FAQ - GDPR
These FAQs about the GDPR have been compiled to:
Provide you with general information on how SECUREX is getting ready for the GDPR.
Answer the most common GDPR-related questions we have received from our clients.
Q: What is the GDPR?
A: “GDPR” stands for General Data Protection Regulation. The GDPR is the new EU Data Protection Regulation and replaces the older Directive 95/46/EC. The Luxembourg law of 2 August 2002 on the protection of personal data will be reviewed accordingly. The GDPR applies from 25 May 2018. Although the main principles of the GDPR are essentially the same as those enshrined in earlier legislation, it does include a number of new elements (in relation to the rights data subjects enjoy and the obligations processors (subcontractors) are bound by, for instance).
Q: How is SECUREX preparing itself for the GDPR?
A: SECUREX has developed an action plan to ensure its compliance with the GDPR in every aspect of its activities and processes. This plan is in the course of implementation.
Q: What are the main strands of SECUREX’s GDPR action plan?
A: The SECUREX GDPR action plan features the following 5 main strands (workstreams):
Workstream 1 - Governance: review and fine-tuning of our internal policies, procedures and processes and, where appropriate, the establishment of new procedures, policies or processes.
Workstream 2 - Registers: a review of all our personal data processing operations (data flows) and the setting-up of data registers for each line of business/entity of the SECUREX Group.
Workstream 3 - Customers: a review of all the contractual clauses between clients and the various entities of the SECUREX Group.
Workstream 4 – Vendors & Partners: a review of the contractual clauses between SECUREX and its suppliers, subcontractors and partners.
Workstream 5 – Training & Awareness: training and briefing SECUREX staff on the ins and outs of data protection.
Q: Is SECUREX GDPR compliant?
A: At this moment in time, no business can claim to be fully GDPR compliant, as further details (European and Luxembourg texts) are still needed to understand the full extent of some of the obligations arising from the GDPR. Aside from analysing all recently published documents, and any documents that will be published between now and May 2018, to establish its exact obligations, SECUREX has devised an action plan to ensure that its activities and processes will be fully consistent with the GDPR. This plan is currently being implemented.
Q: Is SECUREX GDPR certified?
A: Although the European Authorities plan to develop a GDPR certification system in time, that system still needs to be developed. SECUREX intends to closely monitor the development of any future certification plans and, when the time comes, will evaluate the appropriateness of signing up to a system of this nature.
Q: Does SECUREX have a data protection officer?
A: Yes. One of the new requirements under the GDPR is that companies whose core activities consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale are obliged to designate a data protection officer (DPO). Since SECUREX, throughout its various activities, processes large quantities of personal data on employees, the self-employed and business leaders, it has designated a DPO.
Q: Is SECUREX qualified as controller or as processor?
A: That question must be answered on an activity-by-activity basis. For a large part of its activities, SECUREX acts as processor (e.g. salary administration carried out by the various entities of its social secretariat), because it processes employees’ personal data on the instructions of the individual employers; it is therefore the employers who qualify as controllers. For other activities, SECUREX acts as controller, either because it is SECUREX that defines the purposes and means of the processing (e.g. insurance, surveys) or because it is vested with that capacity by law (e.g. medicals).
Q: As an employer, am I the controller of my HR data?
A: In general, as far as our activities as a payroll services provider are concerned, the employer qualifies as the controller (because it gives us the instructions to issue and send out payslips), while SECUREX qualifies as the processor (because SECUREX acts on those instructions).
Likewise, when you use the services of a SECUREX HR consultant, you qualify as the controller of the data the consultant processes and SECUREX qualifies as the processor.
Q: What is a data breach?
A: A data breach is any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The definition is not limited to external attacks: a loss of availability or integrity counts as well as a loss of confidentiality. Accordingly, a data breach within the meaning of the GDPR covers, for instance: any form of hacking into a server, any accidental destruction (in spite of all the IT security procedures in place) of a hard disk containing personal data, and any disclosure of personal data obtained via the SECUREX Group infrastructure to someone not entitled to receive it.
Q: How are data breaches dealt with?
A: If SECUREX is the processor (in its capacity as payroll services provider, for instance), we will notify you, using a specific form, without undue delay after becoming aware of the breach. This form will list all the details you need to meet your own notification obligations vis-à-vis the National Commission for Data Protection (CNPD).
Unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned, it is up to the controller (you, as far as our payroll services are concerned; SECUREX itself for other tasks, see above) to notify the CNPD, where feasible within 72 hours of becoming aware of the breach.
By May 2018, SECUREX will have a procedure and the relevant forms in place to timely inform you of the details that need to be included in your notification to the CNPD (or, where applicable, to meet its own notification requirements vis-à-vis the CNPD).
Q: What security measures did SECUREX implement to protect the personal data it processes?
A: SECUREX has put organisational measures (the designation of a DPO, a CISO…) and procedural measures (procedures, policies, security manual) in place to ensure the IT and physical security of the personal data it processes. Furthermore, some of our activities have been awarded a quality-assurance label.
Q: As an employer, what are my obligations under the GDPR?
A: To find out more about your obligations as an employer, please consult the website of the National Commission for Data Protection (CNPD): https://cnpd.public.lu/fr.html
Q: Can you furnish me with a GDPR register template for my business?
A: SECUREX is not authorised to provide general GDPR-related consultancy services. However, we advise you to use the RGPD (GDPR) compliance tool set up by the National Commission for Data Protection (CNPD), available online at https://cst.cnpd.lu/portal/.
Q: Where does SECUREX store my employee-related data it processes?
A: SECUREX’s servers (where, inter alia, the data on your staff that our social secretariat processes are stored) are located in Luxembourg and in Belgium.
For certain specific services, subcontractors may have access to certain personal data, but to a limited extent only. In that case, the SECUREX policy is to ensure that these subcontractors process the data within the European Union or under an approved transfer mechanism (e.g. a US company certified under the “EU-US Privacy Shield”, or a company with which the EU Standard Contractual Clauses (“EU Model Clauses”) have been signed). Note that the EU-US Privacy Shield was invalidated by the Court of Justice of the EU in July 2020, so transfers that relied on it require another mechanism, such as the Standard Contractual Clauses.