Operationele blik op GDPR Mastermail, Wilsele, 19 September 2017

… I have an opt-in

Ceci n’est pas un consentement . … I have an opt-in Ceci n’est pas un consentement .

Conditions consent Freely given Specific Informed Unambiguous indication of wishes By statement or clear affirmative action Clearly distinguishable from other acts Withdrawable No unfair clauses Burden of proof

processing grounds “Processing shall be lawful only if and to the extent that at least one of the following applies” Consent Necessary for Performance contract Pre-contractual measures at request of data subject Legal obligation Protecting vital interests Performance of public interest or official authority Legitimate interest controller / third party

Purpose limitation

Purpose limitation

Data minimisation

Accuracy Are personal data correct and up to date? Address and postal code check Orphan accounts

Storage limitation

Confidentiality and integrity

Controller vs processor

Obligations of controllers and processors Subject to GDPR when established in the EU (art 3.1) Yes Subject to GDPR when established outside the EU subject to conditions Appoint representative if established outside EU and subject to GDPR (art 27) Respect quality principles (art 5: lawfulness, fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality) No No processing without lawful basis (art 6 and 9) Honour data subject rights (Chapter III: information, access, rectification, erasure, restriction, portability and object) Ensure and demonstrate compliance (art 24: accountability) Data protection by design and by default (art 25) Agreement between joint controllers (art 26) Appoint processor (if any) with sufficient guarantees for GDPR compliance (art 28.1) Appoint subprocessor (if any) subject to authorization of controller (art 28.2) Enter into processor agreement (art 28.3) Assistance to controller in responding to data subjects exercising their rights (art. 28.3.e) Assistance to controller in complying with obligations regarding security, data breach and data protection impact assessment (art. 28.3.f) Delete or return all personal data after the end of the relationship controller-processor (art 28.3.g) Make available to controller all information necessary to demonstrate compliance with art. 28 (art. 28.3.h) Immediately inform controller if his instruction infringes GDPR or local/EU law (art. 28.3 in fine) Obey to instructions of controller (art 29) Keep records of processing (art 30) Ensure security of processing (art 32) Notify personal data breaches (art 33) If applicable, appoint a data protection officer (art 35) If applicable, conduct a data protection impact assessment (art 37) Ensure for adequacy when transferring personal data to third countries (art 44) Subject to supervising authority (art 56) Liability for compensation of damages and for administrative fines (art 82-83)

Personal data management

data Security

data subject’s rights Data Subject Rights Mgt

Proof GDPR compliance Database Website e-news subscription Name: Torfs First Name: Joke Email: joke@email.com PC: 2000 City Leuven DOB: 1 Jan 1985 Name: Joke First Name: Torfs Address: Elleveldeweg 8 PC: 2000 City Leuven DOB: 1/1/1985 Name: Torfs FN: : Joke @: J@email.com Gender: Female City: 3000 Leuven Website e-news subscription Order form & delivery Mobile delivery message joke@email.com Contact Elleveldeweg 8, 3000 Leuven Joke Torfs Date of Birth First Name, Name Gender 01/01/1985 Delivery Female J@email.com Database Checks done: Name / First Name Inversion check Address Standardisation and Verification Email Structure Check Opt-in mgt logging of changes in dbase

registerverplichting

GDPR: Is this still you?

wat nu EU General Data Protection Regulation An obligation. A strategic opportunity.

DE GEEST VAN DE WET Geef de controle van de persoonlijke data terug aan de mens

It was our pleasure… Gerrit Vandendriessche Claudine Knop gerrit.vandendriessche@altius.com Tour& Taxis Building Avenue du port 86 C, B414 1000 Brussels www.altius.com Claudine Knop claudine.knop@dbm.be Pegasus Park De Kleetlaan 12B 1831 Diegem www.dbm.be / www.ligato.be