GDPR basics

Yes. Do you process personal data during a pilot, test or pilot project? Then the General Data Protection Regulation (GDPR) applies. Even if the final product has not yet been delivered.

This means, among other things, that you have to determine whether you are allowed to process personal data. And if so, you have to demonstrate that you meet the requirements of the GDPR. For example, you have to assess whether you have to carry out a DPIA prior to a pilot, test or pilot project.

The purpose of a pilot, test or pilot project is to test a new way of working. You can use a pilot, test or pilot project to investigate if a way of working is effective and efficient for solving a certain problem. A pilot, test or pilot project may also be very useful for testing privacy by design.

Do you keep business cards that you received systematically (for example, by storing them in alphabetical order) for professional use? Then the General Data Protection Regulation (GDPR) applies.

Strictly speaking, you are the controller then. This means that there has to be a legal basis that you can rely on for processing the personal data on business cards.

In this case, you can rely on the legal basis ‘consent’ for your processing, as you may assume that the person who gives you the business card also gives you consent to use the card for which it is intended (keeping and using contact details). You can easily demonstrate that you have obtained consent because you have the card in your possession.

There are 2 situations in which the GDPR does not apply to the business cards that you receive:

• You receive business cards in a private capacity and use them for your own purposes, and therefore not for your work.
• You do not keep business cards systematically. In that case, the GDPR does not apply, because there is no fully or partially automated processing or inclusion in a file.

Informing not necessary
 

According to the law, you have to inform the person whose data you collect about this processing. But when someone gives you a business card, you may assume that this person already knows what you will do with the data on the card.

Wider dissemination
 

Note: are the data on a business card disseminated more widely? For example, because your employer centrally collects and registers all business cards received to enable the entire organisation to use them? Then you may not simply assume that you also have consent for this purpose from the person who gives you a business card.
 

It is advisable to point out to your discussion partner that the data on the card will be disseminated more widely. Does that person object to this? Then you can give the card back or keep it for private purposes.

No, the government is usually not allowed to do that. The government is, for example, your municipality or the UWV. If an organisation asks you for consent, you must also be able to say ‘no’, and that can be difficult with the government because you often need something from the government, such as a facility like a stair lift or benefits. So you are dependent on the government.

It is usually not necessary for the government to ask you for consent to use or share your data, because the law often states that the government is allowed to do so.

Sometimes, the law states nothing on the subject, but a government organisation still wants to share your data, because it turns out you need help. The organisation will then transfer your details to other organisations, where you can receive help. Organisations that you are unable to find yourself.

In such a case, it may be allowed. However, the organisation must explain to you clearly:

• which data of yours are shared by the organisation;
• why it does so (for what purpose);
• how that works.

You must also be given some time to decide whether you give consent for this. And, of course, you can always refuse.

Want to know more? Then read Consent and the government.

No. You are not a processor, even if you work for a client as a logistics service provider.

You are the controller for the processing of personal data that are necessary for your services. Such as names, addresses, postcodes, places of residence and telephone numbers and email addresses for track & trace delivery.