Collection & Processing

• Personal Data Protection Act BES (Wet bescherming persoonsgegevens BES) (“Personal Data Protection Act BES”);
• General Data Protection Regulation (the “GDPR”) – a regulation of the European Union which became effective on May 25, 2018.

Definition of Personal Data

Personal Data Protection Act BES 

Article 1 paragraph 2 of the Personal Data Protection Act BES stipulates personal data as any data concerning an identified or identifiable natural person. 

GDPR 

Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Definition of Sensitive Personal Data

Personal Data Protection Act BES 

A person’s religion or belief, race, political views, health, sexual life as well as personal data concerning membership of a trade union. 

GDPR 

Data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

Personal Data Protection Act BES 

The Personal Data Protection Committee as referred to in article 44 of Personal Data Protection Act BES. 

GDPR 

An independent public authority established by a Member state pursuant to article 51 of the GDPR (Article 4(21), GDPR). The authority is responsible for monitoring the application of the GDPR in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU.

Personal Data Protection Act BES 

No registration required. 

GDPR

Article 30 GDPR requires companies to keep an internal electronic registry, which contains the information of all personal data processing activities carried out by the company.

Personal Data Protection Act BES 

Pursuant to article 13 of the Personal Data Protection Act BES the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data. 

Besides the measures above, the Personal Data Protection Act BES does not contain any clauses on any type of registration, filings of documents to any public agency or having a mandatory data protection officer in place. 

GDPR 

The appointment of a data protection officer under the GDPR is only mandatory in three situations:

• When the organisation is a public authority or body;
• If the core activities require regular and systematic monitoring of data subjects on a large scale; or
• If the core activities involve large scale processing of special categories of personal data and data relating to criminal convictions.

Personal Data Protection Act BES 

Collecting and processing: any act or set of acts relating to personal data, including in any case the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, bringing together , as well as data blocking, erasure or destruction of data. 

GDPR 

Collection: a natural or legal person, public authority, agency or other body that collect personal data and use it for certain purposes, like a website that markets to users based on their online behaviour. 

Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Processors act on behalf of the relevant controller and under their authority.

Personal Data Protection Act BES 

Article 42 of Personal Data Protection Act BES stipulates that personal data that is subject to processing or that are intended to be processed after its transfer may only be transferred to a country outside the European Union if, without prejudice to compliance with the law, that country guarantees an adequate level of protection. 

GDPR 

The GDPR restricts transfers of personal data outside the European Economic Area, or the protection of the GDPR, unless the rights of the individuals in respect of their personal data is protected in another way, or one of a limited number of exceptions applies.

Personal Data Protection Act BES 

Pursuant to article 13 of the Personal Data Protection Act BES the responsible party shall execute appropriate technical and organizational measures to secure personal data against loss or any form of unlawful processing. These measures shall guarantee an appropriate level of security, taking account of the technical state of the art and the costs of execution, in view of the risks associated with that processing and the nature of the data to be protected. The measures shall be aimed partly at preventing unnecessary gathering and further processing of personal data. 

GDPR 

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (article 32 GDPR).

Personal Data Protection Act BES 

Contains no specific clauses. 

GDPR 

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with article 55 GDPR, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. 

Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

Personal Data Protection Act BES 

Pursuant to the Personal Data Protection Act BES the committee is authorized to impose an order under administrative coercion to enforce the obligations laid down by or pursuant to the Personal Data Protection Act BES. 

GDPR 

The GDPR holds a variety of potential penalties for businesses. 

For example, article 77 of GDPR states that: 

“Every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating him or her infringes this Regulation.” 

Additionally, article 79 of the Regulation states that “such proceedings may be brought before the courts of the Member State where the data subject has his or her habitual residence.” 

Penalties 

Compensation to Data Subjects. One penalty that may be imposed is compensation to, as stated in article 82 of the Regulation, “Any person who has suffered material or non-material damage as a result of an infringement of this Regulation” for the damage they’ve suffered. 

Fines 

Article 83 of GDPR specifies a number of different fines that may vary based on the nature of the infraction, its severity, and the level of cooperation that “data processors” (i.e. you) provide to the “supervisory authority.” Less severe infringements may incur administrative fines of up to 10,000,000 Euros or 2% of your total worldwide annual turnover for the preceding year (whichever is greater), while more severe infractions may double these fines (20,000,000 or 4% annual turnover). 

Individual Member States of the EU may have additional fines and penalties that may be applied as well. However, these additional penalties are not specifically listed in the text of the Regulation since they’re up to the individual EU nations to set—the only guidelines in article 84 of GDPR are that “Such penalties shall be effective, proportionate and dissuasive” and that “Each Member State shall notify to the Commission the provisions of its law which it adopts pursuant to paragraph 1, by 25 May 2018.”

Personal Data Protection Act BES

N/A. 

GDPR

Under article 22 GDPR organizations cannot send marketing emails without active, specific consent.

Companies can only send email marketing to individuals if:

• The individual has specifically consented.
• They are an existing customer who previously bought a similar service or product and were given a simple way to opt out.

Personal Data Protection Act BES

Contains no specific clauses. 

GDPR 

Cookies, insofar as they are used to identify users, qualify as personal data and are therefore subject to the GDPR. Companies do have a right to process their users’ data as long as they receive consent or if they have a legitimate interest. 

Location data, the GDPR will apply if the data collector collects the location data from the device and if it can be used to identify a person. 

If the data is anonymized such that it cannot be linked to a person, then the GDPR will not apply. However, if the location data is processed with other data related to a user, the device or the user’s behavior, or is used in a manner to single out individuals from others, then it will be “personal data” and fall within the scope of the GDPR even if traditional identifiers such as name, address etc. are not known.