GDPR: General Data Protection Regulation

In Dutch, it is referred to as AVG or Algemene Verordening Gegevensbescherming, and in French as RGPD or Règlement Général sur la Protection des Données. This European regulation replaces the Data Protection Directive 95/46/EC from 1995.

The aim is to better protect citizens' privacy and to establish uniform rules across the EU. On the one hand, it gives individuals more control over how their personal data is used. On the other hand, GDPR sets a clear legal framework — a standard that applies across Europe — so businesses know how to act to safeguard privacy.

Who does the GDPR apply to?

Every organization, business, or government that collects and processes personal data of EU citizens must comply with the GDPR, regardless of where the organization is located. For example, an American company processing data from European users must also adhere to these rules.

If you run a physical or online store and collect customer addresses to send mailings by post or email, you are subject to GDPR.

It is important to understand the definition of personal data. The regulation refers to PII (Personally Identifiable Information). This includes not only names, addresses, ID numbers, and birthdates, but also digital data like location, IP addresses, cookie data, and RFID tags. Health data also falls under this category, as well as genetic, biometric, racial, ethnic data, sexual orientation, and political opinions.

Summary of key principles:

Data collection, both online and offline:

  • The user must give explicit consent. Pre-checked boxes (opt-out) are no longer allowed. Instead, the user must actively check a box (opt-in) to receive newsletters or marketing messages.

    • Every DIPLA user, starting May 24, must first review their data and explicitly give Profisi consent to process it.

    • Profisi does not create users. The user with the “orgadmin” rights can add people in DIPLA.

  • Exceptions: Data processing without consent is allowed when required for the performance of a contract, legal obligation, public interest task, or to protect vital interests of the user or others.

  • The data controller must explicitly state which data is collected and for what purpose.

    • In DIPLA, only the following user data is stored: username, name, first name, and email address, linked to a unique user ID.

    • This ID is used throughout DIPLA to record actions, changes, tasks, measurements, and photos (with GPS coordinates in MyDIPLA).

    • DIPLA only displays names when required for functionality.

    • Users can anonymize their name, preserving the data while removing the personal link.

  • Data may only be used for the stated purpose and retained only as long as necessary.

    • Profisi retains data for the duration of the organization’s DIPLA subscription.

Data Retention

Data must be stored in a system designed to protect and safeguard privacy.

Any data breach must be reported within 72 hours.

User Rights:

Users have the right to:

  • Access their data

  • View, correct, delete, or transfer their data

  • Receive an electronic copy of their personal data

DIPLA's interface is designed to give every user and organization administrator full control over their personal data.

Users must also be able to withdraw consent at any time.
This can be done by requesting anonymization of their name.
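The storage design described in the list above (personal fields kept in one record behind a user ID, every action referencing only that ID, names displayed only where a function needs them, anonymization on withdrawal of consent) and the user rights listed here (access, an electronic copy of one's data) can be shown together in a small in-memory model. This is an added illustration written for this page, not DIPLA's or Profisi's code; the class and function names, the consent timestamp, the sample user and the anonymization placeholders are all assumptions.

```python
# Constructed illustration (not Profisi/DIPLA code) of the data model described on this
# page: personal fields live in one record keyed by a user ID; actions reference the ID only.
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Dict, List, Optional
import json
import uuid

PERSONAL_FIELDS = ("username", "name", "first_name", "email")


@dataclass
class User:
    user_id: str
    username: str
    name: str
    first_name: str
    email: str
    consent_given_at: Optional[str] = None  # ISO timestamp of the explicit opt-in
    anonymized: bool = False


@dataclass
class Action:
    # Activity records (tasks, measurements, photos) carry the user ID only;
    # no name or e-mail is ever copied into them.
    user_id: str
    kind: str
    detail: str
    recorded_at: str


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class DataStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.actions: List[Action] = []

    def add_user(self, username: str, name: str, first_name: str, email: str) -> str:
        # Created by an organisation admin; the user must still opt in before processing.
        uid = str(uuid.uuid4())
        self.users[uid] = User(uid, username, name, first_name, email)
        return uid

    def give_consent(self, uid: str) -> None:
        # Opt-in is an affirmative action, recorded together with its timestamp.
        self.users[uid].consent_given_at = _now()

    def has_consent(self, uid: str) -> bool:
        u = self.users[uid]
        return u.consent_given_at is not None and not u.anonymized

    def record_action(self, uid: str, kind: str, detail: str) -> None:
        # Consent is the only legal basis modelled here; without it nothing is recorded.
        if not self.has_consent(uid):
            raise PermissionError(f"no valid consent for user {uid}")
        self.actions.append(Action(uid, kind, detail, _now()))

    def display_name(self, uid: str, required_for_function: bool) -> str:
        # Show the real name only where the screen needs it; otherwise the opaque ID.
        u = self.users[uid]
        return f"{u.first_name} {u.name}" if required_for_function else u.user_id

    def export_personal_data(self, uid: str) -> dict:
        # Right of access / electronic copy: the personal record plus the user's own actions.
        u = self.users[uid]
        return {
            "user": {k: getattr(u, k) for k in PERSONAL_FIELDS},
            "actions": [asdict(a) for a in self.actions if a.user_id == uid],
        }

    def export_personal_data_json(self, uid: str) -> str:
        return json.dumps(self.export_personal_data(uid), indent=2)

    def anonymize(self, uid: str) -> None:
        # Withdrawal of consent: overwrite the identifying fields with placeholders derived
        # from the ID alone. The record and its ID survive, so existing actions still
        # resolve, but the link to a natural person is gone.
        u = self.users[uid]
        tag = uid[:8]
        u.username = f"anon-{tag}"
        u.name = "Anonymized"
        u.first_name = "User"
        u.email = f"anon-{tag}@example.invalid"  # reserved TLD, never deliverable
        u.consent_given_at = None
        u.anonymized = True

    def personal_data_leaked_into_actions(self) -> bool:
        # Invariant check for the design: no live personal value appears in any action.
        for u in self.users.values():
            if u.anonymized:
                continue
            for value in (u.username, u.email, f"{u.first_name} {u.name}"):
                if any(value in a.detail for a in self.actions):
                    return True
        return False


if __name__ == "__main__":
    store = DataStore()
    uid = store.add_user("jpeeters", "Peeters", "Jan", "jan.peeters@example.invalid")
    store.give_consent(uid)
    store.record_action(uid, "measurement", "pressure reading 2.1 bar")
    print(store.export_personal_data_json(uid))
    store.anonymize(uid)
    print(store.display_name(uid, required_for_function=True), "->", store.actions[0].user_id)
```

The point of the layout is that anonymization touches exactly one record: because tasks, measurements and photos never copy a name or e-mail address, the history stays intact and auditable while the person behind the ID can no longer be identified, and the same ID is what the export follows when a user asks for a copy of their data.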


Monitoring and Supervision of Data

Organizations with more than 250 employees must appoint a Data Protection Officer (DPO) to ensure GDPR compliance.
This requirement does not apply to DIPLA.

Each EU member state has appointed a Supervisory Authority to oversee GDPR compliance.
In Belgium, this is the Gegevensbeschermingsautoriteit (Data Protection Authority).

Data Transfers

Transferring data to organizations outside the EU is only permitted if those organizations can demonstrate GDPR compliance.

Data Processing

Does the GDPR mean we must obtain consent for every processing activity?

Many people wonder this, but the answer is no — explicit consent is not always required.

The goal of GDPR is to better protect the privacy of individuals and establish uniform rules across the EU, giving people more control and setting a clear legal framework for businesses.

Definition of Personal Data:
“Any information relating to an identified or identifiable natural person.”
This includes names, ID numbers, location data, phone numbers, email addresses, and online identifiers such as tracking cookies.

It also includes data about a person’s physical, genetic, psychological, cultural, or social identity — though many of these are not relevant to our sector.

What is a "natural person"?

The term "natural person" should not be restricted to someone's private life.

For example:
A private customer registering domain names — their name and email are personal data.
But so is the name and personal email (e.g. jan.peeters@company.be) of an employee at a reseller you work with professionally.

So yes — you may be processing personal data even in a business context.

What does "processing" mean?

Processing refers to any operation performed on personal data.
Many people wrongly assume that "processing" implies major actions like sharing data with third parties. In reality, even collecting personal data already counts as processing.

Golden Rules for Processing:

Whether or not the data subject has given consent, the following principles must always be followed:

  1. Data must be processed lawfully, fairly, and transparently

  2. Data must be collected for specific, explicit, and legitimate purposes

  3. Processing must be limited to what is necessary for those purposes

  4. Data must be accurate and kept up to date; errors must be corrected or deleted promptly

  5. Data may not be kept longer than necessary

  6. Data must be protected against unauthorized or accidental loss or processing

Consent and Equivalents

The most basic rule:
Processing is lawful if the data subject has given explicit, informed consent.

Unlike the past, consent must now be the result of a clear affirmative action — silence or inactivity is no longer valid.

Controller vs. Processor

These are two key roles under the GDPR — often confused:

  1. Controller
    A natural or legal person, authority, agency, or other body which alone or jointly determines the purpose and means of processing personal data.
    The controller is accountable to regulators and must enable data subjects to exercise their rights.

  2. Processor
    A natural or legal person, authority, agency, or other body which processes data on behalf of the controller.
    Think of a subcontractor who performs data processing for the controller.
    Examples include IT service providers and payroll firms.

Note: Not every subcontractor is a processor — only those who process personal data on behalf of a controller fall under this definition.

DIPLA-specific context

All data in DIPLA belongs to an organization.
DIPLA is purely a tool to collect, store, and process that data.

Source: European Commission – Controllers and Processors

Profisi

Company number: BE 0505 695 147