Due in part to the General Data Protection Regulation (GDPR), which will take effect on 25 May 2018, privacy and the protection of privacy are a hot topic. The Personal Data Protection Act (Wet bescherming persoonsgegevens) will cease to apply from that date. The GDPR, which applies throughout Europe (and in some cases outside Europe), imposes additional obligations on the party gathering personal data (the controller) and creates more rights for the data subject.
‘Personal data’ is a very broad term. Any information enabling the identification of a specific person without too much effort constitutes personal data. Therefore, personal data not only includes name and address details, telephone numbers and IP addresses, but also visual and audio material, for example.
Principles of Processing
Data may not be processed for just any reason – data processing is subject to a range of conditions.
One major condition is that data processing is only permitted if it happens on one of the grounds specified in the law (consent, agreement, legal obligation, vital interests of the data subject, government task, own urgent interest).
In addition, only the necessary amount of data may be processed, and this data may not be retained any longer than is necessary. Obviously, the data must also be correct and up to date, and appropriate security measures will have to be taken.
Under the Personal Data Protection Act, data processing operations must usually be reported in advance to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens). Based on these reports, the Dutch Data Protection Authority keeps a public register, providing insight as to what personal data is used for what purpose.
Once the GDPR is in force, the reporting obligation will be replaced by a documentation obligation. This means that every organisation to which the GDPR applies must be able to demonstrate at any moment that it has acted in compliance with the provisions of the GDPR.
Accordingly, organisations will have to keep a ‘privacy administration’:
- Who has processed what personal data using what information systems?
- What security measures were taken to protect the data?
- Can the organisation demonstrate that these measures were efficient and effective?
Data Handling/Processing Agreement
A data handling agreement must be concluded with each handler of personal data (i.e., a person or organisation processing data on the controller’s instructions). This agreement must set out the arrangements made in respect of personal data protection, the security measures and compliance with the data leaks reporting obligation. From 25 May 2018, the terms ‘handler’ and ‘data handling agreements’ will be replaced by ‘processor’ and ‘data processing agreements’. There is no material change to the obligation in terms of substance – only the list of subjects to be arranged has been extended.
The agreement must address the following aspects:
- Purposes of the data processing;
- Type of personal data being processed;
- Categories of data subjects to whom the data relates;
- Appropriate protection of the data;
- Performance of audits;
- Destruction or return of the data to the controller.
Rights of Data Subjects
The data subject has (or will obtain) a number of rights in order to guarantee the right to privacy. These include:
- The right to the provision of information in a concise, transparent, understandable and easily accessible format, and in clear and simple language;
- The right to rectification;
- The right to be forgotten;
- The right to object to profiling;
- The right to data portability.
Privacy Officer and Privacy Impact Analysis
In some situations, it will be compulsory to appoint a privacy officer. This will be the case for a government body or agency, but also for businesses that are primarily engaged in systematic monitoring (profiling and tracking) or large-scale processing of special categories of personal data (race, faith, political preference, medical data, etc.).
A privacy impact analysis will be required if data processing operations take place which are likely to result in a high risk to the rights and freedoms of natural persons. This will apply to activities such as profiling, large-scale processing of special categories of personal data and large-scale monitoring of public areas.
Data Leaks Reporting Obligation
The data leaks reporting obligation already exists and will remain virtually unchanged. It means that the Dutch Data Protection Authority (and sometimes the data subject) must be notified of any data leak that has occurred and may have considerable adverse effects on the protection of personal data. A data leak is understood to mean the unintended release, alteration or destruction of personal data, or personal data otherwise becoming accessible, for example because of a computer hack or the loss of a USB stick or laptop.
Failure to comply with the GDPR may come at a substantial cost. This is because the Dutch Data Protection Authority is authorised, among other things, to impose penalties of up to EUR 20 million or 4 percent of worldwide turnover (whichever is higher). In addition, the directors of organisations who fail to abide by the rules run the risk of being personally held liable if anything goes wrong. All the more reason for placing privacy high on the agenda!