligations and can be held liable when they are not compliant with the GDPR. Both have to comply with the GDPR.
In terms of liability: the IT’er will have the responsibility to ensure technical measures that can safeguard from data breaches.
Whether or not this is included in the assignment, will depend on context. It is of course expected of an IT’er to develop safe platforms/
software. Unless AXA is itself fully responsible for hosting and updating/security of the software. Furthermore, both controller and
processor need to keep a data register and have to agree on the duty to report a data breach, most likely in a processor agreement.
The answer
(2).
55
There is still some time
left.
2017
What is your GDPR
question?
May
2018
theJurists
56
theJurists Europe.
GENT (BELGIUM)
HQ
Brussel & London.
AMSTERDAM, PARIS,
+
5 offices in 4 European
Countries.
57
Get in
touch.
You’ll love our beer.
Webchat & Slack app

contact@dejuristen.be
Chat & E-mail
Heernislaan 19

B-9000 GENT
Address
+32 9 298 04 58
Phone

Mais conteúdo relacionado

Mais procurados

Preparing for GDPR: What Every B2B Marketer Must Know
Preparing for GDPR: What Every B2B Marketer Must KnowPreparing for GDPR: What Every B2B Marketer Must Know
Preparing for GDPR: What Every B2B Marketer Must KnowIntegrate
 
Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)Zoodikers
 
EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)RAKESH S
 
VMTN6642E - GDPR Slide Deck
VMTN6642E - GDPR Slide DeckVMTN6642E - GDPR Slide Deck
VMTN6642E - GDPR Slide DeckKyle Davies
 
What is GDPR?
What is GDPR?What is GDPR?
What is GDPR?Faidepro
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slidesNaomi Holmes
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationIBM Security
 
The Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection RegulationThe Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection RegulationGhostery, Inc.
 
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take NowGDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take NowHackerOne
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by QualsysQualsys Ltd
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesOgilvy Consulting
 
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
"GDPR - All You Need To Know" presentation from event Nov 16th in BerlinMailjet
 
GDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsGDPR and evolving international privacy regulations
GDPR and evolving international privacy regulationsUlf Mattsson
 
GDPR: Is Your Organization Ready for the General Data Protection Regulation?
GDPR: Is Your Organization Ready for the General Data Protection Regulation?GDPR: Is Your Organization Ready for the General Data Protection Regulation?
GDPR: Is Your Organization Ready for the General Data Protection Regulation?DATUM LLC
 
Gdpr action plan - ISSA
Gdpr action plan - ISSAGdpr action plan - ISSA
Gdpr action plan - ISSAUlf Mattsson
 

Mais procurados (20)

Preparing for GDPR: What Every B2B Marketer Must Know
Preparing for GDPR: What Every B2B Marketer Must KnowPreparing for GDPR: What Every B2B Marketer Must Know
Preparing for GDPR: What Every B2B Marketer Must Know
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
 
Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)Getting to grips with General Data Protection Regulation (GDPR)
Getting to grips with General Data Protection Regulation (GDPR)
 
EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)EU GDPR(general data protection regulation)
EU GDPR(general data protection regulation)
 
VMTN6642E - GDPR Slide Deck
VMTN6642E - GDPR Slide DeckVMTN6642E - GDPR Slide Deck
VMTN6642E - GDPR Slide Deck
 
What about GDPR?
What about GDPR?What about GDPR?
What about GDPR?
 
General Data Protection Regulation
General Data Protection RegulationGeneral Data Protection Regulation
General Data Protection Regulation
 
What is GDPR?
What is GDPR?What is GDPR?
What is GDPR?
 
The GDPR for Techies
The GDPR for TechiesThe GDPR for Techies
The GDPR for Techies
 
GDPR Presentation slides
GDPR Presentation slidesGDPR Presentation slides
GDPR Presentation slides
 
How IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity LegislationHow IBM Supports Clients around GDPR and Cybersecurity Legislation
How IBM Supports Clients around GDPR and Cybersecurity Legislation
 
Get you and your business GDPR ready
Get you and your business GDPR readyGet you and your business GDPR ready
Get you and your business GDPR ready
 
The Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection RegulationThe Practical Impact of the General Data Protection Regulation
The Practical Impact of the General Data Protection Regulation
 
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take NowGDPR Guide: The ICO's 12 Recommended Steps To Take Now
GDPR Guide: The ICO's 12 Recommended Steps To Take Now
 
GDPR: Training Materials by Qualsys
GDPR: Training Materials  by QualsysGDPR: Training Materials  by Qualsys
GDPR: Training Materials by Qualsys
 
What's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) ChangesWhat's Next - General Data Protection Regulation (GDPR) Changes
What's Next - General Data Protection Regulation (GDPR) Changes
 
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
"GDPR - All You Need To Know" presentation from event Nov 16th in Berlin
 
GDPR: the legal aspects. By Matthias of theJurists Europe.

