GDPR is applicable as from 25 May 2018 - are you ready?

Although the GDPR already entered into force on 25 May 2016, the GDPR will really apply as from Friday 25 May 2018. In concrete terms, this means that we are entering the weekend with new legislation concerning data protection and that the old legislation on this subject will no longer apply. 

It’s time! After the GDPR entered into force on 25 May 2016 (and you have probably received an overload of information about this recently), it will as of today, Friday 25 May 2018, finally be applicable. In Belgium, it will replace the Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data.

1. Specific Belgian legislation?

One reason for the two-year period between the entry into force and the application of the GDPR was to allow Member States to finalise their national legislation.

In this context, the GDPR states, among other things, that Member State law or collective agreements may provide for specific rules on the processing of employees’ personal data in the employment context. This concerns in particular rules in the framework of recruitment, the performance of the employment contract (including discharge of obligations laid down by law or by collective agreements), the management, planning and organisation of work, equality and diversity in the workplace, health and safety at work, and for the purposes of the exercise and enjoyment, on an individual or collective basis, of rights and benefits related to employment, and for the purpose of the termination of the employment relationship. Also outside the HR framework, the GDPR contains several “opening clauses” that can be clarified, executed or supplemented by the Member States.

Like most other European countries, Belgium will have a separate Belgian act in addition to the GDPR on the protection of personal data of natural persons. However, for the time being there is only a preliminary draft of the law on this subject, and there is thus no final legislation yet. For the time being, it remains unclear when the final version can be expected, but it can be presumed that the final legislation on personal data processing will enter into force retroactively on 25 May 2018.

2. Consequences for controllers? 

Another reason for the two-year period was to allow companies to finalise their processing activities by 25 May 2018 and to frame them in the right way.

All processing activities at the level of the controller should thus by today have been brought into line with the GDPR, even if they already complied with the Act of 8 December 1992.

Taking into account the extensive sanctioning power of the Data Protection Authority (the new name that the Privacy Commission will have as of today), this means concretely - among other things and without being exhaustive - the following:

  • The correct legal ground must be determined for each processing activity. If consent is used, it should comply with the stricter conditions of the GDPR; this means that it must be freely given, informed, specific, unambiguous and withdrawable.
     
  • As of today, most controllers and processors will have to keep records of all processing activities that take place under their responsibility. The Data Protection Authority will always be able to request access to these records to monitor the processing activities. For this purpose, companies must have examined which personal data are processed, where they come from, with whom which data are shared, which legal ground is used for the processing, whether the safeguards are in place, etc.
     
  • Some controllers will have to arrange for a “Data Protection Officer” to be appointed.
     
  • Controllers must have provided the data subjects with the correct information regarding the processing of their personal data, and must have adapted their agreements with their processors. It is also possible that existing policies had to be modified, or that new policies had to be drawn up.
     
  • Confirmations granted by the then Privacy Commission with regard to the transfer of personal data to third countries without an appropriate level of protection based on appropriate safeguards, such as contractual provisions, remain in force until they are changed, replaced or withdrawn.

And you? Are you ready?