In certain cases, the GDPR legislation provides that EU Member States, and individually the national authorities, can introduce stricter measures. In the training for GDPR legislation via the SME Portfolio, we take into account:

  • the amended GDPR legislation,
  • the rules included in the recommendations of the Data Protection Authority.

A. The GDPR LEGISLATION and Personal Data?


According to the GDPR, the term personal data includes “any information relating to an identified or identifiable natural person (“the data subject”)”.

This term is therefore very broad and includes names, contact details, personal characteristics and health data. It also covers contracts and other documents that make it possible to identify a natural person.

The fact that a natural person is not “identified” from certain data does not mean that the data are not personal data. Data on the basis of which a natural person is “identifiable” are also personal data.

The GDPR therefore considers any natural person to be identifiable if they can be identified directly or indirectly. This can be through an identifier such as a name, an identification number, location data, an online identifier, or one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

2. The GDPR LEGISLATION and Special Categories of Personal Data

Certain types of personal data are additionally protected by the GDPR, such as special personal data and personal data regarding criminal convictions and criminal offences.

Special categories of personal data or sensitive data include the following personal data:

  • racial or ethnic origin;
  • political views;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data for the purpose of uniquely identifying a person;
  • health data;
  • data relating to a person’s sexual behavior or sexual orientation.

The processing of this data is prohibited in principle, but the GDPR legislation provides for a few exceptions where the processing is permitted.

The personal data concerning criminal convictions and offenses may only be processed under the supervision of the government or by a person if the processing is permitted by law.

These categories of personal data are relevant in the context of both a data breach and the data protection impact assessment.

B. The GDPR LEGISLATION and Processing

“Processing” is defined in the GDPR legislation as any “operation or a set of operations on personal data or a set of personal data, whether or not carried out by automated processes”.

This definition is very broad and includes “collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by transmission, dissemination or otherwise making available, aligning or combining” and “blocking, erasing or destroying data”.

In other words, every possible action and possible use with regard to personal data, from collection to destruction, falls under the scope of the GDPR legislation.

C. The GDPR LEGISLATION and the Controller versus the Processor.

Although the GDPR legislation imposes a large part of the obligations on both the controller and the processor, they also each have their specific obligations. It is therefore important to identify the capacity of the company for specific processing operations.

1. Training for the controller via the SME Portfolio

A controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

2. The processor in the GDPR Legislation

A processor is a natural or legal person, a public authority, a service or other body that processes personal data on behalf of the controller.

3. The GDPR Legislation and Joint Controllers

It is possible that the company determines the purpose and means of the processing together with another company. In such a case, they are joint controllers in the GDPR legislation.

D. Basics GDPR Legislation

The rights of the data subject and obligations of the controller and processor derive from the principles regarding the processing of personal data provided for in the GDPR legislation, such as:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality;
  • accountability.

If an organization complies with these principles and can demonstrate this, it will in principle be compliant with the GDPR legislation.

E. The GDPR LEGISLATION and Obligations in general

The obligations to which companies are bound can be summarized as follows:

  • Accountability,
  • The obligations corresponding to the rights of the data subject,
  • Lawfulness of the processing,
  • Security of processing and notification of breaches.

1. Accountability within the GDPR Legislation

a. GDPR Legislation training

Companies must take appropriate technical and organizational measures so that they can demonstrate that the processing operations they carry out are in accordance with the GDPR legislation.

The accountability obligation within the GDPR legislation mainly entails a documentation obligation.

b. The risk-based approach

Accountability is accompanied by a risk-based approach to the processing of personal data.

Both the controller and the processor should assess the likelihood and severity of the risks to the rights and freedoms of individuals before processing personal data. The nature, scope, context and purposes of the processing must be taken into account.

This means that every company must take measures when processing personal data in proportion to the risk level. The higher the risk, the stricter the measures.

In the context of accountability, it is important that companies can demonstrate that they have assessed the level of risk and have applied the appropriate measures.

c. The GDPR Legislation and the Register of Processing Activities

The controller and the processor must keep a register of processing activities.

In principle, this obligation only applies to companies with more than 250 employees, but an SME will also have to keep a register of processing activities if one of the following conditions is met:

  1. The processing poses a risk to the rights and freedoms of the data subject(s);
  2. The processing is not purely occasional;
  3. The processing relates to special categories of personal data or personal data related to criminal convictions and offences.

This obligation applies to almost every company, as a customer and employee database is always maintained in a systematic manner. [1]

The register of processing activities that a company must keep in its capacity as controller should contain the following information:

  • the name and contact details of the controller and any joint controllers and, where applicable, the name of the controller’s representative and the name of the data protection officer;
  • the processing purposes;
  • a description of the categories of data subjects and the categories of personal data;
  • the categories of recipients to whom the personal data are disclosed, including recipients in third countries or international organisations;
  • transfers to a third country or an international organisation, including the identification of that country or organization and the documents relating to the appropriate safeguards;
  • the envisaged deadlines within which the different categories of data must be erased;
  • a general description of the technical and organizational security measures.

The register of processing activities that a company must keep in its capacity as processor should contain the following information:

  • the name and contact details of the processors and controllers on whose behalf the processor acts, the name of the representative of the controller or the processor and the name of the data protection officer;
  • the categories of processing;
  • transfers to a third country or an international organisation, including the identification of that country or organization and the documents relating to the appropriate safeguards;
  • a general description of the technical and organizational security measures.

The register of processing activities forms part of the company's actual documentation obligation. After all, it serves as an excellent tool for the data protection authority to map out a company’s processing activities. The register of processing activities is a central document in the context of data breaches and the data protection impact assessment.

2. Data protection by design and by default

In the context of the principles of lawful data processing described above, the terms “data protection by design” and “data protection by default” are usually referred to as privacy by design and privacy by default, respectively.

These concepts are important in the context of the data protection impact assessment as they influence the risk.

a. The GDPR Legislation and Privacy by design or data protection by design

Any business activity should take into account the right to the protection of personal data and ensure that the controller and processor are able to comply with their data protection obligations.

The controller must always take into account the rights and freedoms of natural persons.

b. The GDPR Legislation and Privacy by default or data protection by default

When processing personal data under the GDPR legislation, the controller must also take appropriate technical and organizational measures to ensure that only the personal data necessary for each specific purpose of the processing are processed.

The controller must always provide the most privacy-friendly options when conducting business activities. These measures should ensure that the personal data is not made accessible to everyone.

3. The GDPR Legislation and the rights of the data subject

The GDPR imposes further rules that apply to all rights of data subjects.

Explanation of these rules:

1. Be clear!

The controller shall take appropriate measures so that the data subject is informed. If the data subject must be informed via, for example, the privacy statement on an existing website.

2. Ability to refuse to provide information;

The controller facilitates the exercise of the data subject’s rights and can only refuse to comply with a request if this is provided for in the GDPR.

3. Be fast;

The controller shall provide the data subject with the information within one month of receipt of the request.

If the controller does not comply with the request of the data subject, it shall inform the data subject at the latest within one month of receipt of the request why the request has been unsuccessful. It also informs the data subject about the possibility to lodge a complaint with a supervisory authority and to lodge an appeal with the court.

4. Free of charge for the data subject;

The provision of the mandatory information in response to a request from the data subject or in the event of a data breach is free of charge. Where requests from a data subject are unfounded or excessive, the controller may:

  • charge a reasonable fee for the administrative costs associated with providing the requested information or communication and taking the requested measures; or
  • refuse to comply with the request.

It is up to the controller to demonstrate the unfounded or excessive nature of the request.

Apply for your SME Portfolio for GDPR legislation training.