What is the GDPR?
“GDPR” stands for General Data Protection Regulation. The GDPR is the new regulation on data protection and replaces the older texts on this subject (Directive 95/46/EC and the Data Protection Act of 8 December 1992). The GDPR came into effect on 25 May 2018. Although the main principles of the GDPR are basically the same as those enshrined in earlier legislation, it does include several new elements as well (in relation to the rights data subjects enjoy and the obligations subcontracted processors are bound by, for instance).
What has SECUREX done to ensure compliance with the GDPR?
SECUREX has developed an action plan to ensure its compliance with the GDPR’s rules in every aspect of its activities and processes. This plan is now in force but has not yet been completely carried out. For a visual presentation of the main strands of this action plan (workstreams), please click here.
Is SECUREX GDPR compliant?
SECUREX has developed an action plan to ensure its compliance with the GDPR’s rules in every aspect of its activities and processes.
Is SECUREX GDPR certified?
Although the European authorities would like GDPR certification schemes to be developed in due course, such schemes do not exist yet. SECUREX is monitoring the situation closely. When the time comes, we will assess whether it is desirable to join any such scheme. At present, our social secretariat (payroll processor) is ISAE 3402 certified. In this context, an evaluation of our compliance with the GDPR will be performed. In addition, our SEPP (External Service for Prevention and Protection at Work / Occupational medicine) has been awarded the ISO9001 quality label.
Does SECUREX have a data protection officer?
Yes. One of the new requirements under the GDPR is that companies are obliged to designate a Data Protection Officer (DPO) under given circumstances, for example when their core activity consists of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale. As SECUREX, throughout its various activities, processes large quantities of personal data of workers, self-employed persons or business leaders (including their families, in the area of child benefit), it is bound by the obligation to designate a DPO.
Is SECUREX qualified as controller or as processor?
That question must be answered on an activity-by-activity basis. For a large part of its activities, SECUREX is a processor (e.g. payroll administration by the various entities of its social secretariat), because it processes workers’ personal data based on instructions from employers, who are the controllers. For other activities, SECUREX is the controller, because it defines the purposes and terms of the processing (e.g. insurance, surveys) or because it is vested with that capacity by law (e.g. medicals, SEPP).
As an employer, am I the controller of my HR data?
In general, as far as our social secretariat/payroll processing activities are concerned, the employer (you) is the controller (because you give us the relevant instructions to issue and send out payslips), while SECUREX is the processor (because it acts on your instructions).
Likewise, when you use the services of a SECUREX HR consultant, you are the controller of the data the consultant processes and SECUREX is the processor.
Conversely, if you take out a SECUREX insurance policy (e.g. an occupational accident or guaranteed income policy), SECUREX is the controller of the data processed in pursuance of the insurance policy in question.
Similarly, SECUREX is the controller of your workers’ health-related data in the context of its preventive medicine (SEPP) and medical monitoring (MCM) services (in view of the doctor’s independence from the employer).
What is a data breach?
A data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Accordingly, a data breach within the meaning of the GDPR covers, for example: any form of hacking into a server, any form of accidental destruction (in spite of all the IT security procedures in place) of a hard disk containing personal data, and any form of disclosure of personal data obtained via the SECUREX Group infrastructure.
How are data breaches dealt with?
If SECUREX is the processor (as a payroll processor, for instance), it will notify you, using a specific form, as soon as possible. This form will list all the details you will need to meet your notification requirements vis-à-vis the Belgian Data Protection Authority (DPA).
In some circumstances, it is up to the controller (you, as far as our social secretariat services are concerned and/or SECUREX itself for other services, see above) to notify the DPA when a data breach has occurred.
SECUREX has put in place a procedure and the relevant forms to inform you in due time of the details that need to be included in your notification to the DPA (or, where applicable, to meet its own notification requirements to the DPA).
What security measures has SECUREX implemented to protect the personal data it processes?
SECUREX has introduced organisational measures (the designation of a DPO, a CISO, etc.) and procedural measures (procedures, policies, a security manual) to ensure the IT and physical security of the personal data it processes. Furthermore, some of our activities have been awarded certification (the social secretariat holds ISAE 3402 certification and the SEPP is ISO9001 certified).
As an employer, what are my obligations under the GDPR?
To find out more about your obligations as an employer, click here for a series of articles that have been published on lex4you.be.
If you would like to get concrete advice and/or find out how the GDPR may impact your HR policies, you can use our fee-based service and/or ask your Legal Advisor for a GDPR screening of all your HR policies (subject to a fee).
If you are interested in following a GDPR training course, make sure to check out our training agenda.
Can you send me a model GDPR register for my business?
SECUREX is not authorised to provide general GDPR-related consultancy services. However, we can help you with a model register for HR processing of personal data. You can obtain a model document from our e-shop or directly from our Legal Advisors.
Where does SECUREX store the employee-related data it processes?
SECUREX’s servers (where, among other things, the data of your employees are stored for social secretariat / payroll processor services) are located in Belgium.
For certain specific services, subcontracted processors may have access to certain personal data, but to a limited extent only. In such cases, the SECUREX policy is to ensure that these subcontractors process the data within the European Union or in secure facilities (e.g. a US company certified under the EU-US Privacy Shield, or a company with which EU Model Clauses have been signed).