04 October 2023
The new Data Protection Act is here. Are you ready for it?
The new Data Protection Act ("DPA") came into force on September 1. Over the past few weeks, we've been receiving numerous e-mails, pop-ups and other notifications informing us of updated data privacy policies. But what exactly is involved, and to what extent are you affected? Here's a brief explanation for those who simply clicked "OK" to make the pop-up disappear...
Goals
The aim of the new Data Protection Act is to protect the personality and fundamental rights of individuals whose personal data is processed. By "processing" we mean "any operation relating to personal data". In practice, therefore, every company holding a list of customers, prospects or... employees is subject to the DPA.
Obligations
In terms of obligations, any operation relating to information concerning an identified or identifiable natural person is subject to a series of principles such as legality, good faith, proportionality, the determinable and recognizable nature of the purpose and, last but not least, consent where required.
Every legal entity or individual processing personal data must therefore ensure that technical and organizational measures are in place to comply with the aforementioned principles. In concrete terms, these measures must answer questions relating to the way in which personal data is collected, secured and processed. One of the central elements is the obligation for each company to inform the persons concerned of the collection of personal information, whether this collection is carried out directly or indirectly. It will also be necessary to determine whether the data collected is indeed in line with the desired purpose, the extent to which the rights of the person concerned are taken into account, and whether the data collection requires the consent of the data subject and, if so, in what form. Certain organizational measures are also imposed on large companies with more than 250 employees.
It should be noted that failure to comply with the duty to inform persons whose personal data is collected may, upon complaint, be punishable by a fine. At present, it is still too early to say how the penal provisions of the DPA will be applied.
Actions to be taken
Ultimately, this new legislation should at least lead to a rethinking of the way each company handles personal data. Some companies will be well advised to draw up an internal directive or regulation on the subject. In any case, it's important for everyone to have a clear picture, not only to comply with the new legal requirements, but also to be able to respond simply and effectively to any request, legitimate or otherwise, and thus avoid any time-consuming inconvenience.