  • 2. About theJurists: theJurists is specialized in privacy, digital law, intellectual property law and company law. theJurists believes in digital transformation and artificial intelligence, and works hard on projects that aim at making the law accessible to all. We stand for open, transparent and innovative law. Gent - Brussel - London - Paris - Amsterdam. theJurists Europe is a contemporary legal boutique office and has been a pioneer in digital law for eight years.
  • 3. About Matthias: MATTHIAS DOBBELAERE-WELVAERT, MANAGING PARTNER, theJurists Europe. Matthias is the Managing Partner of theJurists Europe, which has offices in Ghent, Brussels, Amsterdam, Paris and London. He is a member of the board of directors of FeWeb and Gent Web Valley. He is a ‘Copyright and Mediarights’ professor at the EHB. He is specialized in online privacy, cybercrime and art. 10 ECHR.
  • 4. What is Privacy? Personal data means all data relating to a living individual who is or can be identified from the data.
  • 5. art. 8 ECHR: Right to respect for private and family life. 1/ Everyone has the right to respect for his private and family life, his home and his correspondence. 2/ There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society
  • 6. The Data Protection Authority (Privacycommissie): Bart Tommelein, the former state secretary for privacy, created a furore by suing Facebook, winning the case in the first instance, and… eventually losing the case. His successor, Philippe De Backer, now wants to sue Google for alleged violations of privacy. What are the priorities of the DPA? Eager for media attention or actual watchdog?
  • 7. Information is the new gold: There is no such thing as a free lunch. If there is no entrance fee or a selling price, the user is the product. Privacy is a new currency. Facebook, Snapchat, Instagram, Gmail, Twitter, etc. all apply this principle. (More) data is always the purpose.
  • 8. Debate: MORE OF THE ONE MEANS LESS OF THE OTHER. And what do you prefer? Privacy or Safety?
  • 9. What is the GDPR? A new European regulation which governs privacy in the EU member states. The General Data Protection Regulation (GDPR) is a regulation with which the European Commission wants to promote the safety of data. The GDPR mainly focuses on the protection of personal information of EU residents as well as on regulating the export of personal data outside the EU. The European Commission wants to give back the control over personal data to the individual.
  • 10. 25 May 2018: The GDPR was adopted in April 2016. It entered into force on 24 May 2016 and shall be fully applicable from 25 May 2018. This gives European governments and enterprises two years' time to prepare for the changing legislation. The predecessor of the GDPR is Privacy Directive 95/46/EG, which has existed since 1995 but no longer suffices in the current digital era. The GDPR, however, is no longer a directive but a regulation. A directive has to be converted into national legislation, whereas a regulation has direct effect. The member states can still put forward their own priorities and adapt the national legislation to their own customs. There are, for example, regional differences with regard to the maximum age of children.
  • 11. Scope: The new privacy regulation or GDPR replaces the current privacy directive. If your company is currently dealing with national privacy laws, then you can assume that the new regulation applies to your company.
  • 12. Do you process data? If you are not sure whether the regulation is applicable to you, you should ask yourself the following question: does my company process personal data of EU residents? What is processing? What are personal data?
  • 13. What are personal data? Art. 4.1. GDPR: “Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” Consequently, personal data is any information that allows a natural person to be identified, directly or indirectly. This includes IP addresses and human tissue. Anonymous vs pseudonymous data: only in the case of anonymization are you no longer dealing with ‘personal data’. RIGHT REFLEX
  • 14. What is processing? Art. 4.2. GDPR: “Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” In other words: almost every act relating to personal data. Teach yourself this reflex. RIGHT REFLEX
  • 15. Where does the GDPR apply? This Regulation applies to the processing of personal data in connection with the activities of a branch of a processor or a processor in the Union, regardless of whether or not the processing takes place in the Union.
  • 16. Do you process data? This Regulation applies to the processing of personal data of persons in the Union by a data processor or controller located outside the Union when the processing involves: a) offering goods or services to those concerned in the Union, regardless of whether a payment is required by the parties concerned; or b) monitoring their behavior, in so far as this behavior occurs in the Union.
  • 17. Where? It no longer matters whether the data processing takes place within the European Union, as long as data of natural persons in the Union are processed. This is an important advance for the privacy of individuals. In the past, major internet giants like Google and Amazon could escape European privacy laws as they had a headquarters in Silicon Valley. Now the GDPR will also apply to them as soon as they process personal data of European residents.
  • 18. Subcontractor? In addition, the obligations in the GDPR apply not only to companies that process personal data for their own purposes (processors) but also to companies that process personal data for other companies (processors). When you are hired as a company to take care of another company's marketing, which includes the collection of the contact information of the customers of the latter, you also fall under the scope of the GDPR.
