What is the GDPR/AVG?
GDPR stands for General Data Protection Regulation. Very briefly, it is the renewed privacy legislation on the protection of personal data, applicable to European citizens. In Dutch, this is also referred to as the AVG or General Data Protection Ordinance.
The data protection in question requires:
appropriate technical and organisational measures that we must take in the form of information security (firewall, antivirus, anti-phishing, etc.)
appropriate procedures such as obtaining the active consent of data subjects to process their data.
This legislation will enter into force on 25 May 2018, which is why we would like to inform you in advance how we are doing this today. After all, simply storing personal data is already a processing operation. So when we receive a mailing list from you as a customer (with names, addresses or other personal data), there are certain rules attached to it. We must make these rules clear internally and everyone within the organisation must comply with them.
What are the steps we take?
Initially, a data register or register of processing activities will be set up. This register (required by Article 30) contains the basis and content of the processing of personal data and covers suppliers, customers and personnel as well as all their personal data that we process from or for them.
Therefore, when we process personal data for you as a customer, we will place special emphasis on this and include the processing of these data in this register. This processing information includes the owner of the data, purpose, location, access, etc. One of the reasons for this is that we ourselves must gain insight into the various places where and for whom we keep which personal data.
An EU citizen has a number of rights that he or she can invoke, such as the right of access, the right to change or delete his or her personal data, but also the right to transfer them to third parties (Article 20).
For this reason, we need to know at all times where these data are located.
How can you find out more?
In addition, and this is not mandatory for Graphius, we appoint a certified data protection officer, in professional jargon a DPO (Data Protection Officer). He or she will be responsible for regular monitoring of the application of this legislation, providing the necessary procedures and answering internal and external questions concerning the GDPR.
You can reach our DPO (Hendrik Van Haele) via firstname.lastname@example.org.