Beltug

Privacy rules in a global world - do's, don'ts and best practices. Takeaways from the Beltug N-sight of 23 October 2018


Privacy and GDPR rules are complex for all companies, and even more so for companies with an international focus and activity. This session was specifically set up for those enterprises. We first zoomed in on the many challenges they face, then heard from legal experts about how to tackle some of the questions. The presentations from the event are available, exclusively for Beltug members (after login).

 

 

GDPR challenges for Barco

 

Katrien Martens, Legal Counsel & DPO, opened the afternoon with her experiences and best practices at Barco. Awareness is key for the GDPR scene, she stated. Employees must have at least some basic awareness about privacy and GDPR rules. In Europe this is the case, but not abroad. Companies need to build awareness for all employees, including blue-collar staff and overseas colleagues. So Barco undertook a highly interactive and active training program, packed with examples. This training was customised to each specific target audience: for example, sales and marketing training was based on do's and don'ts, and was quite ‘crisp’.

 

'Consent in the marketing process' was a complex concept. Mapping the dataflow within the company was helpful, to define the ways information enters the company and to mould the consent process based on the correct legal ground and legitimate interest. When doing this, however, it’s important to look at your database, she advised, and to involve marketing in this exercise. A marketing automation tool supports the application of do's and don'ts for sales and marketing and can help apply the GDPR guidelines. (Have a look at slide 3 for more details.)

 

Barco has quite a few key and core suppliers; these need to comply with the new data protection clauses in their contracts. Katrien added, "Suppliers are considered as data processors; we have found the Beltug CSP questionnaire for GDPR very helpful when dealing with cloud providers."

 

For 'Privacy by Design', Barco built a checklist for product managers and engineers to use in the early stages of designing a new product.

 

Complying with the GDPR in an international context

 

Next, we moved to the legal perspective.  Peter Van Dyck, partner at Allen & Overy, emphasised that the GDPR does apply to non-EU companies.  'Who does the processing' is less important than 'who the processing is for'.  If these activities involve EU entities, the GDPR rules apply (slide 4 has more examples). The conclusion is that non-EU companies must comply with all GDPR obligations.

 

For companies that are active within multiple EU countries (EU multinationals), the identification of the lead data protection authority is not just academic: it can influence processes a lot. More key considerations:

(See slide 8).

 

For international data transfers within the European Economic Area (EEA), there are no additional rules, Peter confirmed. But when transferring outside the EEA, companies need to differentiate between countries with or without an adequate level of protection. (Slide 10 shows which countries have an adequate level of protection.) For the US, only companies that have adopted the Privacy Shield are considered to offer an adequate level.

 

To conclude, Peter addressed the possibility of a hard Brexit and its consequences:

 

Cross-border data transfers

 

Bastiaan Bruyndonckx, Partner at Lydian, then carried on with the legal aspects, delving into the key issue of the transfer of personal data. He provided an overview of the various transfer mechanisms possible (slide 4), and first focussed on the mechanism of appropriate safeguards:

 (More detail on each can be found in slides 7 to 11.)

 

To conclude, Bastiaan looked at derogations:  mechanisms that allow you to transfer data to non-EEA countries, even if the general mechanisms don't apply to you.  This is the case when:

 

Of course, all these exceptions are subject to a strict interpretation.

 

One final exception can be a compelling legitimate interest - but under very strict circumstances (see slide 16 for the details).

 

Bastiaan wrapped up with a to-do list for companies: