In May 2018 the General Data Protection Regulation (also known as GDPR) came into effect. GDPR imposes new rules on the collection and processing of personal data. The law applies to organisations that offer products and services to people within the European Union (EU) and to organisations that collect and/or analyse data relating to European citizens.

Dutch Data Protection Authority (DPA)

This is an independent administrative body that has been appointed as a supervisory authority in the Netherlands to oversee compliance with the statutory rules for the protection of personal data. All member states of the EU have their own body for this purpose. See also Belgian Data Protection Authority.

DPO

A Data Protection Officer is responsible within a company for ensuring compliance with the regulations on the protection of personal data. Companies that process, manage or store large amounts of personal data are required by law to have such an officer.

GDPR

GDPR stands for General Data Protection Regulation, a regulation adopted by the EU to ensure improved protection of personal data.

Belgian Data Protection Authority

The Belgian Data Protection Authority, formerly the Privacy Commission, oversees compliance with the protection of personal data in Belgium. Its powers range from giving advice to investigation and prosecution. All member states of the EU have their own body for this purpose. See also Dutch Data Protection Authority.

Rights of the individual

GDPR focuses on the rights of the individual: the right to information and access to personal data, the right to be forgotten, the right to correct and delete data, the right to object to and restrict processing, and the right to the portability of data.

Register of processing activities

The register of processing activities contains information about which personal data are processed within the company. The data controller is required to keep a register of all processing activities for which it is responsible. The processor maintains a register of all categories of processing activities that it performs for the controller.

Duty to report data leaks

The duty to report data leaks means that organisations must report any serious data leak as soon as it occurs. In most cases, the data leak must also be reported to the data subjects (the people whose personal data have been leaked).

Personal data

Any information that directly contains details relating to a person, or is traceable to that person, counts as personal data. Examples include name, address, date and place of birth, IP address, citizen service number, customer number, email address, identifying physical features, licence plate, location details, etc.

Processor

A processor is an external party that receives instructions from a controller to process personal data. The processor therefore works for the controller. A processing agreement must be concluded between the two parties.

Controller

The controller determines why personal data are collected and how this is done. The controller may be a natural person, a legal person, a government agency, a service or another body.

Processing agreement

When a controller works with a processor, a processing agreement is obligatory. This sets out, among other things, exactly what the processor may do with the personal data. A processing agreement explicitly denies the third party the right to process the personal data for its own purposes.