Rules of thumb for the processing of personal data

  • Personal data are “all information on a natural person through which the latter can be identified directly or indirectly,” such as name, identification number, location data, telephone numbers, e-mail addresses and online identifiers (e.g. information obtained by means of tracking cookies). Data concerning the physical, genetic, mental, cultural or social identity of a natural person also fall under the GDPR.
  • It is best to check which data you keep on your employees and which you share with your social secretariat. The same applies to data you keep relating to people who apply to your company.
  • People often think that processing entails a far-reaching operation, such as sending the data to a third party. Make no mistake: the mere collection of data suffices in and of itself to be considered as processing!

Tip! State clearly the purpose for which you process data in your general terms and conditions (or other contractual forms) and on your website.

The GDPR does not imply that you must always have explicit consent to process personal data. But when processing personal data, the following rules must be complied with AT ALL TIMES: 

  • Process the data in a legal, proper and transparent manner. The data must be processed for well-defined, expressly described and justified purposes.
  • The processed data must be relevant for what you want to do with them. For instance, you do not need the customer’s date of birth for invoicing purposes.  
  • The processed data must be correct, and incorrect data must be erased or corrected as promptly as possible.  
  • Data may be kept only for a period that is necessary for the purposes of the processing. So ask yourself now and then whether it is still useful to keep old data. 
  • The processed data must be secured in an appropriate manner against unauthorized processing or inadvertent loss.