Archive privacy statement

We digitise and preserve all kinds of archive content, which we also make accessible. This content often includes personal data. Privacy legislation provides a different regime for personal data found in (digital) archive records that an archive institute such as meemoo receives for permanent storage.

We attach great importance to the security and confidentiality of the personal data we process. With this statement, we’re aiming to be clear and transparent about what happens when we process your personal data because it appears in archive records that are transferred to us.

This privacy policy therefore does not cover the personal data that we process as a result of our communications or interactions with you. This is subject to our general privacy policy.

Legal context

In the General Data Protection Regulation (GDPR), the European legislator has tried to strike a balance between preserving the collective memory and protecting personal data. There are, for example, some exemptions to a number of provisions (Articles 5, 9, 14 and 17) in the GDPR for processes for archiving in the public interest, among other things.

Article 89 of the GDPR then also provides an exemption regime for the processing of personal data for archiving in the public interest, scientific or historical research, or statistical purposes. This article allows Member States to derogate from a number of rights conferred on data subjects by the GDPR.

Our country made use of this possibility in the articles 186 ff. of the Belgian Federal Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data (hereafter ‘Law of 30 July 2018’).

Purpose limitation

One of the prominent principles in the GDPR is ‘purpose limitation’. Personal data may in principle only be collected for specific, explicit and justified purposes, and may then not be processed further in a way that is incompatible with those purposes.

The GDPR does however provide an exception for (further) processing with a view to archiving in the public interest. When personal data is processed with a view to archiving in the public interest, this is not considered to be incompatible with the original purposes.

Storage limitation

There is also an exception to the principle of storage limitation for archiving. Article 5, first paragraph, e) of the GDPR states that personal data that appears in transferred archive records may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest. Meemoo stores the transferred archive documents with the aim of preserving cultural heritage in Flanders, and is therefore covered by this exception.

Information requirement

Under Article 14 of the GDPR, the controller shall provide certain information to the data subject whose personal data is being processed, when this personal data has not been obtained from the person themselves. This is not necessary, however, in the case of personal data contained in transferred archive files (Article 14, fifth paragraph, b), GDPR).

The large quantities of archive records that are transferred to meemoo mean that informing all those concerned individually would be an impossible task that would require a disproportionate amount of effort. We do, however, provide transparent information about our privacy policy in this public statement.

Rights of data subjects

Meemoo’s core task and mandate by decree is to digitise content, archive this digital content sustainably, and make it accessible. The digitisation of content that is at risk of becoming lost is prioritised here. The aim of this core task is to make the aforementioned content available and give it social value with regard to certain target groups such as education and scientific research. Meemoo therefore archives this content in the public interest.

The rights of data subjects whose personal data is contained in transferred archives can be limited in the context of archiving in the public interest and under GDPR Article 89 and the Law of 30 July 2018.

The authenticity and integrity of our archived content would be seriously compromised if data subjects were able to exercise their rights without limitation. This could also seriously impede our archiving task with regard to the sustainable preservation and accessibility of this content which is part of Flanders’ heritage). Derogations from the rights of data subjects are therefore permissible for these reasons.

In concrete terms, this means the following for your rights:

  • Right of inspection: you are entitled to ask us to review and explain if and how your personal data is processed, unless we cannot comply with your request because it is unreasonable. Meemoo processes large amounts of personal data collected by other organisations, which means it is often unnecessary and impossible for us to know whose personal data it concerns.

  • Right of correction: if you believe that your personal data is incomplete or not (still) accurate, we will not make any changes to the archived records that we keep in order to safeguard the authenticity and integrity of these records.

  • Right to be forgotten: we process archive files on the basis of a task of public interest, which means you cannot therefore exercise this right. We have the statutory obligation to sustainably preserve the transferred archive records, which also means they need to be preserved in their entirety.

  • Right to restrict processing: you can request to suspend the processing of your personal data as soon and for as long as there are any doubts about its accuracy or legitimacy, or if you have lodged an objection. Pure preservation by meemoo remains permitted, however. The permanent preservation of records for the purpose of archiving in the public interest can also not be temporarily suspended.

  • Right to data portability: you are not entitled to ask meemoo to transfer your personal data that we process for the purpose of archiving in the public interest to another data controller. This is because we do not process this personal data on the basis of your consent or the execution of a contract with you.

  • Right to object: in principle, you can object to the processing of your personal data that we carry out in the execution of our task of public interest. However, in accordance with Article 21,1, GDPR, we will not be able to comply with this objection. This is because the exercising of this right by one data subject would make it impossible for us to carry out all the archive processing and services that we provide (file storage, digitisation, inventorying, making accessible, etc.).

Distributing personal data

According to the provisions contained in Articles 205 and 206 of the Law of 30 July 2018, we can disclose to third parties some personal data that we process for archiving purposes in the public interest. This means that we may publish certain archive content (in which personal data appears) online, for example.

We can distribute non-pseudonymised data when at least one of these conditions is satisfied:

  • The person involved has given their consent.

  • The person involved has published the data themselves.

  • The data is closely linked to the public or historical nature of the person involved.

  • The data is closely linked to the public or historical nature of the facts in which the person was involved.

In other cases, we will only distribute pseudonymised data, excluding special categories of personal data (Art. 9.1 GDPR).

Communicating personal data

According to the provisions contained in Articles 207 and 208 of the Law of 30 July 2018, we can disclose to identified third parties personal data that we process for archiving purposes in the public interest.

These Articles determine that, when at least one of these four cases does not apply to the personal data in an archive record, the data controller must take extra measures in certain cases:

  • The person involved has given their consent.

  • The person involved has published the data themselves.

  • The data is closely linked to the public or historical nature of the person involved.

  • The data is closely linked to the public or historical nature of the facts in which the person was involved.

If none of the above four cases apply, the law obliges meemoo, as the data controller, to ensure that the identified third party cannot make a digital copy of the accessed archive when:

  • it concerns personal data referred to in Articles 9.1 and 10 of the GDPR; or

  • the agreement between the controller of the initial processing and the controller of the further processing prohibits it; or

  • this reproduction can risk the safety of the person involved.

We satisfy this legal obligation by stipulating, in our own retrieval platforms’ terms of use, that the identified third parties are not allowed to export the archive content so that it is used and/or stored outside the protected environment of the platform.

Excercising rights and complaints

We will handle your requests within 30 calendar days. If your request is complex or we need to handle too many requests simultaneously, then the terms can be extended by 60 days. We also have a data protection officer who you can contact via privacy@meemoo.be. If you believe that meemoo has not responded adequately to your request, you can submit a complaint to the Data Protection Authority or Flemish Supervisory Commission.