  • 19. What do you have to do? Your obligations under the GDPR: permission, information, security. The existing privacy legislation already imposes many obligations that are also present in the GDPR. However, there are a number of additional obligations your company needs to prepare for in order to be GDPR compliant.
  • 20. Permission: Unlike earlier, in the GDPR permission may be withdrawn. Permission can only be given by an active act. This must indicate that the data provider agrees freely, specifically, informed and unambiguously with the processing of personal data. If the processing has multiple purposes, the provider must give permission for each of the purposes separately. In addition, he or she may withdraw the permission at all times. Withdrawing permission should be as easy as giving it. (ART. 6 GDPR)
  • 21. For a child under the age of 16, the following rule applies: Processing is only legitimate when consent or permission is granted by the person who carries parental responsibility for the child. This age limit can be reduced by other regional authorities to 13 years, so regional differences may occur. (ART. 6 GDPR)
  • 22. Agreement: This applies, for example, when you want to buy a car. The seller has to ask your name, etc., in order to sell the car. Permission is not required here. However, if the seller requested your hobbies, he could not rely on this justification. (ART. 6 GDPR)
  • 23. Legal obligation: For example, if your employer has to pay your wage, he must withhold a part of the wage for social security. For this, he has to send employee information to social security. An employer must pay his employee and pay taxes. 1. Necessary in order to protect the vital interests of the data subject or of another natural person, 2. Processing is necessary for the performance of a task carried out in the public interest, 3. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (balance of interests). (ART. 6 GDPR)
  • 24. Purpose & Information: The controller always has to clarify for which purposes. PURPOSE INFORMATION Principle of transparency: Why are these data needed here? Lee & White consultants.
  • 25. A bit special: Special personal data or sensitive personal data relate to certain categories for which the legislator considers additional protection is necessary. These are personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, or membership of a trade union, or genetic data, biometric data for the unique identification of a person, health or data related to someone's sexual behavior or sexual orientation. The processing of these data is normally prohibited, but important exceptions exist here.
  • 26. What else? 1. Take appropriate security measures, 2. Respecting the rights of the data subject, 3. Profiling. Data subject must always be able to object. 4. A number of additional obligations regarding data processors.
  • 27. Specific obligations under the GDPR: The GDPR also sets out specific new commitments. For example, Data Protection Officers (DPOs) should be put in place if the conditions are met, a data breach should be reported, and there is greater accountability.
  • 28. DPO or Data Protection Officer: The DPO has been mentioned several times and is also one of the most significant changes brought on by the regulation. Or at least for some. You are only obliged to assign a DPO if you have to answer yes to one of the following questions: 1. (> 5000) Do you process more than 5000 data subjects per year? 2. (GOVERNMENT) Are you a governmental organisation or agency? 3. (SPECIAL) Do you mainly process special categories of data? 4. (OBSERVATION) Do you perform regular observation on a large scale?
  • 29. The role of a DPO: The role of Data Protection Officer or DPO may be assigned to an existing employee. However, his or her other responsibilities must be compatible with the obligations arising from the DPO's role. He or she may not serve conflicting interests. Within a business group, one DPO may be designated as long as he or she is easily accessible for each department or establishment. In addition, the DPO can be hired as an employee by the processor, but can also perform his duties under a service agreement.
  • 30. Notification data breach: A data breach means that there is an infringement of security that accidentally or unlawfully leads to the destruction, loss, alteration or unauthorized disclosure of or unauthorized access to personal data. If an infringement of personal data has occurred, the processor shall report to the Privacy Commission without unreasonable delay and, if possible, at the latest 72 hours after becoming aware of a breach, unless it is unlikely that the infringement in relation to personal data presents a risk for the rights and freedoms of natural persons. If the notification to the supervisory authority does not take place within 72 hours, it shall be accompanied by a statement of reasons for the delay. The processor (IT service provider) informs the controller (customer) without unreasonable delay once he has noticed an infringement connected to personal data.
  • 31. Accountability: The obligation of accountability entails that companies will have to check for themselves whether their data processing is in line with the GDPR, and they have to be able to show this at any given moment. This is a significant change to the existing privacy directive. Although the concept of accountability is not expressly included in the GDPR, some obligations are included in the GDPR that may fall under the concept. For example: 1. The company must take appropriate technical and organisational measures to ensure that processing is GDPR compliant, 2. Each processing manager keeps a register of processing activities (under his responsibility).
