GDPR basics

The most important law on the protection of personal data is the General Data Protection Regulation (GDPR). This European law applies throughout the European Union (EU). Under this subject you will find general information about the GDPR: how the GDPR works and what its fundamental points are.


Legislative text of the GDPR

The consolidated legislative text of the GDPR on the website of the EU is the most useful version because the later amendments (rectifications) to the original legislative text have been incorporated in it. This version is a good representation of the applicable, amended text of the GDPR.

The official legislative text of the GDPR is the text as published in the Official Journal of the EU of 4 May 2016. This makes it the legally binding version of the GDPR. Two rectifications to this legislative text were published at a later time:
 

  1. GDPR rectification of 23 May 2018 
  2. GDPR rectification of 4 March 2021.

Quick answers

Does the GDPR apply to pilots, tests and pilot projects?

Yes. Do you process personal data during a pilot, test or pilot project? Then the General Data Protection Regulation (GDPR) applies, even if the final product has not yet been delivered.

This means, among other things, that you have to determine whether you are allowed to process personal data. And if so, you have to demonstrate that you meet the requirements of the GDPR. For example, you have to assess whether you have to carry out a DPIA prior to a pilot, test or pilot project.

The purpose of a pilot, test or pilot project is to test a new way of working. You can use a pilot, test or pilot project to investigate if a way of working is effective and efficient for solving a certain problem. A pilot, test or pilot project may also be very useful for testing privacy by design.

 

Does the GDPR apply to business cards that I receive?

Do you keep business cards that you received systematically (for example, by storing them in alphabetical order) for professional use? Then the General Data Protection Regulation (GDPR) applies.

Strictly speaking, you are then the controller. This means that there has to be a legal basis that you can rely on for processing the personal data on business cards.

In this case, you can rely on the legal basis ‘consent’ for your processing, as you may assume that the person who gives you the business card also gives you consent to use the card for its intended purpose (keeping and using contact details). You can easily demonstrate that you have obtained consent because you have the card in your possession.

There are 2 situations in which the GDPR does not apply to the business cards that you receive:

  • You receive business cards in a private capacity and use them for your own purposes, and therefore not for your work.
  • You do not keep business cards systematically. In that case, the GDPR does not apply, because there is no fully or partially automated processing or inclusion in a file.

Informing not necessary
 

According to the law, you have to inform the person whose data you collect about this processing. But when someone gives you a business card, you may assume that this person already knows what you will do with the data on the card.

Wider dissemination
 

Note: are the data on a business card disseminated more widely? For example, because your employer centrally collects and registers all business cards received to enable the entire organisation to use them? Then you may not simply assume that you also have consent for this purpose from the person who gives you a business card.

It is advisable to point out to the person you are speaking with that the data on the card will be disseminated more widely. Does that person object to this? Then you can give the card back or keep it for private purposes.

Do I, as a logistics service provider, have to conclude processing agreements with my clients?

No. You are not a processor, even if you work for a client as a logistics service provider.

You are the controller for the processing of personal data that are necessary for your services, such as names, addresses, postcodes, places of residence, and telephone numbers and email addresses for track & trace delivery.

Can I, as a municipality, water board or province, include the processing operations of multiple administrative bodies in 1 processing register?

Yes, you can. Administrative bodies are free to compile 1 processing register jointly. However, the processing register has to show clearly which administrative body is the controller (there could also be several of them) for which data processing operation.
 
