GDPR

Would you like to know more about what changes the GDPR will mean for your company?

“GDPR” stands for General Data Protection Regulation. The GDPR is the new regulation on data protection and replaces the older texts on this subject (Directive 95/46/EC and the Data Protection Act of 8 December 1992). The GDPR came into effect on 25 May 2018. Although the main principles of the GDPR are basically the same as those enshrined in earlier legislation, it does include several new elements as well (in relation to the rights data subjects enjoy and the obligations subcontracted processors are bound by, for instance).

Although the European authorities would like GDPR certification schemes to be developed in due course, such schemes do not exist yet. SECUREX is monitoring the situation closely. When the time comes, we will assess whether it is desirable to join any such scheme. At present, our social secretariat (payroll processor) is ISAE 3402 certified. In this context, an evaluation of our compliance with the GDPR will be performed. In addition, our SEPP (External Service for Prevention and Protection at Work / Occupational medicine) has been awarded the ISO 9001 quality label.

Yes. One of the new requirements under the GDPR is that companies are obliged to designate a Data Protection Officer (DPO) under given circumstances, for example when their core activity consists of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale. As SECUREX, throughout its various activities, processes large quantities of personal data of workers, self-employed persons and business leaders (including their families, in the area of child benefit), it is bound by the obligation to designate a DPO.

That question must be answered on an activity-by-activity basis. For a large part of its activities, SECUREX is a processor (e.g. payroll administration by the various entities of its social secretariat), because it processes workers’ personal data based on instructions from employers, who are the controllers. For other activities, SECUREX is the controller, because it defines the purposes and terms of the processing (e.g. insurance, surveys) or because it is vested with that capacity by law (e.g. medicals, SEPP).

In general, as far as our social secretariat/payroll processing activities are concerned, the employer (you) is the controller (because you give us the relevant instructions to issue and send out payslips), while SECUREX is the processor (because it acts on your instructions).

Likewise, when you use the services of a SECUREX HR consultant, you are the controller of the data the consultant processes and SECUREX is the processor.

Conversely, if you take out a SECUREX insurance policy (e.g. an occupational accident or guaranteed income policy), SECUREX is the controller of the data processed in pursuance of the insurance policy in question.

Similarly, SECUREX is the controller of your workers’ health-related data in the context of its preventive medicine (SEPP) and medical monitoring (MCM) services (in view of the doctor’s independence from the employer).

A data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Accordingly, a data breach within the meaning of the GDPR covers, for instance:
  • any form of hacking into a server;
  • any form of accidental destruction (in spite of all the IT security procedures in place) of a hard disk containing personal data;
  • any form of revelation of personal data obtained via the SECUREX Group infrastructure.

If SECUREX is the processor (as a payroll processor, for instance), it will notify you, using a specific form, as soon as possible. This form will list all the details you will need to meet your notification requirements vis-à-vis the Belgian Data Protection Authority (DPA).

In some circumstances, it is up to the controller (you, as far as our social secretariat services are concerned and/or SECUREX itself for other services, see above) to notify the DPA when a data breach has occurred.

SECUREX has put in place a procedure and the relevant forms to inform you in due time of the details that need to be included in your notification to the DPA (or, where applicable, to meet its own notification requirements to the DPA).

SECUREX has introduced organisational measures (the designation of a DPO, a CISO, etc.) and procedural measures (procedures, policies, a security manual) to ensure the IT and physical security of the personal data it processes. Furthermore, some of our activities have been awarded certification (the social secretariat holds ISAE 3402 certification and the SEPP is ISO 9001 certified).

  • To find out more about your obligations as an employer, see the series of articles that has been published on lex4you.be.
  • To obtain a Privacy Policy or data register template for your HR processing operations, please visit our e-shop or contact your Legal Advisor.
  • If you would like concrete advice and/or want to find out how the GDPR may impact your HR policies, you can make use of our paid service and/or ask your Legal Advisor for a GDPR screening of all your HR policies (subject to a fee).
  • If you are interested in following a GDPR training course, make sure to check out our training agenda.

SECUREX is not authorised to provide general GDPR-related consultancy services. However, we can help you with a model register for HR processing of personal data. You can obtain a model document from our e-shop or directly from our Legal Advisors. 

Securex processes your data solely in Europe. For example, the Securex servers on which, amongst other things, your employee data for the social secretariat service offering is stored are located in Belgium.

For certain specific services, subcontractors may have limited access to certain personal data. Any such subcontractor is required to meet the same conditions and expectations.
We contractually safeguard and monitor that those subcontractors process the data in the European Union or in another country recognised as providing an adequate level of protection (e.g., the United Kingdom or Switzerland).
If certain services nevertheless require data to be transferred to other countries, this can only be done if sufficient prior guarantees are offered for an adequate level of protection of the personal data and privacy of the people involved (as provided for by Europe and the GDPR on the basis of, e.g., Binding Corporate Rules or Standard Contractual Clauses).