GDPR basics
The most important law on the protection of personal data is the General Data Protection Regulation (GDPR). This European law applies throughout the European Union (EU). Under this subject you can find general information about the GDPR: how does the GDPR work, and what are the fundamental points of the GDPR?
Legislative text of the GDPR
The consolidated legislative text of the GDPR on the website of the EU is the most useful version because the later amendments (rectifications) to the original legislative text have been incorporated in it. This version is a good representation of the applicable, amended text of the GDPR.
The official legislative text of the GDPR is the text as published in the Official Journal of the EU of 4 May 2016. This makes it the legally binding version of the GDPR. Two rectifications to this legislative text were published at a later time:
Quick answers
Does the GDPR apply to pilots, tests and pilot projects?
Yes. Do you process personal data during a pilot, test or pilot project? Then the General Data Protection Regulation (GDPR) applies, even if the final product has not yet been delivered.
This means, among other things, that you have to determine whether you are allowed to process personal data. And if so, you have to demonstrate that you meet the requirements of the GDPR. For example, you have to assess whether you have to carry out a DPIA prior to a pilot, test or pilot project.
The purpose of a pilot, test or pilot project is to test a new way of working. You can use a pilot, test or pilot project to investigate if a way of working is effective and efficient for solving a certain problem. A pilot, test or pilot project may also be very useful for testing privacy by design.
Does the GDPR apply to business cards that I receive?
Do you systematically keep business cards that you have received (for example, by storing them in alphabetical order) for professional use? Then the General Data Protection Regulation (GDPR) applies.
Strictly speaking, you are the controller then. This means that there has to be a legal basis that you can rely on for processing the personal data on business cards.
In this case, you can rely on the legal basis ‘consent’ for your processing, as you may assume that the person who gives you the business card also gives you consent to use the card for its intended purpose (keeping and using contact details). You can easily demonstrate that you have obtained consent because you have the card in your possession.
There are 2 situations in which the GDPR does not apply to the business cards that you receive:
- You receive business cards in a private capacity and use them for your own purposes, and therefore not for your work.
- You do not keep business cards systematically. In that case, the GDPR does not apply, because there is no fully or partially automated processing or inclusion in a file.
Informing not necessary
According to the law, you have to inform the person whose data you collect about this processing. But when someone gives you a business card, you may assume that this person already knows what you will do with the data on the card.
Wider dissemination
Note: are the data on a business card disseminated more widely? For example, because your employer centrally collects and registers all business cards received to enable the entire organisation to use them? Then you may not simply assume that you also have consent for this purpose from the person who gives you a business card.
It is advisable to point out to your discussion partner that the data on the card will be disseminated more widely. Does that person object to this? Then you can give the card back or keep it for private purposes.
Can a governmental organisation rely on the legal basis 'legitimate interest'?
No. As a governmental organisation, you can never rely on the legal basis 'legitimate interest' when performing your statutory tasks. You will therefore have to rely on one of the other legal bases. For example, the legal basis 'necessary for the performance of a task carried out in the public interest or in the exercise of official authority'.
As a governmental organisation, you may as a rule only process data for performing your tasks if the law has given you the power to do so. The legislator has to ensure that every governmental organisation has a legal basis for processing.
Do I, as a logistics service provider, have to conclude processing agreements with my clients?
No. You are not a processor, even if you work for a client as a logistics service provider.
You are the controller for the processing of personal data that are necessary for your services, such as names, addresses, postcodes, places of residence, and telephone numbers and email addresses for track & trace delivery.
Can I, as a municipality, water board or province, include the processing operations of multiple administrative bodies in 1 processing register?
Yes, you can. Administrative bodies are free to compile 1 processing register jointly.
However, the processing register has to show clearly which administrative body is the controller (there could also be several of them) for which data processing operation.