  • 32. Pseudonymization: Pseudonymization is a new concept that is introduced in the GDPR. It means that data is processed in such a way that personal data cannot be linked to the data subject without additional data being used. This additional data must be kept separately and "technical and organisational" measures must be taken so that the data cannot be reconnected to the person. Therefore, data is not completely anonymised by this process (which would mean exclusion from the GDPR) but the data subject can no longer be identified directly. Only the controller has the key to the source data and there are guarantees that will prevent reidentification. But the source data are still present; they are not destroyed, so you still have to comply with privacy laws. However, because the privacy risk of the data subject is reduced, privacy legislation will be more flexible in processing pseudonymised personal data.
  • 33. Which rights does the user have? The data subject has many rights under the GDPR. If personal data is being processed, the data subject is entitled to information about (the processing of) this data. What information should be provided depends on whether the personal data were collected directly or indirectly from the data subject. IN THE LAW: Read articles 13 GDPR and 14 GDPR.
  • 34. Right to information: Already existed, but extended under the GDPR. If personal data is being processed, the data subject is entitled to information about (the processing of) this data. What information should be provided depends on whether the personal data were collected directly or indirectly from the data subject.
  • 35. Right to access: Already existed, but extended under the GDPR. The data subject is entitled to know whether or not data about him or her is being processed, and if this is the case, to obtain access to this information (processing, categories of personal data, recipients, duration, etc.)
  • 36. Right to rectification: Art. 16 and 18 GDPR. The GDPR explicitly recognizes the right to correct personal data when they are incorrect or incomplete.
  • 37. Right to object: Already existed (extended for profiling). The right to object to direct marketing, processing based on justified grounds and processing for scientific or historical research. Data subjects should also be informed about this right to object.
  • 38. Profiling: Explicit consent is now required. The data subject has the right not to be subjected to a decision based solely on automated processing, including profiling, that has legal consequences for him or her or otherwise affects him or her to a significant extent.
  • 39. Exception: This requirement does not apply if the profiling: a) is necessary for the establishment or execution of an agreement between the data subject and a processor; b) is permitted by Union or national law applicable to the processor and which also provides for appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or c) relies on the explicit consent of the data subject.
  • 40. 40 Right to be forgotten New in the GDPR: 
 lots of commotion. The right to be forgotten means that in some cases data subjects have the right to obtain the removal of personal data. This right may apply in the following cases:
  • 41. 41 (1)The data is no longer required for the purposes for which the data was collected. (2)The data subject withdraws his consent for processing his personal data and there is no other legal basis for the processing. (3)The data subject objects to the processing. (4)The personal data of the person concerned were processed illegally. (5)The personal data must be deleted to comply with a legal obligation under Union law or in accordance with national law. (6)The personal data were collected in connection with the provision of services to children.
 When is there a right to be forgotten?
  • 42. 42 Right to data portability New in the GDPR: art. 20 Data provided to one service provider must be easily recoverable. This way, it is easy to go from one service provider to another.
  • 43. 43 (1)It should concern a data processing that is based on consent or on an agreement. The GDPR expressly states that this right is not valid in processing necessary to fulfill a public interest mission or to exercise public authority. (2)There is the right to recover the personal data provided to the processor and to transfer the data to another processor or service provider without the first processor being able to contest this. When is there a right to portability?
  • 44. 44 By design & by default New in the GDPR. Art. 25 Article 25 GDPR states that technical and organisational measures must be taken. These must be taken throughout the process of processing personal data.
  • 45. 45 By design & by default Both at the time of the determination of the means of processing and during the processing itself. The purpose of these technical and organisational measures is to effectively execute the data protection principles. For example, minimal data processing. In addition, the necessary safeguards must be incorporated in the processing to comply with the GDPR and to protect the rights of the parties concerned. What are technical and organisational measures? Consider pseudonymisation, transparency regarding the functions and processing of personal data, enabling the data subject to control information processing, and enabling the processor to create and improve security features.
  • 46. 46 Sanctions Everyone is talking about it: the enormous GDPR sanctions. The GDPR will give the Belgian Privacy Commission the power to impose an administrative fine. The maximum fine (e.g. for absence of required consent or non-compliance with data exchange rules with non-EU countries) is 20 million euros or 4% of worldwide turnover. Although it is a matter of maximum amounts, the GDPR determines that the Privacy Commission must ensure that the fine is deterrent. Therefore, it will not be possible to just 'buy off' an infringement. So it’s important to be aware of all personal data being processed!
  • 48. 48 User case 1 A Chinese sold robots in the EU.
  • 49. 49 I’m a Chinese producer of robots. I would like to start a web shop with a distribution centre in The Netherlands in order to sell my robots to Belgian consumers, to start with. I want to keep things simple for my customers so I only ask for their email address and their favourite animal for identification at purchase. But I would like to use that email address and the list of addresses for targeted marketing, through analysis and potentially selling off those email addresses. That way, I could even make some money out of the email addresses themselves. What should I pay attention to in order to be entirely GDPR compliant? The assignment
  • 50. 50 How does a Chinese producer become GDPR compliant? China: not European, so doesn’t fall under the GDPR? Wrong: because he directs his activities through an establishment in a Member State of the EU (The Netherlands). Also, his activities are directed at Belgian consumers, therefore he is processing data of EU nationals. 
 Just email addresses: personal data are data that could directly or indirectly identify a natural person. Only email addresses such as ‘info@, contact@, team@’ will be considered as too impersonal. Other email addresses do fall under the GDPR. 
 Their favourite animal: the principle of data minimisation implies that only those data that are strictly necessary for the intended purposes of the processing can be collected. Asking for their favourite animal is a collection of data that is not necessary to the purchase of a robot and will therefore no longer be allowed under the GDPR.
 Targeted marketing + reselling of the list: these are processing purposes about which the subject must receive clear information. He needs to be made aware (through a privacy policy or general terms and conditions) of the reasons for the processing. These need to be as specific as possible. Moreover, it needs to be mentioned per specific purpose, so targeted marketing must be mentioned separately from reselling. This form of marketing requires explicit consent in the general terms and conditions. 
 Further GDPR compliance: reasonable and adequate security measures against possible data breaches, based on an estimate of the severity of a breach and the degree of security. Keeping a data register of the data being processed. Consent for the processing can be given in the general terms and conditions. The answer.
  • 51. 51 User case 2 A Belgian once used a Chinese robot.
  • 52. 52 I’m a Belgian software developer for Japanese robots that are used as greeting hosts at establishments of AXA Belgium. For AXA, the purpose of the software is to greet Belgian consumers and to ask them for some information in order to make the introductory meeting with the insurance broker run smoothly. The robot asks for their name, email address, address and a couple of questions for risk analysis. Who is responsible for ensuring GDPR compliance, me as software developer or AXA Belgium? Who is liable for data breaches? The assignment
  • 53. 53 The Belgian software developer is going to process personal data for another company, AXA Belgium, through the software that it develops. In this case, the software developer is the processor and AXA is the data controller (AXA determines the ultimate purposes for which the data are processed: insurance purposes). In the other case it’s different: if users put data in the robot, that data ends up in a database, and that database is created by an IT’er, but the question here is whether the management of the database is outsourced to the IT’er or is directly taken care of by AXA (most probably by AXA itself). If AXA manages and hosts the database, AXA also processes and controls the data; if the IT’er just creates the software and does not process the data beforehand, it is not a processor. If the IT’er is also responsible for hosting the platform, with updates and keeping servers and bandwidth available, the IT’er falls under the term processor. Then it processes data on behalf of the controller. It is important to have a processor agreement between AXA and the software developer. In the absence of such an agreement, there can be high fines. This needs to include arrangements on the type of personal data being processed, data processing purposes, what the software developer will undertake in case of a data breach, etc. The answer (1).
  • 54. 54 Under the current directive the obligations mainly concern the data controller, but not under the GDPR: processors are subjected to more obligations and can be held liable when they are not compliant with the GDPR. Both have to comply with the GDPR. In terms of liability: the IT’er will have the responsibility to ensure technical measures that can safeguard from data breaches. Whether or not this is included in the assignment, will depend on context. It is of course expected of an IT’er to develop safe platforms/ software. Unless AXA is itself fully responsible for hosting and updating/security of the software. Furthermore, both controller and processor need to keep a data register and have to agree on the duty to report a data breach, most likely in a processor agreement. The answer (2).
  • 55. 55 There is still some time left. 2017 What is your GDPR question? May 2018
  • 56. theJurists 56 theJurists Europe. GENT (BELGIUM) HQ Brussel & London. AMSTERDAM, PARIS, + 5 offices in 4 European Countries.
  • 57. 57 Get in touch. You’ll love our beer. Webchat & Slack app
 contact@dejuristen.be Chat & E-mail
 Heernislaan 19, B-9000 GENT Address
 +32 9 298 04 58 Phone