2. New obligations under the GDPR
Today’s program: in 5 questions
- What data do you collect?
- Is this documented?
- Who’s responsible?
- Are you transparent about your collection?
- Do you ever delete data?
But first: some privacy basics
2 www.dmcc.nl
4. Personal data
Privacy = processing of personal data
• Processing
• Personal data
Personal data (Art 1 GDPR): any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data (Art. 9/10 GDPR): data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation, and data relating to criminal convictions and offences.
8. Personal data
Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child.
Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.
10. Register of processing activities
1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information:
a. the name and contact details of the controller and, where applicable, the joint controller, the controller's representative and the data protection officer;
b. the purposes of the processing;
c. a description of the categories of data subjects and of the categories of personal data;
d. the categories of recipients to whom the personal data have been or will be disclosed including recipients in third countries or international organisations;
e. where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1), the documentation of suitable safeguards;
f. where possible, the envisaged time limits for erasure of the different categories of data;
g. where possible, a general description of the technical and organisational security measures referred to in Article 32(1).
11. Data mapping
Fundraising
➢ Donor administration
➢ Volunteer administration
➢ Collection
➢ Petitions
➢ Patient association
➢ Patient/member travels
➢ Website(s) and action pages
➢ Newsletter registrations
➢ Legacies
➢ Major donors
➢ Affiliates
➢ Social media
➢ Cookies
➢ Analytics
Projects
➢ Project management
➢ Investments
➢ Investee/investor due diligence
HRM
➢ Personnel administration
➢ Payroll
➢ Social security
➢ Learning management
➢ Time and attendance
Finance
➢ Creditors
➢ Debtors
➢ Beneficiaries
➢ Billing
➢ Reporting
12. Data mapping
Categories of personal data per type of data subject (Donor, Ex-donor, Participant, Prospect, Site visitor), with an Availability and a Confidentiality rating; an X marks where a category applies:
Address details: X X X X
E-mail: X X X X
Gender: X X X X
Date of birth: X X
Contact and order history: X X X X
Data regarding payments, transactions etc.: X X X X x
Financial data: X X X
Derived financial data: X X X
Lifestyle characteristics, profile information: X X
Special categories of data:
13. Data mapping
[Diagram: data flows between internally managed and externally managed systems of Party 1, Party 2 and Party 3: customer database, online accounts, customer data warehouse and data analyses, Single Customer View (selection tool; database marketing and sales, trial and ex-subscribers), e-mail tool for sales and marketing, blacklist of opt-out requests, telemarketing (automated dialer), websites/landing pages, data enrichment and validation, e-mail, direct mail, direct sales (field marketing tool), and retention.]
16. DPA (Art. 28 GDPR)
Governance
Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:
a. operates under clear instructions;
b. ensures confidentiality;
c. takes appropriate security measures;
d. will inform about any sub-processors;
e. helps the controller respond to requests from data subjects;
f. assists the controller in ensuring compliance;
g. at the choice of the controller, deletes or returns all the personal data to the controller after the end of the provision of services relating to processing;
h. makes available to the controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allows for and contributes to audits, including inspections, conducted by the controller or another auditor mandated by the controller.
17. DPO (Art 37 GDPR)
Governance
The controller and the processor shall designate a data protection officer in any case where:
a. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
b. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
c. the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
19. A. Fair and lawful processing
Art. 6 GDPR
a) consent (= opt-in, e-mail, SMS, social media and cookie data)
b) contract (gift, donor agreement, legacies)
f) legitimate interest (profiling, direct mail etc.)
Direct marketing is a legitimate business interest
Lawful processing
20. B. In a transparent manner
Art 12, 13 and 14 GDPR
Information relating to processing is given to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, about:
1) Identity
2) Purpose
3) Category of data
4) Rights
5) Third parties
Direct marketing is a legitimate business interest
Transparency
27. Art 4 GDPR
(8) ‘the data subject’s consent’ means any freely-given, specific and informed (…) indication of his or her wishes by which the data subject, either by a statement or by a clear affirmative action, signifies agreement to personal data relating to them being processed;
Consent
28. Art 7 GDPR
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Consent
29. Freely given
The freedom to say ‘no’ to the transaction without it significantly affecting you or producing a legal effect
Consent
35. Consent
When
• In effect since 2016
• Implemented by you in May 2018
Positive elements
• Instrument of a regulation
• Transparency obligations
• Fundraising is recognised as a legitimate purpose
37. Data retention
• Use of data limited to as long as necessary for the purpose of collection
• De-activating is not enough
• Adequate data retention periods?