The General Data Protection Regulation (GDPR) is a privacy law that applies in the European Union (EU), including Belgium. The GDPR aims to ensure the protection of personal data of EU citizens and to strengthen the rights of individuals in an increasingly digital world. For websites that process personal data, the GDPR imposes a number of obligations to ensure the privacy of users.
A website in Belgium must meet several obligations to comply with the GDPR. Here are some important aspects:
Transparent and understandable information: The website must provide clear and understandable information to users about what personal data is collected, for what purpose, and how long it is stored. This information must be provided in a privacy statement or policy that is easily accessible on the website.
Consent: Before collecting or processing personal data, the website must obtain explicit consent from users. This consent must be voluntary, specific and informed. Users must have the opportunity to withdraw their consent at any time.
User rights: The GDPR gives users several rights with regard to their personal data. A website must ensure that users can exercise these rights. Some of these rights are the right to access, rectify, erase and restrict data processing.
Data security: A website must take appropriate technical and organizational measures to ensure the security of personal data. This includes implementing security measures to prevent unauthorized access, loss, theft or destruction of data.
Data breach notification obligation: In the event of a data breach, where personal data may have been lost, stolen or unlawfully processed, the website must report this to the competent authority, such as the Data Protection Authority in Belgium, within 72 hours. In certain cases, the user concerned must also be informed.
Processor agreements: If a website uses third parties, such as hosting providers or analytics tools, to process personal data on their behalf, processor agreements must be concluded. These agreements regulate the responsibilities and obligations regarding data processing between the website and the third party
Mandatory information on websites
In order to comply with the GDPR and the requirements of the economic inspection on a website, there are some mandatory statements that must be included. Here are some essential points:
For GDPR entries:
Privacy Statement: A clear and understandable privacy statement must be placed on the website. This statement must contain information about what personal data is collected, the purpose of the data processing, the legal basis for the processing, how long the data is stored and with whom the data is shared.
Consent: If the website collects personal data based on consent, this must be stated. Users must be informed about what data is being collected and explicitly agree before the data is processed.
User rights: The privacy statement must state that users have certain rights with respect to their personal data, such as the right to access, rectify, erase and restrict data processing. It must also state how users can exercise these rights.
Data security: It is important to mention that appropriate technical and organizational measures have been taken to ensure the security of personal data. Although the specific measures do not always need to be stated in detail, mentioning encryption, firewalls and data protection protocols may be useful.
For entries relating to the economic inspection:
Company information: The website should contain clear information about the company or organization, such as the company name, address, company number and contact details.
General terms and conditions: Where applicable, the website must also clearly refer to the general terms and conditions that apply to the use of the website and any services or products offered.
Prices and payment terms: If products or services are offered on the website, the prices, any taxes and the payment terms must be clearly stated.
Complaints procedure: It may be helpful to provide information about the procedure for submitting complaints, for example via a contact form or a specific complaints address.
This list is not exhaustive and it is recommended that legal advice be sought to ensure that all relevant requirements are complied with, as specific requirements may vary depending on the nature of the website and the services or products offered.
