GDPR fine
Who must comply with the GDPR?
TheGDPRregulationapplies to all companies and government services within the European Union that process and collect personal data.
The term'personal data'includes all possible data and information relating to an identified or identifiable natural person. This is sometimes referred to as 'involved parties'. In short: if data directly concerns a person or can be traced back to this person, it is already personal data.
Personal data can include many things. For example, think of an e-mail address, telephone numbers or an IP address.
For themost companiesthis means that they continuously come into contact with personal data. This could, for example, be about customers, suppliers, employees and perhaps even potential customers from whom sensitive data has already been collected.
Does the GDPR also apply to small businesses?
Absolute.All companiesfall under the scope of this privacy legislation. It does not matter what the worldwide annual turnover of your company is, how many employees you employ, whether you work in a certain sector... It also does not matter whether it is a small company or a large multinational.
The company form of your company is also of no importance. Whether you are a BV or NV, the GDPR and therefore also the GDPR fines are matters that you are obliged to take into account and that you should therefore keep in mind.
The GDPR also applies to the self-employed.
Why should companies take the GDPR into account?
The GDPR was created by the European Commission with the aim ofEuropean citizenbetter tooto protectin the field of privacy and data protection. The identity of a person and its protection are central, so to speak. Consent of the data subject plays an important role within the GDPR.
On the other hand, the GDPR also aims to enable companies to deal with data in a more conscious and safer waycollected data. By imposing legal obligations on companies, they are encouraged to work on this.
A company benefits greatly from dealing with collected data in a correct and conscious manner. That is what customers and employees appreciate, which makes it a bigger oneto trustcomes into your company.
GDPR fines must be aincentiveto actively work on data protection. After all, a GDPR fine is something you would rather avoid as a company. The Expertise of Mr. Franklin can help with this.
What obligations must companies comply with?
The way companies handle and process personal data is subject to the obligations of the GDPR.
A company must be able to justify at any time why and in what way personal data of the data subjects is collected and processed. There must also always be one for the processing of personal dataprocessing groundare. Companies are therefore not allowed to simply collect or keep data from individuals and have a certainaccountability. In addition, the GDPR imposes a number of other obligations on companies.
Processing grounds
There are severalprocessing grounds(“legal bases”), such as the processing ground “consent”. If the person concerned gives his or her consent, there may therefore be a justification for processing data.
Obtaining this permission must also meet a number of conditions, which are stipulated in the GDPR. For example, the data subject must know what permission is given, which personal data will be processed, for what purpose and for how long.
In addition to this specific consent, other processing grounds are also possible, such as a 'legitimate interest' or a 'legal obligation'. In total, there are 6 possible legal bases on which data may be processed.
Create register
Under the GDPR, companies are also required to have aregister of processing activitiesset up and maintain. This concerns internal documentation that companies keep themselves and in which information is kept about the personal data that is processed.
The register must be legible and understandable for the GBA. That's why she puts one herself on her websitemodel formavailable.
Companies can be asked by the GBAaccountabilitywith regard to this register. That is why it is best for you as a company to pay attention to this. An expert on Mr. Franklin can help you with this.
Other GDPR obligations
The GDPR contains other obligations for companies and matters that must be taken into account. So it is sometimes mandatory oneData Protection Impact Assessment (DIA)if the processing of personal data entails a high risk to the freedoms and rights of the data subject.
There is also one for those involved, for exampleright to be forgotten.
To make sure that you as a company are completelyGDPR proofand do not overlook any obligation, it is best to call on the expertise of Mr. Franklin.
Belgian supervisory authority
TheData Protection Authority(GBA)is the competent Belgian supervisory authority that supervises the protection of privacy in the processing of personal data.
It is a government institution that has been given the authority to supervise theGDPR compliance. The Inspection Service of the GBA can start an investigation in response to a complaint or on its own initiative. A report will then followLitigation room, the dispute body of the GBA, which can impose administrative fines on companies that do not comply with the GDPR.
In the Netherlands, the competent data protection authority is the Dutch Data Protection Authority. It also monitors compliance with the obligations under the GDPR and can impose GDPR fines on companies.
Overarching within the European Union, there is also the European Data Protection Board (European Data Protection Board). This is an independent European body that monitors the consistent application of the GDPR and promotes cooperation between the various national data protection authorities.
When are GDPR fines imposed?
Breaches of the GDPRcan give rise tosanctions. After an investigation, the Data Protection Authority (GBA) submits a report to theLitigation room, which to your company aGDPR fineimposes when a breach of the GDPR is established. This is also referred to as the 'substantive procedure'.
For example, if there is no correct justification for processing personal data, or if the data is stored for too long, you as a company run the risk of incurring a GDPR fine.
When will the GBA start an investigation?
A procedure is usually initiated at the GBA in response to acomplaint. If someone believes that his or her personal data is being processed incorrectly, that person can submit a complaint to the GBA. For example, think of a customer, a business partner or supplier.
The GBA can also be used without a complaintown initiativestart a procedure and conduct an investigation into how data processing is done within your company.
The investigation within the GBA is conducted by the Inspection Service of the GBA.
Administrative fine
GDPR finesabilityRise high. In the event of a violation or several violations of the GDPR, the Data Protection Authority can impose a fine on the company concerned of up to 20 million euros or 4% of the company's worldwide annual turnover, whichever amount gives the highest result.
Are these fines effectively issued?
Yes, the Data Protection Authority is not sitting still and has already sharedmultiple finesto companies that committed one or more breaches of the GDPR. In 2020, for example, a total of 83 decisions were made, imposing 19 fines on companies, for a total amount of 885,000 euros.
The amounts are sometimes also high.For example, on July 14, 2020, a fine of 600,000 euros was imposed on Google Belgium, because an investigation showed that the company had not correctly observed the right to be forgotten. This is the highest fine imposed by the GBA to date.
What can Mr. Franklin mean to you?
GDPR Compliance
mr. Franklin offersall in one packagesin return forfixed pricesto ensure that your businessGDPR proofis. A tailor-made GDPR and security policy is drawn up, so that you can sleep soundly.
The specific wishes of your company and way of working, your staff, commercial interests and specific expectations are taken into account.
DPO-as-a-service
You can also call on the lawyers of Mr. Franklin who can act as certifieddata protection officer (DPO). A data protection officer is an independent person within a company who monitors compliance with the GDPR.
Sometimes it is mandatory to appoint a DPO, especially for companies that process a lot of sensitive personal data, such as law firms, medical practices and bailiffs' offices. This is necessary to guarantee the high quality of data security.
Assistance in proceedings
You can go to Mr. Franklin also rightly soassistance in proceedings. This may concern procedures before the GBA, but also legal proceedings, for example if you want to contest an imposed sanction.
The GBA and Disputes Chamber attach great importance to cooperation, both during the investigation phase and during the proceedings on the merits. That is why it is best to call on the expertise and experience of Mr. Franklin. In this way you can avoid procedures and high fines.
CONTACTEER ONS!
THEY ALSO APPLIED TO MR. FRANKLIN
mr. Franklin is the ideal legal point of contact for us, as a software company. We have been perfectly assisted several times with contractual and GDPR-related challenges. Their no-nonsense approach and communication makes me Mr. Franklin warmly recommend.
Alex Vandevelde / Quanta Corp
mr. Franklin always provides quality work for a clear price.
Alain Carels / Carbofisc