How to identify the Lead Supervisory Authority (LSA)?

On the 5th of April 2017, the Article 29 Working Party revised and adopted guidelines on identifying the lead supervisory authority (LSA) for controllers and processors in the context of cross-border processing. These guidelines will help controllers and processors to determine the single supervisory authority (one-stop-shop principle) with whom they will deal regarding their obligations under the GDPR. Even though the new guidelines do not differ much from the guidelines adopted on the 13th of December 2016, they attempt to introduce more clarity:


From kitten to tiger: the new Gegevensbeschermingsautoriteit (Data Protection Authority)

Ensuring a high level of protection for the rights to privacy and data protection in our digitized and globalized society is becoming increasingly difficult. To respond to these new developments, the European legislator recently adopted the General Data Protection Regulation (Algemene Verordening Gegevensbescherming, “AVG”). Because creating new rights and obligations alone is not enough to raise this level of protection, the GDPR obliges Member States to provide for a supervisory authority that has the necessary powers to ensure compliance. Enter the new Belgian “Gegevensbeschermingsautoriteit” (Data Protection Authority).


From kitten to tiger: the new Data Protection Authority

The challenge of ensuring high levels of data protection to citizens in our increasingly digitized and globalized society has led the European legislator to recently adopt the General Data Protection Regulation (“GDPR”). Knowing that creating new rights and obligations is not sufficient, the GDPR compels Member States to reform their existing supervisory authorities to ensure the proper application of the new rules. Enter the new Belgian “Data Protection Authority”.


GDPR – PSD2: integrating both to ensure full compliance


The Revised Payment Service Directive (PSD2) is a directive focused on the further integration of an internal market in payment services. Third parties (Account Information Services Providers or AISPs and Payment Initiation Service Providers or PISPs) will have access to transactional data in order to analyse it and/or execute payments. The PSD2 is a directive, which means that member states need to implement it in national legislation. The implementation deadline for member states is the 13th of January 2018. Even though Belgium has not yet implemented the directive in national law, the key changes are clear: financial institutions will need to give access to bank accounts to third parties when double consent is obtained.


Identifying the Lead Supervisory Authority: an easy task?

On the 13th of December, the Article 29 Working Party issued its guidelines for identifying a controller’s or processor’s lead supervisory authority (LSA). The aim is to assist organizations in determining who their LSA is when carrying out cross-border processing activities. This relates to the one-stop-shop principle intended to simplify the way in which organizations operating in several European countries interact with the European supervisory authorities. Correctly identifying the LSA is important as it determines which authority an organization will have to deal with regarding many of the GDPR compliance requirements, such as registering a data protection officer, notifying a risky processing activity or notifying a data security breach.


Big Brother’s watching you, but these are your weapons!

On 25 May 2018 the time will have come: the new European General Data Protection Regulation (GDPR) will replace the current Data Protection Directive. The new regulation is meant to offer data subjects better data protection and forces many companies that process personal data to make far-reaching changes. From 2018 it will be possible to impose fines on companies of up to 20 million euros or 4% of their worldwide turnover for infringements of the GDPR. But the GDPR also ushers in a new era for individuals. The regulation contains a series of new protective measures that put citizens in a stronger position than ever with regard to their personal data. Yet there is still a great deal of ignorance and indifference about the subject. This article lists the rights of data subjects that the GDPR prescribes.


Profiling to Practice: Real Life Examples

With the GDPR, profiling is one of the provisions that will have the most significant impact on businesses that rely on profiling and processing large quantities of data, and on you as a customer and data subject. For the first time a European law defines what profiling means. In short, profiling is composed of three elements: it is an automated form of processing, it is carried out on personal data, and its purpose is to evaluate personal aspects about a person.

To put some practice into the theory, this blogpost will give 3 examples to show what the impact of profiling is or can be on your life as a consumer of all the goodies in the world.


Data Protection Today and Tomorrow: 24 years of hibernation, 368 days to wake up


Today on the 8th of December 2016, the Belgian Privacy Law celebrates its 24th birthday. Even though we celebrate its birthday, the countdown for the replacement of the Belgian Privacy Law continues as only 368 working days (532 days) are left before the General Data Protection Regulation (GDPR) enters into force. But what are the consequences of this change that has become such a hot topic? Time for some reflection to look at the highlights.

When looking at the GDPR, one will notice that certain provisions have been expanded and that new elements have been added.

One very crucial element is the scope of the GDPR, which will apply directly in all 28 member states. This means that the organisations and companies no longer have to take into account 28 different national laws, but will, in principle, only have to look at the regulation to know what they should or should not do. Importantly, organisations and companies that are not based in the EU must comply with the GDPR when they are directly involved with personal data in the EU.

With regard to individuals, the EU has listened to their demand of being more in control of their personal data and what happens to it, by expanding their rights. For example, the GDPR has added the right to data portability and now explicitly mentions the right to be forgotten (right to erasure), which was previously based on jurisprudence of the Court of Justice. Also, more attention is given to transparency, which will make the idea of data protection and being in control of the personal data more accessible to individuals.


ID Masking App by Dutch Government

For some time now, the Dutch government has made an app available (Android / iOS) with one purpose: to take a photo of your ID or passport and then mask certain information on the photo before you save it or send it along. The reason is that very often a copy or photo of your passport or ID is requested, even when only some of the information on the ID or passport is relevant. This app makes it easier to avoid discussions and provide a copy of your ID, but without giving out information (such as a person’s national number) that is not relevant or proportionate for the request.

The DPO and Conflict of Interest

On 20 October 16, the Bavarian State Office for Data Security Supervision (Bayerisches Landesamt für Datenschutzaufsicht, BayLDA) fined a company because the combination of the roles of Data Protection Officer (DPO) and IT Manager results in a conflict of interest.

Under German law, companies that process personal data are legally obligated to appoint an internal or external DPO if at least ten employees are involved in the automated processing of personal data. The role of the internal DPO cannot be exercised by a person who has tasks in the company that are in a relationship of tension with the independent, effective internal supervision of data protection.
