Privacy rules in a global world - do's, don'ts and best practices. Takeaways from the Beltug N-sight of 23 October 2018


Privacy and GDPR rules are complex for all companies, and even more so for companies with an international focus and activity. This session was specifically set up for those enterprises. We first zoomed in on the many challenges they face, then heard from legal experts about how to tackle some of the questions. The presentations from the event are available, exclusively for Beltug members (after login).



GDPR challenges for Barco


Katrien Martens, Legal Counsel & DPO, opened the afternoon with her experiences and best practices at Barco. Awareness is key for GDPR, she stated. Employees must have at least some basic awareness of privacy and GDPR rules. In Europe this is the case, but not abroad. Companies need to build awareness among all employees, including blue-collar staff and overseas colleagues. So Barco undertook a highly interactive training programme, packed with examples. This training was customised to the specific target audience: for example, sales and marketing training was based on do's and don'ts, and was quite 'crisp'.


'Consent in the marketing process' was a complex concept. Mapping the data flow within the company was helpful, to define the ways information enters the company and to mould the consent process on the correct legal ground (consent or legitimate interest). When doing this, however, it's important to look at your database, she advised, and to involve marketing in this exercise. A marketing automation tool supports the application of do's and don'ts for sales and marketing and can help in applying the GDPR guidelines. (Have a look at slide 3 for more details.)


Barco has quite a few key and core suppliers; these need to comply with the new data protection clauses in their contracts. Katrien adds, "Suppliers are considered as data processors; we have found the Beltug CSP questionnaire for GDPR [+ link to page] very helpful when dealing with cloud providers."


For 'Privacy by Design', Barco built a checklist for product managers and engineers to use in the early stages of designing a new product.


Complying with the GDPR in an international context


Next, we moved to the legal perspective. Peter Van Dyck, partner at Allen & Overy, emphasised that the GDPR does apply to non-EU companies. 'Who does the processing' is less important than 'who the processing is for'. If these activities involve EU entities, the GDPR rules apply (slide 4 has more examples). The conclusion is that non-EU companies must comply with all GDPR obligations.


For companies that are active within multiple EU countries (EU multinationals), the identification of the lead data protection authority is not just academic: it can influence processes a lot. More key considerations:

  • Harmonise, but be careful!
  • Group or local DPO(s)
  • Group or local data register(s).

(See slide 8).


For international data transfers within the European Economic Area (EEA), there are no additional rules, Peter confirmed. But when transferring outside the EEA, companies need to differentiate between countries with and without an adequate level of protection. (Slide 10 shows which countries have an adequate level of protection.) For the US, only companies that have adopted the Privacy Shield are considered to offer an adequate level.


To conclude, Peter addressed the possibility of a hard Brexit and its consequences:

  • After Brexit, the UK will no longer be an EEA country, so no more 'free' data transfers.
  • The UK will probably receive an adequacy decision - but not immediately!
  • To prepare, think about the role you want the UK to play in your organisation (UK servers, UK DPO, etc.)


Cross-border data transfers


Bastiaan Bruyndonckx, Partner at Lydian, then carried on with the legal aspects, delving into the key issue of the transfer of personal data. He provided an overview of the various transfer mechanisms possible (slide 4), and first focused on the mechanism of appropriate safeguards:

  • Standard Contractual Clauses (SCC)
  • Binding Corporate Rules (BCR)
  • Approved Codes of Conduct (CoC) + binding and enforceable commitments of the controller/processor in the third country to apply appropriate safeguards
  • Approved certification mechanism + binding and enforceable commitments of the controller/processor in the third country to apply appropriate safeguards
  • ‘Ad hoc’ contractual clauses, approved by Data Protection Authority
  • Legally binding and enforceable instrument between public authorities/bodies
  • Provisions in administrative arrangements between public authorities/bodies, approved by Data Protection Authority

(More detail on each can be found in slides 7 to 11.)


To conclude, Bastiaan looked at derogations: mechanisms that allow you to transfer data to non-EEA countries, even if the general mechanisms don't apply to you. This is the case when:

  • The data subject has explicitly consented to the proposed transfer.
  • The transfer is necessary for the performance of a contract between data subject and controller.
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
  • The transfer is necessary for important reasons of public interest.
  • The transfer is necessary for the establishment, exercise or defence of legal claims.
  • The transfer is necessary in order to protect the vital interests.
  • The transfer is made from a register which according to Union or Member State law is intended to provide information to the public.


Of course, all these exceptions are subject to a strict interpretation.


One final exception can be a compelling legitimate interest - but under very strict circumstances (see slide 16 for the details).


Bastiaan wrapped up with a to-do list for companies:

  • Analyse and map transfers to third countries (inside/outside EEA)
  • Ensure you have a legitimate basis for transferring data to third countries and/or international organisations
  • Check the transfer contracts, including subcontractors (back-to-back)
  • Implement appropriate safeguards if necessary (SCCs, BCR, etc.)
  • Be aware that non-compliance may result in a fine of EUR 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
